ADD ssl.d/globalssl.conf [ci skip]

Recommended SSL settings for all nginx sites

headers.d/headers.conf

@@ -0,0 +1,63 @@
+############################################################################## 
+# _ __ _ #
+# / |/ /__ _(_)__ __ __ #
+# / / _ `/ / _ \\ \ / #
+# /_/|_/\_, /_/_//_/_\_\ #
+# __/___/ __ ___ __ ___ __ __ #
+# / _ )___ ____/ / / _ )___ / /_ / _ )/ /__ ____/ /_____ ____ #
+# / _ / _ `/ _ / / _ / _ \/ __/ / _ / / _ \/ __/ '_/ -_) __/ #
+# /____/\_,_/\_,_/ /____/\___/\__/ /____/_/\___/\__/_/\_\\__/_/ #
+# #
+############################################################################## 
+
+# ------------------------------------------------------------------------------
+# MIT License
+# ------------------------------------------------------------------------------
+# Copyright (c) 2017 Mitchell Krog - [email protected]
+# https://github.com/mitchellkrogza
+# ------------------------------------------------------------------------------
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+# ------------------------------------------------------------------------------
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+# ------------------------------------------------------------------------------
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+# ------------------------------------------------------------------------------
+
+# --------------------------------
+# Security Headers for Nginx Sites
+# --------------------------------
+
+# headers.conf
+# Global server headers configuration file.
+# Should be included in each and every server {} block.
+# These are some of the MOST important and overlooked header rules for ANY web site
+
+# To use this set of rules, add the include below into each server block.
+# add this at the very top of your server blocks before any other location rules
+# include /etc/nginx/headers.d/headers.conf;
+
+ ##
+ # Add X Headers
+ ##
+
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+
+ ##
+ #Set Referrer-Policy Header
+ ##
+
+ add_header Referrer-Policy "no-referrer";

ssl.d/globalssl.conf

@@ -0,0 +1,120 @@
+############################################################################## 
+# _ __ _ #
+# / |/ /__ _(_)__ __ __ #
+# / / _ `/ / _ \\ \ / #
+# /_/|_/\_, /_/_//_/_\_\ #
+# __/___/ __ ___ __ ___ __ __ #
+# / _ )___ ____/ / / _ )___ / /_ / _ )/ /__ ____/ /_____ ____ #
+# / _ / _ `/ _ / / _ / _ \/ __/ / _ / / _ \/ __/ '_/ -_) __/ #
+# /____/\_,_/\_,_/ /____/\___/\__/ /____/_/\___/\__/_/\_\\__/_/ #
+# #
+############################################################################## 
+
+# ------------------------------------------------------------------------------
+# MIT License
+# ------------------------------------------------------------------------------
+# Copyright (c) 2017 Mitchell Krog - [email protected]
+# https://github.com/mitchellkrogza
+# ------------------------------------------------------------------------------
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+# ------------------------------------------------------------------------------
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+# ------------------------------------------------------------------------------
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+# ------------------------------------------------------------------------------
+
+# ----------------------------------------
+# Recommended SSL Settings for Nginx Sites
+# ----------------------------------------
+
+# Last Updated: 2019-07-04
+
+# globalssl.conf
+# Global ssl configuration file.
+# Should be included in each and every server {} block of your https/ssl sites.
+# Only use this if you know what you are doing with SSL, this is merely an example of 
+# good SSL settings for nginx ssl sites.
+# NO SUPPORT IS OFFERED IN THIS REPO FOR SETTING UP AND RUNNING SSL
+# There is lots of help for Let's Encrypt at: https://community.letsencrypt.org/
+
+# To use this set of rules, add the include below into each server block.
+# add this at the very top of your HTTPS server blocks before any other location rules
+# include /etc/nginx/ssl.d/globalssl.conf;
+
+
+ ## 
+ # DIFFIE HELMAN ENCRYPTION / DHE
+ ##
+
+ # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
+ # Requires generating your dhparam.pem 
+ # INSTRUCTIONS:
+ # -------------
+ # cd /etc/nginx/ssl
+ # sudo openssl dhparam -out dhparam.pem 4096
+ # WAIT FOR IT TO FINISH - Can take a long time 
+
+ ssl_dhparam /etc/nginx/ssl/dhparam.pem;
+
+ ## 
+ # SSL SESSION SETTINGS
+ ##
+
+ ssl_session_timeout 10m;
+ ssl_session_cache shared:SSL:128m;
+ ssl_session_tickets off;
+
+ ##
+ # SSL PROTOCOL SUPPORT
+ # Support modern and intermediate browsers ONLY 
+ # If you want to allow some older browsers add TLSv1 TLSv1.1 
+ ##
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+
+ ##
+ # SSL CIPHERS 
+ # ciphers recommended by https://mozilla.github.io/server-side-tls/ssl-config-generator/
+
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers on;
+
+ ##
+ # HSTS Headers
+ ##
+
+ add_header Strict-Transport-Security max-age=63072000; includeSubDomains; preload; always;
+
+ ##
+ # OCSP Stapling
+ # fetch OCSP records from URL in ssl_certificate and cache them
+ ##
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ # Do not use resolvers for OCSP see comment in - https://scotthelme.co.uk/ocsp-stapling-speeding-up-ssl/
+ # http:https://disq.us/url?url=http%3A%2F%2Fblog.zorinaq.com%2Fnginx-resolver-vulns%2F%3AP2dn26U8hf5EMF__e_ZIRGBpc3E&cuid=2541595
+ # resolver 8.8.8.8 8.8.4.4 valid=300s;
+ # resolver_timeout 5s;
+
+ ##
+ # HSTS(HTTP Strict Transport Security)
+ # https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
+ ##
+
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+