
Commit af02f75

committed
Nginx (security) optimizations
1 parent 5dc7ba4 commit af02f75


5 files changed

+320
-250
lines changed


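--- a/install/debian/8/nginx/nginx.conf
+++ b/install/debian/8/nginx/nginx.conf
@@ -2,57 +2,78 @@
 user www-data;
 worker_processes auto;
 worker_rlimit_nofile 65535;
-error_log /var/log/nginx/error.log crit;
+error_log /var/log/nginx/error.log;
 pid /var/run/nginx.pid;
 
-
 # Worker config
 events {
 worker_connections 1024;
 use epoll;
 multi_accept on;
 }
 
-
 http {
 # Main settings
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
-client_header_timeout 1m;
-client_body_timeout 1m;
+client_header_timeout 180s;
+client_body_timeout 180s;
 client_header_buffer_size 2k;
 client_body_buffer_size 256k;
 client_max_body_size 256m;
-large_client_header_buffers 4 8k;
-send_timeout 30;
-keepalive_timeout 60 60;
+large_client_header_buffers 4 8k;
+send_timeout 60s;
+keepalive_timeout 30s;
+keepalive_requests 100000;
 reset_timedout_connection on;
 server_tokens off;
 server_name_in_redirect off;
 server_names_hash_max_size 512;
 server_names_hash_bucket_size 512;
-
+charset utf-8;
+
+fastcgi_buffers 4 256k;
+fastcgi_buffer_size 256k;
+fastcgi_busy_buffers_size 256k;
+fastcgi_temp_file_write_size 256k;
+fastcgi_connect_timeout 30s;
+fastcgi_read_timeout 300s;
+fastcgi_send_timeout 180s;
+fastcgi_cache_lock on;
+fastcgi_cache_lock_timeout 5s;
+
+proxy_redirect off;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_pass_header Set-Cookie;
+proxy_buffers 32 4k;
+proxy_connect_timeout 30s;
+proxy_read_timeout 300s;
+proxy_send_timeout 180s;
 
 # Log format
 log_format main '$remote_addr - $remote_user [$time_local] $request '
 '"$status" $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';
 log_format bytes '$body_bytes_sent';
-#access_log /var/log/nginx/access.log main;
+log_not_found off;
 access_log off;
-
+#access_log /var/log/nginx/access.log main;
 
 # Mime settings
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
 
-
 # Compression
 gzip on;
-gzip_comp_level 9;
-gzip_min_length 512;
-gzip_buffers 8 64k;
+gzip_static on;
+gzip_vary on;
+gzip_comp_level 6;
+gzip_min_length 1024;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
 gzip_types text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
 gzip_proxied any;
 gzip_disable "MSIE [1-6]\.";
@@ -63,76 +84,69 @@ http {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass_header Set-Cookie;
-proxy_connect_timeout 90;
-proxy_send_timeout 90;
-proxy_read_timeout 90;
+proxy_connect_timeout 90s;
+proxy_send_timeout 90s;
+proxy_read_timeout 90s;
 proxy_buffers 32 4k;
 
-
 # Cloudflare https://www.cloudflare.com/ips
-set_real_ip_from 199.27.128.0/21;
-set_real_ip_from 173.245.48.0/20;
-set_real_ip_from 103.21.244.0/22;
-set_real_ip_from 103.22.200.0/22;
-set_real_ip_from 103.31.4.0/22;
-set_real_ip_from 141.101.64.0/18;
-set_real_ip_from 108.162.192.0/18;
-set_real_ip_from 190.93.240.0/20;
-set_real_ip_from 188.114.96.0/20;
-set_real_ip_from 197.234.240.0/22;
-set_real_ip_from 198.41.128.0/17;
-set_real_ip_from 162.158.0.0/15;
-set_real_ip_from 104.16.0.0/12;
-set_real_ip_from 172.64.0.0/13;
-#set_real_ip_from 2400:cb00::/32;
-#set_real_ip_from 2606:4700::/32;
-#set_real_ip_from 2803:f800::/32;
-#set_real_ip_from 2405:b500::/32;
-#set_real_ip_from 2405:8100::/32;
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 104.16.0.0/12;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 131.0.72.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+#set_real_ip_from 2400:cb00::/32;
+#set_real_ip_from 2405:b500::/32;
+#set_real_ip_from 2606:4700::/32;
+#set_real_ip_from 2803:f800::/32;
+#set_real_ip_from 2c0f:f248::/32;
+#set_real_ip_from 2a06:98c0::/29;
 real_ip_header CF-Connecting-IP;
 
-
-# openssl dhparam 4096 -out /etc/ssl/dhparam.pem
-# ssl_dhparam /etc/ssl/dhparam.pem;
-
+#openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+#ssl_dhparam /etc/ssl/dhparam.pem;
 
 # SSL PCI Compliance
 ssl_session_cache shared:SSL:10m;
 ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
-ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
 
 # Error pages
 error_page 403 /error/403.html;
 error_page 404 /error/404.html;
 error_page 502 503 504 /error/50x.html;
 
-
 # Cache settings
 proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
 proxy_cache_key "$host$request_uri $cookie_user";
 proxy_temp_path /var/cache/nginx/temp;
 proxy_ignore_headers Expires Cache-Control;
 proxy_cache_use_stale error timeout invalid_header http_502;
 proxy_cache_valid any 1d;
-
-
+
 # Cache bypass
 map $http_cookie $no_cache {
 default 0;
 ~SESS 1;
 ~wordpress_logged_in 1;
 }
 
-
 # File cache settings
 open_file_cache max=10000 inactive=30s;
 open_file_cache_valid 60s;
 open_file_cache_min_uses 2;
 open_file_cache_errors off;
 
-
 # Wildcard include
 include /etc/nginx/conf.d/*.conf;
-}
+}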
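Review bot: The proxy block added at new lines 46–54 duplicates single-value directives that the second hunk shows are still present later in the same `http {}` context: `proxy_buffers 32 4k;`, `proxy_connect_timeout 30s;`, `proxy_read_timeout 300s;` and `proxy_send_timeout 180s;` collide with `proxy_connect_timeout 90s;`, `proxy_send_timeout 90s;`, `proxy_read_timeout 90s;` and `proxy_buffers 32 4k;` at new lines 87–90, and nginx refuses a repeated `proxy_buffers` or `proxy_*_timeout` in one context with "directive is duplicate", so I expect `nginx -t` to fail and the reload to keep the old configuration (worth confirming, since lines 80–83 sit between the hunks and are not visible here, though the hunk header `http {` says both stretches share that scope). Keep exactly one copy, and decide which timeouts are intended, because the two copies disagree (30s/300s/180s vs 90s). Separately, for a commit labelled as security hardening the rewritten `ssl_ciphers` still ends in 3DES suites (`ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA` and `DES-CBC3-SHA`, a 64-bit block cipher exposed to Sweet32) and static-RSA `AES*-SHA*` suites with no forward secrecy, while the unchanged line above keeps `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` even though RFC 8996 deprecates TLS 1.1; I would truncate the list after the ECDHE/DHE AES-GCM, CHACHA20 and AES-CBC suites and set `ssl_protocols TLSv1.2 TLSv1.3;`.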

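--- a/install/debian/9/nginx/nginx.conf
+++ b/install/debian/9/nginx/nginx.conf
@@ -2,57 +2,78 @@
 user www-data;
 worker_processes auto;
 worker_rlimit_nofile 65535;
-error_log /var/log/nginx/error.log crit;
+error_log /var/log/nginx/error.log;
 pid /var/run/nginx.pid;
 
-
 # Worker config
 events {
 worker_connections 1024;
 use epoll;
 multi_accept on;
 }
 
-
 http {
 # Main settings
 sendfile on;
 tcp_nopush on;
 tcp_nodelay on;
-client_header_timeout 1m;
-client_body_timeout 1m;
+client_header_timeout 180s;
+client_body_timeout 180s;
 client_header_buffer_size 2k;
 client_body_buffer_size 256k;
 client_max_body_size 256m;
-large_client_header_buffers 4 8k;
-send_timeout 30;
-keepalive_timeout 60 60;
+large_client_header_buffers 4 8k;
+send_timeout 60s;
+keepalive_timeout 30s;
+keepalive_requests 100000;
 reset_timedout_connection on;
 server_tokens off;
 server_name_in_redirect off;
 server_names_hash_max_size 512;
 server_names_hash_bucket_size 512;
-
+charset utf-8;
+
+fastcgi_buffers 4 256k;
+fastcgi_buffer_size 256k;
+fastcgi_busy_buffers_size 256k;
+fastcgi_temp_file_write_size 256k;
+fastcgi_connect_timeout 30s;
+fastcgi_read_timeout 300s;
+fastcgi_send_timeout 180s;
+fastcgi_cache_lock on;
+fastcgi_cache_lock_timeout 5s;
+
+proxy_redirect off;
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_pass_header Set-Cookie;
+proxy_buffers 32 4k;
+proxy_connect_timeout 30s;
+proxy_read_timeout 300s;
+proxy_send_timeout 180s;
 
 # Log format
 log_format main '$remote_addr - $remote_user [$time_local] $request '
 '"$status" $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';
 log_format bytes '$body_bytes_sent';
-#access_log /var/log/nginx/access.log main;
+log_not_found off;
 access_log off;
-
+#access_log /var/log/nginx/access.log main;
 
 # Mime settings
 include /etc/nginx/mime.types;
 default_type application/octet-stream;
 
-
 # Compression
 gzip on;
-gzip_comp_level 9;
-gzip_min_length 512;
-gzip_buffers 8 64k;
+gzip_static on;
+gzip_vary on;
+gzip_comp_level 6;
+gzip_min_length 1024;
+gzip_buffers 16 8k;
+gzip_http_version 1.1;
 gzip_types text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
 gzip_proxied any;
 gzip_disable "MSIE [1-6]\.";
@@ -63,76 +84,69 @@ http {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_pass_header Set-Cookie;
-proxy_connect_timeout 90;
-proxy_send_timeout 90;
-proxy_read_timeout 90;
+proxy_connect_timeout 90s;
+proxy_send_timeout 90s;
+proxy_read_timeout 90s;
 proxy_buffers 32 4k;
 
-
 # Cloudflare https://www.cloudflare.com/ips
-set_real_ip_from 199.27.128.0/21;
-set_real_ip_from 173.245.48.0/20;
-set_real_ip_from 103.21.244.0/22;
-set_real_ip_from 103.22.200.0/22;
-set_real_ip_from 103.31.4.0/22;
-set_real_ip_from 141.101.64.0/18;
-set_real_ip_from 108.162.192.0/18;
-set_real_ip_from 190.93.240.0/20;
-set_real_ip_from 188.114.96.0/20;
-set_real_ip_from 197.234.240.0/22;
-set_real_ip_from 198.41.128.0/17;
-set_real_ip_from 162.158.0.0/15;
-set_real_ip_from 104.16.0.0/12;
-set_real_ip_from 172.64.0.0/13;
-#set_real_ip_from 2400:cb00::/32;
-#set_real_ip_from 2606:4700::/32;
-#set_real_ip_from 2803:f800::/32;
-#set_real_ip_from 2405:b500::/32;
-#set_real_ip_from 2405:8100::/32;
+set_real_ip_from 103.21.244.0/22;
+set_real_ip_from 103.22.200.0/22;
+set_real_ip_from 103.31.4.0/22;
+set_real_ip_from 104.16.0.0/12;
+set_real_ip_from 108.162.192.0/18;
+set_real_ip_from 131.0.72.0/22;
+set_real_ip_from 141.101.64.0/18;
+set_real_ip_from 162.158.0.0/15;
+set_real_ip_from 172.64.0.0/13;
+set_real_ip_from 173.245.48.0/20;
+set_real_ip_from 188.114.96.0/20;
+set_real_ip_from 190.93.240.0/20;
+set_real_ip_from 197.234.240.0/22;
+set_real_ip_from 198.41.128.0/17;
+#set_real_ip_from 2400:cb00::/32;
+#set_real_ip_from 2405:b500::/32;
+#set_real_ip_from 2606:4700::/32;
+#set_real_ip_from 2803:f800::/32;
+#set_real_ip_from 2c0f:f248::/32;
+#set_real_ip_from 2a06:98c0::/29;
 real_ip_header CF-Connecting-IP;
 
-
-# openssl dhparam 4096 -out /etc/ssl/dhparam.pem
-# ssl_dhparam /etc/ssl/dhparam.pem;
-
+#openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+#ssl_dhparam /etc/ssl/dhparam.pem;
 
 # SSL PCI Compliance
 ssl_session_cache shared:SSL:10m;
 ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
 ssl_prefer_server_ciphers on;
-ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-
+ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
 
 # Error pages
 error_page 403 /error/403.html;
 error_page 404 /error/404.html;
 error_page 502 503 504 /error/50x.html;
 
-
 # Cache settings
 proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
 proxy_cache_key "$host$request_uri $cookie_user";
 proxy_temp_path /var/cache/nginx/temp;
 proxy_ignore_headers Expires Cache-Control;
 proxy_cache_use_stale error timeout invalid_header http_502;
 proxy_cache_valid any 1d;
-
-
+
 # Cache bypass
 map $http_cookie $no_cache {
 default 0;
 ~SESS 1;
 ~wordpress_logged_in 1;
 }
 
-
 # File cache settings
 open_file_cache max=10000 inactive=30s;
 open_file_cache_valid 60s;
 open_file_cache_min_uses 2;
 open_file_cache_errors off;
 
-
 # Wildcard include
 include /etc/nginx/conf.d/*.conf;
-}
+}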
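Review bot: The rewritten `ssl_ciphers` at new line 122 still offers 3DES (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`, a 64-bit block cipher exposed to Sweet32) and the static-RSA `AES128-GCM-SHA256:…:AES256-SHA` suites that give no forward secrecy, while the unchanged context line keeps `ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;` although RFC 8996 deprecates TLS 1.1; a commit titled security optimizations should cut the list after the ECDHE/DHE suites and set `ssl_protocols TLSv1.2 TLSv1.3;`. The `proxy_buffers 32 4k;`, `proxy_connect_timeout 30s;`, `proxy_read_timeout 300s;` and `proxy_send_timeout 180s;` added at new lines 51–54 also repeat single-value directives that the second hunk shows still present at new lines 87–90 in the same `http {}` context (the hunk header names that scope, though new lines 80–83 are not visible here), and nginx rejects a duplicate `proxy_buffers` or `proxy_*_timeout` in one context with "directive is duplicate", so `nginx -t` should fail until one copy goes and the conflicting values (30s/300s/180s vs 90s) are reconciled. Note too that `client_header_timeout` and `client_body_timeout` move from `1m` to `180s`, tripling how long a slow client can hold a worker connection open; if that is deliberate it deserves a comment such as `# 180s: long uploads behind Cloudflare; slowloris exposure accepted`, otherwise keep the shorter values.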
