From b2b9731020fa13a6a58b9f7ce0134908ae35de60 Mon Sep 17 00:00:00 2001
From: JOduMonT
Date: Sat, 9 Sep 2017 23:10:36 +0700
Subject: [PATCH] a little bit of security
Hide the version of NGINX, block XSS and more... inspired by : https://gist.github.com/plentz/6737338
---
 data/conf/nginx/site.conf | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/data/conf/nginx/site.conf b/data/conf/nginx/site.conf
index 7fda9b1e..8a8f2a57 100644
--- a/data/conf/nginx/site.conf
+++ b/data/conf/nginx/site.conf
@@ -1,3 +1,4 @@
+server_tokens off;
 # includes to http {
 proxy_cache_path /tmp levels=1:2 keys_zone=sogo:10m inactive=24h max_size=1g;
 server_names_hash_bucket_size 64;
@@ -7,6 +8,7 @@ map $http_x_forwarded_proto $client_req_scheme {
 default $scheme;
 https https;
 }
+
 server {
 include /etc/nginx/conf.d/listen_ssl.active;
 include /etc/nginx/mime.types;
@@ -18,7 +20,17 @@ server {
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 ssl_prefer_server_ciphers on;
 ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
- add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
+
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 1d;
+ ssl_session_tickets off;
+
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Referrer-Policy: no-referrer-when-downgrade;
+ add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";
+ ssl_ecdh_curve secp384r1;
 index index.php index.html;
 include /etc/nginx/conf.d/server_name.active;
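Review bot: The added `server_tokens off;` in the first hunk carries no comment, and the commit message's "hide the version" slightly overstates what it does: the directive strips the version number from the Server response header and from nginx error pages, but a `Server: nginx` header is still emitted. A one-line comment such as `# strip the nginx version from the Server header and error pages` would set the right expectation for the next maintainer. It is also inserted above the `# includes to http {` comment, which appears to document the context this file is included into; placing the directive after that comment keeps it as the file's leading description.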