h3artbl33d.nl

Nginx configuration example

user www;
worker_processes 1;
error_log off;

worker_rlimit_nofile 1024;
events {
    worker_connections 800;
}


http {
    include mime.types;
    default_type application/octet-stream;
    index index.html index.htm;

    access_log off;
    error_log off;
    keepalive_timeout 65;

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 8;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    server_tokens off;

    server {
        # Accept plain-text traffic, redirect to https.
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    server {
        # Generic settings
        server_name h3artbl33d.nl www.h3artbl33d.nl;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        # TLS cert and key
        ssl_certificate /etc/letsencrypt/live/h3b.nl/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/h3b.nl/privkey.pem;

        # TLS protocol and ciphers
        ssl_protocols TLSv1.2;
        ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_dhparam /etc/ssl/dhparam.pem;
        ssl_prefer_server_ciphers on;

        # TLS session
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:1m;
        ssl_session_tickets off;

        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 127.0.0.1 [::1]:5353 valid=300s;
        resolver_timeout 5s;
        ssl_trusted_certificate /etc/letsencrypt/live/h3b.nl/cert.pem;

        # Security headers
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
        add_header Feature-Policy "usermedia *; sync-xhr 'self'";

        # Disable logging
        access_log off;
        error_log off;

        # Begin site settings
        root /var/www/htdocs/h3artbl33d.nl;
        index index.html index.htm;

        # Custom error pages
        error_page 404 = /404.html;
        error_page 403 /403.html;

        location / {
            try_files $uri $uri/ $uri.html =404;
        }
    }
}

© 2019 h3artbl33d