Update nginx default configuration files

Security enhancements and other improvements.

Author: Kristan Kenney

install/deb/nginx/nginx.conf

@@ -32,7 +32,7 @@ http {
     server_names_hash_max_size      512;
     server_names_hash_bucket_size   512;
     charset                         utf-8;
-    
+
     # FastCGI settings
     fastcgi_buffers                 4 256k;
     fastcgi_buffer_size             256k;
@@ -103,23 +103,22 @@ http {
     #set_real_ip_from  2a06:98c0::/29;
     real_ip_header     CF-Connecting-IP;
 
-    # SSL PCI Compliance
-    ssl_session_cache   shared:SSL:10m;
+    # SSL PCI compliance
+    ssl_session_cache   shared:SSL:20m;
+    ssl_buffer_size     1400;
     ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
     ssl_dhparam         /etc/ssl/dhparam.pem;
-    ssl_ecdh_curve secp384r1;
-    ssl_session_cache shared:SSL:10m;
+    ssl_ecdh_curve      secp384r1;
     ssl_session_tickets off;
-    ssl_stapling on;
+    ssl_stapling        on;
     ssl_stapling_verify on;
-    ssl_buffer_size 1400;
     resolver 1.0.0.1 1.1.1.1 valid=300s;
-    resolver_timeout 5s;
-    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
-    add_header X-Frame-Options SAMEORIGIN;
-    add_header X-Content-Type-Options nosniff;
+    resolver_timeout    5s;
+    add_header          Strict-Transport-Security "max-age=31536000; includeSubDomains";
+    add_header          X-Frame-Options SAMEORIGIN;
+    add_header          X-Content-Type-Options nosniff;
 
     # Error pages
     error_page          403          /error/403.html;
@@ -141,12 +140,12 @@ http {
         ~wordpress_logged_in 1;
     }
 
-    # File cache settings
+    # File cache (static assets)
     open_file_cache          max=10000 inactive=30s;
     open_file_cache_valid    60s;
     open_file_cache_min_uses 2;
     open_file_cache_errors   off;
 
     # Wildcard include
     include             /etc/nginx/conf.d/*.conf;
-}
+}

src/deb/nginx/nginx.conf

@@ -75,12 +75,15 @@ http {
     gzip_proxied        any;
     gzip_disable        "MSIE [1-6]\.";
 
-    # SSL PCI Compliance
+    # SSL PCI compliance
     ssl_session_cache   shared:SSL:10m;
-    ssl_session_timeout 10m;
+    ssl_buffer_size     1400;
+    ssl_session_timeout 60m;
     ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
     ssl_ciphers         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
+    add_header          X-Frame-Options SAMEORIGIN;
+    add_header          X-Content-Type-Options nosniff;
 
     # Error pages
     error_page          403          /error/403.html;