nginx Secure Default Configuration (with php-fpm)

#
# A virtual host using a mix of IP-, name-, and port-based configuration
#

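server {
    listen 443 ssl http2;
    # server_name takes bare host names; with a scheme ("http://...") it could
    # never match a Host header, so requests fell through to the default server.
    server_name www.website.com;

    # "ssl on;" is superseded by the "ssl" parameter on "listen" above; keeping
    # both is redundant and newer nginx versions warn about the old directive.
    ssl_certificate /etc/nginx/conf.d/ssl/www.website.com.crt;
    ssl_certificate_key /etc/nginx/conf.d/ssl/www.website.com.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail current compliance
    # baselines. Append TLSv1.3 once nginx >= 1.13.0 is built against
    # OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # The original list offered EECDH+aRSA+RC4 and then excluded !RC4; the
    # exclusion wins, so the RC4 entry is dropped instead of kept as dead config.
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    # Parameters for the EDH+ suites above; generate with at least 2048 bits.
    ssl_dhparam /etc/nginx/conf.d/ssl/dhparams.pem;

    # About 4000 sessions per MB of shared cache; sessions stay valid for 1h.
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 1h;

    # HSTS. The original placed "always" and a stray ':' inside the quoted
    # value, so the header actually sent was malformed; "always" is an
    # add_header parameter and belongs outside the quotes. includeSubDomains
    # covers every subdomain of this host -- drop it if any subdomain must
    # remain plain HTTP. max-age is ~6 months; preload lists require >= 1 year.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;

    server_tokens off;
    # add_header is not additive across levels: a location block that sets its
    # own add_header inherits none of these, so keep them at server level only.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options nosniff always;
    # Legacy header: current browsers ignore it; the CSP below is the real control.
    add_header X-XSS-Protection "1; mode=block" always;
    # 'unsafe-inline' and 'unsafe-eval' in script-src allow any injected script
    # to run, so this policy mainly limits *where* resources may load from.
    # Tighten it once the site's inline scripts are moved to files or carry
    # nonces/hashes. child-src is superseded by frame-src/worker-src in CSP
    # Level 3 but is kept for the origins listed here.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net https://ajax.googleapis.com https://www.google.com; img-src 'self' https://www.google.com https://www.facebook.com https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://fonts.gstatic.com https://themes.googleusercontent.com; child-src https://www.google.com https://staticxx.facebook.com https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'" always;

    # Optional HTTP basic auth in front of the whole site.
    # auth_basic "Restricted";
    # auth_basic_user_file /etc/nginx/conf.d/passwd;

    root /var/www/html;
    index index.php index.html index.htm;

    # Front-controller routing: paths that are not files or directories go to
    # index.php with the original query string preserved.
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location ~ \.php$ {
        # Only existing scripts (or the front controller) reach php-fpm; a URI
        # such as /image.png/x.php is routed to /index.php instead of being
        # resolved by PHP. Pair this with cgi.fix_pathinfo=0 in php.ini.
        try_files $uri /index.php =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # Include the stock parameters first so the explicit SCRIPT_FILENAME
        # below comes after any value a distro fastcgi_params may also set.
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    # Never serve hidden files (.htaccess, .git, .env, ...). The original only
    # covered .ht*; /.well-known/ stays reachable for ACME challenges.
    location ~ /\.(?!well-known/) {
        deny all;
    }
}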

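server {
    listen 80;
    # Bare host name; the original included a scheme, which can never match
    # a Host header.
    server_name www.website.com;
    # Redirect to the configured name rather than echoing the client's Host
    # header, so a stray or forged Host cannot steer the redirect elsewhere if
    # this block ends up as the default server for port 80.
    return 301 https://$server_name$request_uri;
}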
