Extra Settings

It is worth having the following settings prepared so they can be included quickly and easily wherever they are needed. They are not included automatically.

Cloudflare

The file /etc/nginx/cloudflare.conf.

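#
# Cloudflare protected and accelerated servers
# https://www.cloudflare.com/ips/
#
# Include from the http{} context only: log_format below is valid in
# http{} alone, and ssl_verify_client then applies to every server{}
# that inherits it.
#

# TLS Authenticated Origin Pulls
# cloudflare.crt is expected to hold Cloudflare's origin-pull CA
# certificate. With verification on, a TLS client that presents no
# certificate chaining to it is rejected at the handshake, so requests
# that reach the origin without passing through Cloudflare never get
# to the HTTP layer.
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;

# Trusted proxy ranges. Every address listed here may override the client
# address through the header named in real_ip_header below, and anything
# evaluated on $remote_addr afterwards (allow/deny lists, logs) trusts
# that value. A range Cloudflare has since released would let its new
# holder forge client addresses, so keep the list in sync with the
# published one; it changes over time.

# Cloudflare allocated IPv4 addresses
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 199.27.128.0/21;

# Cloudflare allocated IPv6 addresses
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;

# Change the originating IP
# Only honoured when the connection comes from one of the ranges above;
# the header is ignored for any other peer.
real_ip_header     CF-Connecting-IP;

# Log CF-RAY header
# Helps with tracing a request through Cloudflare's network.
# Same fields as the stock "combined" format plus $http_cf_ray at the end.
# The quoted strings are concatenated verbatim, so every separating
# space has to live inside the quotes; the original had none before
# $http_cf_ray, which glued the ray id onto the user-agent field.
log_format cf_custom '$remote_addr - $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent '
                    '"$http_referer" "$http_user_agent" '
                    '$http_cf_ray';

access_log  /var/log/nginx/cf_access.log cf_custom;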

FastCGI

The file /etc/nginx/fastcgi.conf.

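#
# FastCGI Settings
#
# Environment passed to the FastCGI backend; include from a location{}
# that uses fastcgi_pass (see php-handler.conf). Values are aligned in
# one column for readability only; nginx ignores the extra spaces.
#

#
# httpoxy Mitigation - See https://httpoxy.org/
# A client-sent "Proxy:" request header is otherwise exported to the
# backend as HTTP_PROXY, which many HTTP client libraries read as their
# outbound proxy setting. Forcing it to an empty string closes that.
#
fastcgi_param  HTTP_PROXY           "";

#
# Pass Nginx variables to the CGI executable environment
#

# Request
fastcgi_param  QUERY_STRING         $query_string;
fastcgi_param  REQUEST_METHOD       $request_method;
fastcgi_param  CONTENT_TYPE         $content_type;
fastcgi_param  CONTENT_LENGTH       $content_length;

# Script
# $fastcgi_script_name and $fastcgi_path_info are the two halves produced
# by fastcgi_split_path_info in the including location. Without that
# directive $fastcgi_path_info is empty and the script name is the whole
# URI path (plus fastcgi_index for URIs ending in a slash).
fastcgi_param  SCRIPT_FILENAME      $document_root$fastcgi_script_name;
fastcgi_param  SCRIPT_NAME          $fastcgi_script_name;
fastcgi_param  PATH_INFO            $fastcgi_path_info;
fastcgi_param  PATH_TRANSLATED      $document_root$fastcgi_path_info;
fastcgi_param  REQUEST_URI          $request_uri;
fastcgi_param  DOCUMENT_URI         $document_uri;
fastcgi_param  DOCUMENT_ROOT        $document_root;
fastcgi_param  SERVER_PROTOCOL      $server_protocol;

# Proxy
fastcgi_param  GATEWAY_INTERFACE    CGI/1.1;
fastcgi_param  SERVER_SOFTWARE      nginx/$nginx_version;

# Network
# REMOTE_ADDR is $remote_addr as nginx sees it, i.e. after any realip
# rewrite from a trusted proxy (see cloudflare.conf).
fastcgi_param  REMOTE_ADDR          $remote_addr;
fastcgi_param  REMOTE_PORT          $remote_port;
fastcgi_param  SERVER_ADDR          $server_addr;
fastcgi_param  SERVER_PORT          $server_port;
fastcgi_param  SERVER_NAME          $server_name;

# Protocol
fastcgi_param  REQUEST_SCHEME       $scheme;
# $https is "on" for TLS connections and empty otherwise; if_not_empty
# omits the parameter on plain HTTP instead of sending HTTPS="".
fastcgi_param  HTTPS                $https if_not_empty;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS      200;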

HSTS

The file /etc/nginx/hsts.conf.

#
# Strict Transport Security (HSTS), RFC 6797
# See https://hstspreload.org/
# See https://tools.ietf.org/html/rfc6797
#
# Include only in server{} blocks that listen with TLS: RFC 6797 says the
# header must not be sent over plain HTTP. nginx does not merge add_header
# across contexts: a server{} or location{} that declares any add_header
# of its own drops every add_header inherited from above, this one
# included, so check the effective response headers after including it.
#
# max-age values (seconds):
# 5 minutes:.......300
# 1 week:......604,800
# 1 month:...2,592,000
# 18 weeks:.10,886,400 <- Chrome Browser preload minimum (at time of writing)
# 6 months:.15,768,000 <- Mozilla minimum
# 1 year:...31,536,000 <- Mozilla recommended
# 2 years:..63,072,000 <- Chrome Browser preload recommended
# The preload requirements have changed over time; check hstspreload.org
# before submitting.
#
# "includeSubDomains" forces HTTPS for every subdomain and "preload" is
# the request to be hard-coded into browser preload lists, which is slow
# to undo. Both belong here only once every host under the domain serves
# TLS.
#
add_header  Strict-Transport-Security
    'max-age=63072000; includeSubDomains; preload' always;

Local Access Only

The file /etc/nginx/local-access-only.conf.

 1#
 2# Private LAN only access allowed
 3#
 4
 5# Allow UNIX local sockets
 6allow	unix:;
 7
 8# Allow localhost
 9allow	127.0.0.0/8;
10allow   ::1;
11
12# Private IPv4 addresses (RFC 1918)
13allow   10.0.0.0/8;
14allow   172.16.0.0/12;
15allow   192.168.0.0/16;
16
17# Private IPv6 addresses (RFC 4193)
18allow   fc00::/7;
19
20# Link-local IPv4 addresses (RFC 6890 and RFC 3927)
21deny    169.254.0.0/24;
22deny    169.254.255.0/24;
23allow   169.254.0.0/16;
24
25# Link-local IPv6 addresses (RFC 4862 and RFC 4291)
26allow   fe80::/10;
27
28# Global IPv6 subnet assigned to us by our ISP
29allow   2001:db8:c0de::/64;
30
31# Deny access to rest of the world
32deny    all;

Debug-Logging

The file /etc/nginx/log-debug.conf.

 1#
 2# log-debug.conf
 3# Nginx logging configuration
 4#
 5# Ususally we disable all logging with the automatic inclusion of
 6# http-conf.d/log-nothing.conf on the http{} level..
 7#
 8# For debugging, include this file in any server{} or location{} temporarely.
 9#
10# 	include log-debug.conf;
11#
12# and reload Nginx:
13#	sudo nginx -t && sudo nginx -s reload
14#
15
16# Default error log file
17# Error log levels:
18#	debug | info | notice | warn | error | crit | alert | emerg
19error_log		/var/log/nginx/error.log info;
20
21# Path, format, and configuration for buffered log writes
22access_log 		/var/log/nginx/access.log main;
23
24# Log subrequests
25log_subrequest 	on;	# May be 'on' or 'off'
26
27# Log 404 not found errors
28log_not_found 	on;	# May be 'on' or 'off'
29
30# Log rewrite processing
31rewrite_log 	on;	# May be 'on' or 'off'

OCSP Stapling

The file /etc/nginx/ocsp-stapling.conf.

#
# OCSP Response Stapling
#
# Written against:
# nginx/1.7.0
# OpenSSL 1.0.1f 6 Jan 2014

#
# Enables or disables stapling of OCSP responses by the server.
# Default: ssl_stapling off;
ssl_stapling on;

#
# Enables or disables verification of OCSP responses by the server.
# Verification needs the issuer chain of the server certificate loaded via
# ssl_trusted_certificate (not set in this file); without it the fetched
# response fails verification and nothing is stapled. Stapling also needs
# a resolver (next directive) to look up the responder host name.
# Default: ssl_stapling_verify off;
ssl_stapling_verify on;

#
# DNS servers used to resolve names for OCSP servers (and upstream servers)
# nginx does not fall back to the system resolver at run time, so the OCSP
# responder host name can only be resolved when a resolver is configured
# here or in an enclosing context. Point it at a resolver you control; the
# two addresses below are an example.
# Default: none
#resolver 172.20.10.43 172.20.10.1;

#
# When set, the stapled OCSP response will be taken from the specified file
# instead of querying the OCSP responder specified in the server certificate.
# The file should be in the DER format as produced by the "openssl ocsp"
# command. The directive takes a single file; the directory path below is
# a placeholder to replace with the actual response file.
# Default: <unset>
#ssl_stapling_file /etc/dehydrated/certs/;

Onion Sites

The file /etc/nginx/onion-redirect.conf.

 1#
 2# Redirect to the .onion site if client is coming from a known Tor-Exit IP
 3#
 4# Needs Nginx map defined as $isTorExitNode outside server{} context.
 5# Needs Nginx variable $onionSite set inside server{} context.
 6#
 7
 8if ($isTorExitNode = "true") {
 9  return	301 http://$onionSite$request_uri;
10}

PHP Handler

The file /etc/nginx/php-handler.conf.

 1#
 2# Pass requests for PHP scripts to PHP FPM
 3#
 4
 5# Use index.php as default for '/' requests
 6index index.php index.html index.htm;
 7
 8# Catch PHP scripts
 9location ~ [^/]\.php(/|$) {
10
11    # Split requests in script-file and trailing path
12    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
13
14    # Check for existence of script-file before sending to backend
15    if (!-f $document_root$fastcgi_script_name) {
16        return 404;
17    }
18
19    # Pass the request to PHP FPM via FastCGI backend
20    fastcgi_pass php-backend;
21
22    # Script filename tp append if URI ends with a slash
23    fastcgi_index index.php;
24
25    # Environment variables to send to the FastCGI backend
26    include fastcgi_params;
27
28}

Server Maintenance

The file /etc/nginx/server-maintenance.conf.

# Web Site Maintenance
#
# If included in a server{} configuration all requests
# are denied with HTTP error 503 and a maintenance information page displayed.
# The page itself comes from an error_page 503 definition elsewhere in the
# server{} (not part of this file); without one nginx serves its built-in
# 503 page.
#
# $RetryAfter becomes the Retry-After response header: either a number of
# seconds or an HTTP-date. Exactly one of the set lines below should be
# active.
#

# Retry in 5 minutes
#set $RetryAfter '300';

# Retry in 15 minutes
#set $RetryAfter '900';

# Retry in one hour
#set $RetryAfter '3600';

# Retry after one day
set $RetryAfter '86400';

# Retry after one week
#set $RetryAfter '604800';

# Retry at specific time (IMF-fixdate format; constructed example date)
#set $RetryAfter 'Tue, 03 Feb 2015 17:00:00 GMT';

# Set Retry-After header
# "always" is required: without it add_header only applies to success and
# redirect responses, not to the 503 returned below.
add_header 'Retry-After' $RetryAfter always;

# Unconditional Maintenance, no one can bypass the maintenance-mode.
# return ends request processing here; the bypass variants and the final
# break below only take effect once this line is commented out.
return 503;

# Allow a specific IPv6 address to bypass maintenance-mode
# (example address inside the 2001:db8::/32 documentation prefix)
#if ($remote_addr != "2001:db8:c0de:aded::1") {
#    return 503;
#}

# Allow a specific IPv6 prefix to bypass maintenance-mode
# Textual matching of $remote_addr is fragile for IPv6 because the address
# is printed in compressed form; an allow/deny list or a geo map keyed on
# the prefix is the safer tool if this variant is used.
#if ($remote_addr !~* "2001:db8:c0de:aded:.*") {
#    return 503;
#}

# No further processing
break;