Nginx Are these recommended changes in nginx.conf/newdomain.conf for better security still valid or not?

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by modder, Jan 9, 2020.

  1. modder

    Are these recommended changes in nginx.conf/newdomain.conf for better security still valid for Centmin Mod created websites?

    Source: Best nginx configuration for improved security(and performance).

    Code (Text):
    # read more here http://tautt.com/best-nginx-configuration-for-security/
    
    # don't send the nginx version number in error pages and Server header
    server_tokens off;
    
    # config to not allow the browser to render the page inside a frame or iframe
    # and avoid clickjacking (Clickjacking - Wikipedia)
    # if you need to allow frames, you can use SAMEORIGIN or even set a URI with ALLOW-FROM uri
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    add_header X-Frame-Options SAMEORIGIN;
    
    # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
    # to disable content-type sniffing on some browsers.
    # OWASP Secure Headers Project - OWASP
    # currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
    # Reducing MIME type security risks (Windows)
    # 'soon' on Firefox 471020 - Add X-Content-Type-Options: nosniff support to Firefox
    add_header X-Content-Type-Options nosniff;
    
    # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
    # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
    # this particular website if it was disabled by the user.
    # OWASP Secure Headers Project - OWASP
    add_header X-XSS-Protection "1; mode=block";
    
    # with Content Security Policy (CSP) enabled(and a browser that supports it(Can I use... Support tables for HTML5, CSS3, etc),
    # you can tell the browser that it can only download content from the domains you explicitly allow
    # An Introduction to Content Security Policy - HTML5 Rocks
    # https://www.owasp.org/index.php/Content_Security_Policy
    # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
    # directives for css and js(if you have inline css or js, you will need to keep it too).
    # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
    
    # redirect all http traffic to https
    server {
      listen 80 default_server;
      listen [::]:80 default_server;
      server_name .forgott.com;
      return 301 https://$host$request_uri;
    }
    
    server {
      listen 443 ssl http2;
      listen [::]:443 ssl http2;
      server_name .forgott.com;
    
      ssl_certificate /etc/nginx/ssl/star_forgott_com.crt;
      ssl_certificate_key /etc/nginx/ssl/star_forgott_com.key;
    
      # enable session resumption to improve https performance
      # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
      ssl_session_cache shared:SSL:50m;
      ssl_session_timeout 1d;
      ssl_session_tickets off;
    
      # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
      ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    
      # enables server-side protection from BEAST attacks
      # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
      ssl_prefer_server_ciphers on;
      # disable SSLv3 (enabled by default since nginx 0.8.19) since it's less secure than TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      # ciphers chosen for forward secrecy and compatibility
      # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
      ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    
      # enable ocsp stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
      # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
      resolver 8.8.8.8 8.8.4.4;
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /etc/nginx/ssl/star_forgott_com.crt;
    
      # config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
      # to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
      # also https://hstspreload.org/
      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
    
      # ... the rest of your configuration
    }

     
    Last edited: Jan 9, 2020
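For comparison, here is the same block revised for a current nginx release. This is an added example written for this page; it is not taken from the linked tautt.com article and it is not Centmin Mod's generated vhost. It assumes nginx 1.13 or later built against OpenSSL 1.1.1 (needed for TLSv1.3), uses example.com and the /etc/nginx/ssl/... paths as placeholders, and the Content-Security-Policy value is only a starting point that has to be tailored to the assets the site actually loads. The comments mark what changed against the posted block and why.

```nginx
# Added example: the posted block revised for a current nginx.
# Assumptions: nginx 1.13+ with OpenSSL 1.1.1 (for TLSv1.3); example.com and
# the certificate paths are placeholders; the CSP is a starting point only.

# don't send the nginx version number in error pages and the Server header
server_tokens off;

# redirect all http traffic to https
server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name .example.com;
  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name .example.com;

  # leaf certificate followed by the intermediates, and its private key
  ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;
  ssl_certificate_key /etc/nginx/ssl/example.com.key;

  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them. TLSv1.3 is
  # available when nginx is built against OpenSSL 1.1.1 or newer.
  ssl_protocols TLSv1.2 TLSv1.3;
  # TLSv1.2: AEAD suites with forward secrecy only. The posted list also kept
  # 3DES, plain AES-CBC/SHA and non-ECDHE suites, which are no longer needed
  # for any maintained client. TLSv1.3 suites are not controlled by this list.
  ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
  ssl_prefer_server_ciphers on;
  # only relevant if DHE-* suites are kept in ssl_ciphers
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;

  # session resumption: server-side cache only, tickets off (as in the post)
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;

  # OCSP stapling. With ssl_stapling_verify on, ssl_trusted_certificate must
  # contain the CA chain used to verify the OCSP response, not the server's
  # own certificate file as the posted block has it.
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_trusted_certificate /etc/nginx/ssl/example.com.chain.pem;
  # the resolver is only used to look up the OCSP responder; a local resolver
  # is usually preferable to a public one
  resolver 127.0.0.1 valid=300s;
  resolver_timeout 5s;

  # 'always' (nginx 1.7.5+) emits the header on 4xx/5xx responses too.
  # add_header is NOT inherited by a location block that sets any add_header
  # of its own: repeat the set there, or keep it in a file you include.
  add_header X-Frame-Options SAMEORIGIN always;
  add_header X-Content-Type-Options nosniff always;
  # X-XSS-Protection is ignored by current browsers; CSP replaces it.
  # frame-ancestors is the CSP successor to X-Frame-Options (ALLOW-FROM was
  # never widely supported). Tailor the sources to your own site.
  add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'" always;
  # HSTS: begin with a short max-age and without preload, confirm the whole
  # site (and every subdomain if includeSubDomains is set) works over HTTPS,
  # then raise to 31536000. Preload is very hard to undo.
  add_header Strict-Transport-Security "max-age=300" always;

  # ... the rest of your configuration
}
```

Check the result with `nginx -t` before reloading; a `ssl_trusted_certificate` file that does not contain the issuing chain makes stapling silently fall back to sending no OCSP response rather than failing the config test.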
  2. eva2000

    Some of these are already in the default Centmin Mod generated nginx vhosts, whether enabled or commented out/disabled with a hash in front. Read up on what each does before enabling, especially for CSP (content security policy) and HSTS/preload, as if incorrectly configured you could break the functionality of your web site: DOS (denial of service) your own site with incorrect HSTS, and unintentionally prevent css/js files from loading if CSP isn't configured for your specific site. CSP is not set and forget; you need to tailor the CSP policy to your specific site's loaded web assets/css/js etc.

    server_tokens is already off in /usr/local/nginx/conf/nginx.conf
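Before enabling anything, it helps to see which of these headers a vhost already sends. The following is an added example, not code from either post or from Centmin Mod: a small POSIX sh audit that reads a captured HTTP response header block (in practice the output of `curl -sI https://www.example.com/`, with www.example.com a placeholder) and reports the version leak, missing headers, and a too-short HSTS max-age. Two constructed sample responses are embedded so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): audit a captured HTTP response header
# block for the headers discussed above.
# Real usage:  curl -sI https://www.example.com/ | audit_headers
# (www.example.com is a placeholder). The samples below are constructed.

# Reads raw response headers on stdin, prints one FINDING per line on stderr
# and the number of findings on stdout (0 means every check passed).
audit_headers() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    n=0

    # server_tokens off: the Server header must not carry a version number.
    if printf '%s\n' "$hdrs" | grep -Eq '^server: *nginx/[0-9]'; then
        echo 'FINDING: Server header leaks the nginx version (server_tokens is not off)' >&2
        n=$((n + 1))
    fi

    # Headers that should simply be present on every response.
    for h in x-frame-options x-content-type-options content-security-policy \
             strict-transport-security; do
        if ! printf '%s\n' "$hdrs" | grep -q "^$h:"; then
            echo "FINDING: missing $h" >&2
            n=$((n + 1))
        fi
    done

    # HSTS: a max-age under one year (31536000 s) gives little protection and
    # does not meet the hstspreload.org submission requirement.
    maxage=$(printf '%s\n' "$hdrs" \
        | sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -n "$maxage" ] && [ "$maxage" -lt 31536000 ]; then
        echo "FINDING: strict-transport-security max-age=$maxage is below one year" >&2
        n=$((n + 1))
    fi

    echo "$n"
}

# Constructed sample: a vhost with none of the hardening applied.
sample_bad() {
cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx/1.17.8
Content-Type: text/html
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=300
EOF
}

# Constructed sample: the same site after the headers are in place.
sample_good() {
cat <<'EOF'
HTTP/2 200
server: nginx
content-type: text/html; charset=utf-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
content-security-policy: default-src 'self'; object-src 'none'
strict-transport-security: max-age=31536000; includeSubDomains
EOF
}

echo '--- unhardened sample (findings on stderr, count on stdout) ---'
sample_bad | audit_headers
echo '--- hardened sample ---'
sample_good | audit_headers
```

Run it against both the home page and an error page such as a 404: nginx omits `add_header` headers from error responses unless the `always` parameter is set, so a vhost can pass on `/` and fail on `/missing`. For the CSP itself, the usual way to tailor a policy without breaking the site is to ship it first as `Content-Security-Policy-Report-Only` with a `report-uri`, collect the violations, and only then switch the header name to `Content-Security-Policy`.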