Is this Nginx configuration OK?
by Jason.nix from LinuxQuestions.org on (#6N7RD)
Hello,
I have configured Nginx for HTTP only. The default.conf file is as follows::
Code:#server {
# listen 80;
# listen [::]:80;
# server_name your_domain www.your_domain;
# location ~ /.well-known/acme-challenge {
# allow all;
# root /var/www/html;
# }
# location / {
# rewrite ^ https://$host$request_uri? permanent;
# }
#}
server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# server_name your_domain www.your_domain;
# server_tokens off;
# ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;
# ssl_buffer_size 8k;
# ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
# ssl_protocols TLSv1.2;
# ssl_prefer_server_ciphers on;
# ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
# ssl_ecdh_curve secp384r1;
# ssl_session_tickets off;
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.8.8;
# resolver_timeout 60s;
client_header_buffer_size 5k;
large_client_header_buffers 2 2k;
client_header_timeout 10;
gzip on;
gzip_min_length 1499;
gzip_disable "msie6";
gzip_vary on;
gzip_static on;
gzip_proxied any;
gzip_comp_level 4;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/wasm application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml application/xml
image/bmp
image/svg+xml
image/x-icon
font/opentype
text/cache-manifest
text/css
text/javascript
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy
text/xml
application/xml+rss;
listen 80;
listen [::]:80;
server_name _;
location / {
try_files $uri @User;
}
location @User {
proxy_pass http://User:3000;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
server_tokens off;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=5000 inactive=240s;
open_file_cache_valid 60s;
open_file_cache_min_uses 5;
open_file_cache_errors off;
client_max_body_size 20M;
client_body_buffer_size 32k;
client_body_timeout 10;
keepalive_timeout 10;
send_timeout 10;
proxy_hide_header X-Powered-By;
proxy_hide_header X-AspNet-Version;
proxy_hide_header X-AspNetMvc-Version;
proxy_hide_header X-Runtime;
proxy_hide_header X-Redirect-By;
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# enable strict transport security only if you understand the implications
}
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
}Please share your thoughts on this configuration.
Thank you.
I have configured Nginx for HTTP only. The default.conf file is as follows::
Code:#server {
# listen 80;
# listen [::]:80;
# server_name your_domain www.your_domain;
# location ~ /.well-known/acme-challenge {
# allow all;
# root /var/www/html;
# }
# location / {
# rewrite ^ https://$host$request_uri? permanent;
# }
#}
server {
# listen 443 ssl http2;
# listen [::]:443 ssl http2;
# server_name your_domain www.your_domain;
# server_tokens off;
# ssl_certificate /etc/letsencrypt/live/your_domain/fullchain.pem;
# ssl_certificate_key /etc/letsencrypt/live/your_domain/privkey.pem;
# ssl_buffer_size 8k;
# ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;
# ssl_protocols TLSv1.2;
# ssl_prefer_server_ciphers on;
# ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
# ssl_ecdh_curve secp384r1;
# ssl_session_tickets off;
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.8.8;
# resolver_timeout 60s;
client_header_buffer_size 5k;
large_client_header_buffers 2 2k;
client_header_timeout 10;
gzip on;
gzip_min_length 1499;
gzip_disable "msie6";
gzip_vary on;
gzip_static on;
gzip_proxied any;
gzip_comp_level 4;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/wasm application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml application/xml
image/bmp
image/svg+xml
image/x-icon
font/opentype
text/cache-manifest
text/css
text/javascript
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy
text/xml
application/xml+rss;
listen 80;
listen [::]:80;
server_name _;
location / {
try_files $uri @User;
}
location @User {
proxy_pass http://User:3000;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
server_tokens off;
tcp_nopush on;
tcp_nodelay on;
open_file_cache max=5000 inactive=240s;
open_file_cache_valid 60s;
open_file_cache_min_uses 5;
open_file_cache_errors off;
client_max_body_size 20M;
client_body_buffer_size 32k;
client_body_timeout 10;
keepalive_timeout 10;
send_timeout 10;
proxy_hide_header X-Powered-By;
proxy_hide_header X-AspNet-Version;
proxy_hide_header X-AspNetMvc-Version;
proxy_hide_header X-Runtime;
proxy_hide_header X-Redirect-By;
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# enable strict transport security only if you understand the implications
}
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
}Please share your thoughts on this configuration.
Thank you.