Extra Settings

It is worth having the following useful settings prepared so they can be included quickly and easily wherever they are needed. They are not for automatic inclusion.

Cloudflare

The file /etc/nginx/cloudflare.conf.

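#
# Cloudflare protected and accelerated servers
# https://www.cloudflare.com/ips/
#
# Scope: log_format is only valid in the http{} context, so this file can
# only be included there, and ssl_verify_client then applies to every
# server{} in that http{} block. Use it only when all virtual hosts are
# reached exclusively through Cloudflare; any direct TLS client without a
# certificate issued by the CA in cloudflare.crt is rejected.
#
# Keep the set_real_ip_from list in sync with the URL above. A stale list
# does not let anyone spoof CF-Connecting-IP (the header is only honoured
# from listed peers), but requests arriving from an unlisted Cloudflare range
# keep the edge address as $remote_addr, which also breaks allow/deny rules
# and logs written against client addresses.
#

# TLS Authenticated Origin Pulls: cloudflare.crt is the CA that signs the
# client certificates Cloudflare presents to the origin.
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;

# Cloudflare allocated IPv4 addresses
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;

# Cloudflare allocated IPv6 addresses
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;

# Change the originating IP: take the client address from CF-Connecting-IP,
# but only for connections coming from one of the addresses listed above.
real_ip_header     CF-Connecting-IP;

# Log CF-RAY header
# Helps with tracing a request through CloudFlare's network.
# The space before $http_cf_ray is required: without it the ray id is glued
# to the closing quote of the user agent and the line cannot be parsed.
log_format cf_custom '$remote_addr - $remote_user [$time_local]  '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$http_cf_ray';

access_log  /var/log/nginx/cf_access.log cf_custom;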

FastCGI

The file /etc/nginx/fastcgi.conf.

#
# FastCGI Settings
#
# Parameters handed to the FastCGI backend. This file only defines the
# environment; the including location{} still has to provide fastcgi_pass,
# and fastcgi_split_path_info if PATH_INFO / PATH_TRANSLATED are expected to
# carry anything (without it $fastcgi_path_info stays empty).
#

#
# httpoxy mitigation - see https://httpoxy.org/
# A client-supplied "Proxy:" request header would otherwise reach the backend
# as the HTTP_PROXY environment variable; forcing it empty keeps the backend's
# outbound HTTP libraries from honouring an attacker-chosen proxy.
fastcgi_param HTTP_PROXY "";

#
# Pass Nginx variables into the CGI executable's environment
#

# Network
fastcgi_param REMOTE_ADDR       $remote_addr;
fastcgi_param REMOTE_PORT       $remote_port;
fastcgi_param SERVER_ADDR       $server_addr;
fastcgi_param SERVER_PORT       $server_port;
fastcgi_param SERVER_NAME       $server_name;

# Protocol (HTTPS is only sent when $https is non-empty, i.e. on TLS)
fastcgi_param REQUEST_SCHEME    $scheme;
fastcgi_param HTTPS             $https if_not_empty;

# Request
fastcgi_param QUERY_STRING      $query_string;
fastcgi_param REQUEST_METHOD    $request_method;
fastcgi_param CONTENT_TYPE      $content_type;
fastcgi_param CONTENT_LENGTH    $content_length;

# Script
fastcgi_param SCRIPT_FILENAME   $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME       $fastcgi_script_name;
fastcgi_param PATH_INFO         $fastcgi_path_info;
fastcgi_param PATH_TRANSLATED   $document_root$fastcgi_path_info;
fastcgi_param REQUEST_URI       $request_uri;
fastcgi_param DOCUMENT_URI      $document_uri;
fastcgi_param DOCUMENT_ROOT     $document_root;
fastcgi_param SERVER_PROTOCOL   $server_protocol;

# Proxy
fastcgi_param GATEWAY_INTERFACE CGI/1.1;
fastcgi_param SERVER_SOFTWARE   nginx/$nginx_version;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param REDIRECT_STATUS   200;

HSTS

The file /etc/nginx/hsts.conf.

#
# Strict Transport Security (HSTS), RFC 6797
# See https://hstspreload.org/
# See https://tools.ietf.org/html/rfc6797
#
# Reference max-age values (seconds):
#   5 minutes ..........300
#   1 week ...........604,800
#   1 month ........2,592,000
#   18 weeks ......10,886,400 <- Chrome Browser preload minimum
#   6 months ......15,768,000 <- Mozilla minimum
#   1 year ........31,536,000 <- Mozilla recommended
#   2 years .......63,072,000 <- Chrome Browser preload recommended
# (preload submission requirements change over time; check hstspreload.org
# before relying on the figures above)
#
# Scope notes:
# - includeSubDomains makes every subdomain HTTPS-only for the max-age
#   period, and a preload entry is slow to revoke, so confirm that all
#   subdomains serve valid TLS before including this file.
# - nginx inherits add_header only into contexts that define no add_header
#   of their own; a location{} with its own add_header silently drops this
#   header unless the file is included there as well.
# - "always" keeps the header on error responses (4xx/5xx) too.
#
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload' always;

Local Access Only

The file /etc/nginx/local-access-only.conf.

#
# Private LAN only access allowed
#
# The access module applies the first rule that matches, top to bottom: the
# narrow deny lines must stay above the broader allow that would otherwise
# cover them, and "deny all" must stay last. Do not reorder.
#
# The address being checked is the client address as nginx sees it after any
# realip processing; when real_ip_header is in use, this list is only as
# trustworthy as the proxies named in set_real_ip_from.
#

# Allow UNIX local sockets (connections arriving over a unix: listen socket)
allow	unix:;

# Allow localhost
allow	127.0.0.0/8;
allow   ::1;

# Private IPv4 addresses (RFC 1918)
allow   10.0.0.0/8;
allow   172.16.0.0/12;
allow   192.168.0.0/16;

# Private IPv6 addresses (RFC 4193)
allow   fc00::/7;

# Link-local IPv4 addresses (RFC 6890 and RFC 3927)
# The first and last /24 of 169.254/16 are reserved and excluded first;
# these two deny lines must precede the /16 allow below.
deny    169.254.0.0/24;
deny    169.254.255.0/24;
allow   169.254.0.0/16;

# Link-local IPv6 addresses (RFC 4862 and RFC 4291)
allow   fe80::/10;

# Global IPv6 subnet assigned to us by our ISP
# 2001:db8::/32 is the RFC 3849 documentation prefix: this line is a
# placeholder and must be replaced with the real delegated prefix.
allow   2001:db8:c0de::/64;

# Deny access to rest of the world
deny    all;

Debug-Logging

The file /etc/nginx/log-debug.conf.

#
# log-debug.conf
# Nginx logging configuration
#
# Usually all logging is disabled by the automatic inclusion of
# http-conf.d/log-nothing.conf at the http{} level.
#
# For debugging, include this file temporarily in any server{} or location{}:
#
#     include log-debug.conf;
#
# then test and reload Nginx:
#
#     sudo nginx -t && sudo nginx -s reload
#
# Remove the include again when done: the access log records full request
# lines, so query strings (and any tokens carried in them) end up on disk
# while this file is active.
#

# Additional detail: subrequests, 404s and rewrite decisions
log_subrequest on;   # 'on' or 'off'
log_not_found  on;   # 'on' or 'off'
rewrite_log    on;   # 'on' or 'off'

# Error log and its minimum severity. Levels, most to least verbose:
#     debug | info | notice | warn | error | crit | alert | emerg
# ("debug" only produces output when nginx was built with --with-debug)
error_log  /var/log/nginx/error.log info;

# Access log in the "main" format; that log_format must be defined in the
# http{} context or nginx -t fails on this include.
access_log /var/log/nginx/access.log main;

OCSP Stapling

The file /etc/nginx/ocsp-stapling.conf.

#
# OCSP Response Stapling
#
# nginx/1.7.0
# OpenSSL 1.0.1f 6 Jan 2014
#

# Staple the OCSP response for the server certificate into the TLS handshake.
# Default: ssl_stapling off;
ssl_stapling on;

# Verify the fetched OCSP response before stapling it. Verification needs the
# issuer chain configured via ssl_trusted_certificate in the same server{};
# without it nginx logs a verification failure and staples nothing.
# Default: ssl_stapling_verify off;
ssl_stapling_verify on;

# DNS servers used to look up the OCSP responder (and upstream server names).
# Only needed when there is no usable resolver or it has to be overridden.
# nginx does not authenticate DNS answers, so point this at a local or
# otherwise trusted resolver rather than an arbitrary public one, and confirm
# stapling actually works (e.g. "openssl s_client -status") before leaving
# this commented out.
# Default: <default DNS resolvers>
#resolver 172.20.10.43 172.20.10.1;

# Serve a pre-fetched OCSP response from a file instead of querying the
# responder named in the certificate. The file must be a single DER-encoded
# response as produced by "openssl ocsp"; the example path below names a
# directory and has to be pointed at the response file itself.
# Default: <unset>
#ssl_stapling_file /etc/dehydrated/certs/;

Onion Sites

The file /etc/nginx/onion-redirect.conf.

#
# Redirect to the .onion site if the client arrives from a known Tor exit IP
#
# Requires, outside the server{} context, a map that sets $isTorExitNode
# (to "true" for exit addresses), and inside the server{} context a variable
# $onionSite. Include only where "if" is valid (server{} or location{}).
#
# $request_uri is appended verbatim, query string included. A 301 is cached
# by browsers, so a visitor who later reaches the clearnet site without Tor
# may still be sent to the onion address; the exit-node list behind the map
# also has to be kept current for the redirect to stay accurate.
#

if ($isTorExitNode = "true") {
    return 301 http://$onionSite$request_uri;
}

PHP Handler

The file /etc/nginx/php-handler.conf.

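#
# Pass requests for PHP scripts to PHP FPM
#
# Requires an "upstream php-backend { ... }" block in the http{} context;
# fastcgi_pass below refers to it by name.
#

# Use index.php as default for '/' requests
index index.php index.html index.htm;

# Catch PHP scripts: anything ending in .php, or .php followed by a trailing
# path (PATH_INFO style URIs such as /app.php/some/route)
location ~ [^/]\.php(/|$) {

    # Split the URI into the script file ($fastcgi_script_name) and the
    # trailing path ($fastcgi_path_info)
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;

    # Refuse the request unless the script file really exists. Besides a
    # clean 404 this keeps URIs like /uploads/image.jpg/x.php away from the
    # backend, where PHP's cgi.fix_pathinfo could otherwise fall back to
    # executing the uploaded file.
    if (!-f $document_root$fastcgi_script_name) {
        return 404;
    }

    # Pass the request to PHP FPM via FastCGI backend
    fastcgi_pass php-backend;

    # Script filename to append if URI ends with a slash
    fastcgi_index index.php;

    # Environment variables to send to the FastCGI backend: the parameter set
    # from /etc/nginx/fastcgi.conf, which carries SCRIPT_FILENAME and the
    # httpoxy mitigation (HTTP_PROXY ""). The fastcgi_params file shipped
    # with upstream nginx provides neither.
    include fastcgi.conf;

}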

Server Maintenance

The file /etc/nginx/server-maintenance.conf.

# Web Site Maintenance
#
# If included in a server{} configuration all requests
# are denied with HTTP error 503 and a maintenance information page displayed.
#
# The page itself is not defined here: the including server{} needs an
# error_page 503 directive pointing at the maintenance document, otherwise
# clients receive nginx's built-in 503 body.
#
# Exactly one "set $RetryAfter" line should be active.
#

# Retry in 5 minutes
#set $RetryAfter '300';

# Retry in 15 minutes
#set $RetryAfter '900';

# Retry in one hour
#set $RetryAfter '3600';

# Retry after one day
set $RetryAfter '86400';

# Retry after one week
#set $RetryAfter '604800';

# Retry at specific time
# (Retry-After also accepts an HTTP-date; the value below is a placeholder,
# 30 Feb does not exist)
#set $RetryAfter 'Tue, 30 Feb 2015 17:00:00 GMT';

# Set Retry-After header
# "always" is required because 503 is an error status and add_header would
# otherwise be skipped for it.
add_header 'Retry-After' $RetryAfter always;

# Unconditional Maintenance, no one can bypass the maintenance-mode.
# This return ends processing for every request, so the bypass variants and
# the final break below only take effect once it is commented out.
return 503;

# Allow a specific IPv6 address to bypass maintenance-mode
# $remote_addr is compared as a string: for IPv6 it must match the canonical
# textual form nginx produces, and with realip in use it is the address taken
# from the trusted proxy header. 2001:db8::/32 is the documentation prefix;
# the addresses below are placeholders.
#if ($remote_addr != "2001:db8:c0de:aded:b08f:9298:32db") {
#    return 503;
#    break;
#}

# Allow a specific IPv6 prefix to bypass maintenance-mode
#if ($remote_addr !~* "2001:db8:c0de:aded:.*") {
#    return 503;
#    break;
#}

# No further processing (reached only by clients that pass an active bypass)
break;