
Nginx nginx.conf tweaks

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by dorobo, Jun 21, 2014.

  1. dorobo

    dorobo Active Member

    Can we discuss how we can improve nginx.conf so that we could squeeze out some more performance and better security?


    I saw this link
    Code:
    https://gist.github.com/plentz/6737338
    and it has the following additional lines:

    Code:
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
    The description of each is explained in the link. What do you think?
  2. eva2000

    eva2000 Administrator Staff Member

    I believe those are specific to SSL / https usage? And they would be dependent on what web sites you are serving, so it can't really be something you implement by default on all Centmin Mod servers. You'd have to decide for yourself which to enable for your specific SSL https Nginx based web sites.
     
  3. rdan

    rdan Well-Known Member

    Based on my experience, specific to XenForo under https:
    add_header X-Frame-Options SAMEORIGIN;
    - already a duplicate, as it is already declared by XenForo.

    add_header X-XSS-Protection "1; mode=block";
    - do not use, or else some XenForo features may not work correctly.
     
  4. eva2000

    eva2000 Administrator Staff Member

    Indeed it does; checking the forum's HTTP headers here:

    Code:
    x-page-speed    1.8.31.3-4009
    date    Sat, 21 Jun 2014 10:18:14 GMT
    content-encoding    gzip
    server    nginx
    x-frame-options    SAMEORIGIN
    strict-transport-security    max-age=31536000; includeSubdomains
    content-type    text/html; charset=UTF-8
    status    200
    cache-control    max-age=0, no-cache
    alternate-protocol    443:npn-spdy/3
    version    HTTP/1.1
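    The header dump above and rdan's note about X-Frame-Options being declared twice suggest a quick check before adding headers in nginx.conf: audit a captured response for the headers dorobo listed and flag any that arrive more than once. The following is an added example, not code from the thread or from Centmin Mod; the sample response is constructed to mirror the dump above with X-Frame-Options repeated, and the set of expected headers is an assumption.

```python
# Added example: audit security headers in a captured HTTP response.
# Constructed sample modelled on the header dump in this thread, with
# X-Frame-Options emitted twice (e.g. once by nginx add_header and once
# by the application), which is the duplication rdan describes.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Date: Sat, 21 Jun 2014 10:18:14 GMT
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000; includeSubdomains
Content-Encoding: gzip
"""

# Assumed baseline, taken from the headers discussed in the thread.
# None means "any value is acceptable"; CSP is site-specific by nature.
EXPECTED = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "content-security-policy": None,
    "strict-transport-security": None,
}


def parse_headers(raw):
    """Return [(name_lowercase, value), ...] from a raw response head."""
    headers = []
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def audit_headers(raw):
    """Report expected headers that are missing, have an unexpected
    value, or are sent more than once (one source should own each)."""
    headers = parse_headers(raw)
    counts = {}
    for name, _ in headers:
        counts[name] = counts.get(name, 0) + 1
    present = dict(headers)
    findings = {"missing": [], "unexpected_value": [], "duplicate": []}
    for name, want in EXPECTED.items():
        if name not in present:
            findings["missing"].append(name)
        elif want is not None and present[name] != want:
            findings["unexpected_value"].append(name)
    findings["missing"].sort()
    findings["duplicate"] = sorted(n for n, c in counts.items() if c > 1)
    return findings


if __name__ == "__main__":
    print(audit_headers(SAMPLE_RESPONSE))
```

A real capture can be fed in from `curl -sI https://example.invalid` (placeholder host) written to a file and read into `audit_headers`.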