nginx configuration on Debian sanity check?
Hello,
Can I get a sanity check on this config? I'm running Debian 12, Nginx
1.24.0, and PHP 8.2.
My goal is to have all non-www traffic redirected to the equivalent
www, then all that redirected to https, basically no https no www no
work. I'd also appreciate an assessment of my ssl ciphers, running
protocols 1.2 and 1.3 only and want to ensure I've got the best
security setup.
Thanks.
Dave.
#
# example.com virtual host configuration
#
# enforce HTTPS
# Redirect www.example.com port 80 to www.example.com port 443
server {
listen 80;
server_name www.example.com;
access_log off;
error_log off;
return 301 https://$host$request_uri;
}
# Redirect https://example.com port 80 to https://example.com port 443
server {
listen 80;
access_log off;
error_log off;
server_name example.com;
return 301 https://$server_name$request_uri;
}
### redirect https example.com to https www.example.com
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/ssl/example.com/example.com.fullchain.crt;
ssl_certificate_key /etc/ssl/example.com/example.com.key;
return 301 https://www.example.com$request_uri;
}
# The www.example.com https virtual host
server {
listen 443 ssl http2;
server_name www.example.com;
access_log /var/log/nginx/www.example.com_access.log;
error_log /var/log/nginx/www.example.com_error.log;
# TLS/SSL CONFIG
# RSA certificates (dual config)
ssl_certificate /etc/ssl/example.com/example.com.fullchain.crt;
ssl_certificate_key /etc/ssl/example.com/example.com.key;
# ECC/ECDSA certificates (dual config)
ssl_certificate /etc/ssl/example.com/example.com.fullchain.crt.ecc;
ssl_certificate_key /etc/ssl/example.com/example.com.key.ecc;
# A little bit of optimization
#ssl_session_timeout 1d;
#ssl_session_cache shared:GoofyPizzaSSL:50m;
#ssl_session_tickets off;
#ssl_dhparam /etc/ssl/example.com/dhparams.pem;
# TLS version 1.2 and 1.3 only
#ssl_protocols TLSv1.2 TLSv1.3;
#ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
#ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
#ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
#ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
#ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required)
# *************************************************************************
# WARNING - Wrong headers can create problems. Read docs otherwise
# all 3rd party scripts/ads won't load and in some case
# browser won't work. Read docs @ https://developer.mozilla.org
# *************************************************************************
#add_header Strict-Transport-Security "max-age=63072000" always;
#add_header X-Content-Type-Options "nosniff" always;
#add_header X-Frame-Options "SAMEORIGIN" always;
#add_header X-Xss-Protection "1; mode=block" always;
#add_header Referrer-Policy strict-origin-when-cross-origin always;
#add_header Feature-policy "accelerometer 'none'; camera 'none';
geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone
'none'; payment 'none'; usb 'none'" always;
# ***************************************************************************************************
# WARNING: The HTTP Content-Security-Policy response header allows
sysadmin/developers
# to control resources the user agent is allowed to load for a given page.
# Wrong config can create problems for third party scripts/ad
networks. Hence read the following url:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# ****************************************************************************************************
#add_header content-security-policy "default-src
https://www.example.com:443"; always;
#ssl_stapling on;
#ssl_stapling_verify on;
# Replace with the IP address of your resolver
#resolver 1.1.1.1;
#ssl_buffer_size 8k;
root /var/www/example.com;
index index.php index.html index.nginx-debian.html;
location / {
try_files $uri $uri/ /index.php?$query_string;
}
# Directives to send expires headers and turn off 404 error logging.
#location ~* ^.+\.(css|js|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$
{
#access_log off; log_not_found off; expires max;
#}
# Pass PHP Scripts To FastCGI Server
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/run/php/php8.2-fpm.sock; #depends on PHP versions
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
# Password-protected directory with autoindex
#location /quickdir/ {
#auth_basic "Quickdir Access";
#auth_basic_user_file /var/www/quickdir/htpasswd;
#root /var/www/quickdir/;
#autoindex on;
#}
}
Reply to: