Nginx configuration with redirects
# Read
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart#
# http://tautt.com/best-nginx-configuration-for-security/
#
# Generate your key with: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
# Generate certificate: sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
## redirects http traffic to https ##
server {
listen 80;
listen [::]:80;
server_name mysite.co.uk www.mysite.co.uk;
return 301 https://$server_name$request_uri;
}
## redirect non-www to www ##
server {
listen 443;
listen [::]:443;
ssl on;
# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
add_header Strict-Transport-Security "max-age=31536000;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
# SSL Certificate files
ssl_certificate ssl/certificate.crt;
ssl_certificate_key ssl/certificate.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# see https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
keepalive_timeout 60;
server_name mysite.co.uk;
return 301 https://www.mysite.co.uk$request_uri;
}
# =================================================================================================
server {
listen 443;
listen [::]:443;
ssl on;
server_name www.mysite.co.uk;
root /usr/share/nginx/html;
index index.php;
if ($server_protocol ~* "HTTP/1.0") {
return 444;
}
# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
add_header Strict-Transport-Security "max-age=31536000;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
# SSL Certificate files
ssl_certificate ssl/certificate.crt;
ssl_certificate_key ssl/certificate.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# This config allows backwards compatibility for insecure TLS 1.0 protocols for Microsoft Browsers
# see https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
keepalive_timeout 60;
# enable OSCP stapling (crt must have intermediate key in it)
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.8.8;
# ssl_trusted_certificate ssl/certificate.crt;
# enable session resumption to improve https performance
# http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
access_log /var/log/nginx/mysite.access.log;
error_log /var/log/nginx/mysite.error.log;
# Verify lets encrypt
location ~ /.well-known {
# Sometimes useful to use a different root, not always though
root /usr/share/nginx/html;
allow all;
try_files $uri /index.php?q=$uri&$args;
}
# Deny all attempts to access hidden files such as .htaccess, .htpasswd, .DS_Store (Mac).
# Keep logging the requests to parse later (or to pass to firewall utilities such as fail2ban)
location ~ /\. {
deny all;
}
location ~* \.(js|css|png|jpg|jpeg|gif|ico|txt|woff|otf|svg)$ {
expires max;
proxy_buffering on;
proxy_cache_valid 200 120m;
log_not_found off;
}
# Do not log favicon.ico requests
location = /favicon.ico {
expires max;
log_not_found off;
access_log off;
}
# Do not log robots.txt requests
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Redirect 403 errors to 404 error to fool attackers
error_page 403 = 404;
location / {
# include /etc/nginx/naxsi.rules;
try_files $uri $uri/ /index.php?q=$uri&$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include fastcgi_params;
fastcgi_keep_conn on;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SERVER_NAME $host;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_read_timeout 600;
}
}