andybeak
5/27/2016 - 11:30 AM

Nginx configuration with redirects

Nginx configuration with redirects

# Read
#       http://wiki.nginx.org/Pitfalls
#       http://wiki.nginx.org/QuickStart#
#       http://tautt.com/best-nginx-configuration-for-security/
#
#       Generate your key with: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
#       Generate certificate: sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

## redirects http traffic to https ##
server {
    listen 80;
    listen [::]:80;

    server_name mysite.co.uk www.mysite.co.uk;
    return 301 https://$server_name$request_uri;
}

## redirect non-www to www ##
server {
    listen 443;
    listen [::]:443;
    
    ssl on;
    
    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    add_header Strict-Transport-Security "max-age=31536000;";

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";

    # SSL Certificate files
    ssl_certificate     ssl/certificate.crt;
    ssl_certificate_key ssl/certificate.key;
    ssl_dhparam         /etc/nginx/ssl/dhparam.pem;

    # see https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    keepalive_timeout    60;
    
    server_name mysite.co.uk;
    return 301 https://www.mysite.co.uk$request_uri;
}

# =================================================================================================

server {

    listen 443;
    listen [::]:443;

    ssl on;

    server_name www.mysite.co.uk;

    root /usr/share/nginx/html;
    index index.php;
    
    if ($server_protocol ~* "HTTP/1.0") {
      return 444;
    }

    # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    add_header Strict-Transport-Security "max-age=31536000;";

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";

    # SSL Certificate files
    ssl_certificate     ssl/certificate.crt;
    ssl_certificate_key ssl/certificate.key;
    ssl_dhparam         /etc/nginx/ssl/dhparam.pem;

    # This config allows backwards compatibility for insecure TLS 1.0 protocols for Microsoft Browsers
    # see https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    keepalive_timeout    60;

    # enable OSCP stapling (crt must have intermediate key in it)
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # resolver 8.8.8.8;
    # ssl_trusted_certificate ssl/certificate.crt;

    # enable session resumption to improve https performance
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    access_log /var/log/nginx/mysite.access.log;
    error_log /var/log/nginx/mysite.error.log;

    # Verify lets encrypt
    location ~ /.well-known {
        # Sometimes useful to use a different root, not always though
        root /usr/share/nginx/html;
        allow all;
        try_files $uri /index.php?q=$uri&$args;
    }

    # Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
    # Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
    location ~ /\. {
        deny all;
    }

    location ~* \.(js|css|png|jpg|jpeg|gif|ico|txt|woff|otf|svg)$ {
        expires max;
        proxy_buffering on;
        proxy_cache_valid 200 120m;
        log_not_found off;
    }

    # Do not log favicon.ico requests
    location = /favicon.ico {
        expires max;
        log_not_found off;
        access_log off;
    }

    # Do not log robots.txt requests
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Redirect 403 errors to 404 error to fool attackers
    error_page 403 = 404;

    location / {
        # include /etc/nginx/naxsi.rules;
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;

        if (!-f $document_root$fastcgi_script_name) {
            return 404;
        }

        include                 fastcgi_params;
        fastcgi_keep_conn       on;
        fastcgi_index           index.php;
        fastcgi_param           SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param           SERVER_NAME $host;
        fastcgi_pass            unix:/var/run/php5-fpm.sock;
        fastcgi_read_timeout    600;
    }

}