[
  {
    "path": "Dockerfile",
    "content": "FROM nginx:1.10.2\nMAINTAINER Kyle Mathews \"mathews.kyle@gmail.com\"\n\nRUN rm /etc/nginx/nginx.conf /etc/nginx/mime.types\nCOPY nginx.conf /etc/nginx/nginx.conf\nCOPY basic.conf /etc/nginx/basic.conf\nCOPY mime.types /etc/nginx/mime.types\nRUN mkdir /etc/nginx/ssl\nCOPY default /etc/nginx/sites-enabled/default\nCOPY default-ssl /etc/nginx/sites-available/default-ssl\nCOPY directive-only /etc/nginx/directive-only\nCOPY location /etc/nginx/location\n\n# expose both the HTTP (80) and HTTPS (443) ports\nEXPOSE 80 443\n\nCMD [\"nginx\"]\n\n"
  },
  {
    "path": "LICENSE.txt",
    "content": "MIT License\n\nCopyright (c) 2017 Kyle Mathews\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "README.md",
    "content": "docker-nginx\n============\n\nA high-performance Nginx base image for Docker to serve static websites. It will serve anything in the `/var/www` directory.\n\nTo build a Docker image for your site, you'll need to create a `Dockerfile`. For example, if your site is in a directory called `src/`, you could create this `Dockerfile`:\n\n    FROM kyma/docker-nginx\n    COPY src/ /var/www\n    CMD 'nginx'\n\nThen build and run it:\n\n    $ docker build -t mysite .\n    ...\n    Successfully built 5ae2fb5cf4f8\n    $ docker run -p 80:80 -d mysite\n    da809981545f\n    $ curl localhost\n    ...\n\nDocker Hub\n----------\nThe trusted build information can be found on the Docker Hub at https://registry.hub.docker.com/u/kyma/docker-nginx/.\n\nSSL\n---\n\nTo use SSL, put your certs in `/etc/nginx/ssl` and enable the `default-ssl` site:\n\n    ADD server.crt /etc/nginx/ssl/\n    ADD server.key /etc/nginx/ssl/\n    RUN ln -s /etc/nginx/sites-available/default-ssl /etc/nginx/sites-enabled/default-ssl\n\nKeep in mind that a private key added with `ADD` is stored in the image's layers, so anyone who can pull the image can read it; keep such an image private, or mount the key into the container at run time instead.\n\nWhen you run it, you'll want to make port 443 available, e.g.:\n\n    $ docker run -p 80:80 -p 443:443 -d mysite\n\n\nnginx.conf\n---------\n\nThe nginx.conf and mime.types are pulled with slight modifications from\nthe h5bp Nginx HTTP server boilerplate configs project at\nhttps://github.com/h5bp/server-configs-nginx\n\nCustomized configs\n------------------\n\nTo modify the NGINX config, you would just create a custom Dockerfile like the following\nwhere you copy in your modified config files.\n\n```dockerfile\n# Guide here:\n# https://github.com/KyleAMathews/docker-nginx\n\n# Build docker file\n# docker build -t CONTAINERNAME .\n\n# Build from this repo's image\nFROM kyma/docker-nginx\n\n# Example if you wanna swap the default server file.\nCOPY path/to/your/default /etc/nginx/sites-enabled/default\n\n# Add src.\nCOPY src/ /var/www\n\nCMD 'nginx'\n```\n"
  },
  {
    "path": "basic.conf",
    "content": "# Basic h5bp rules\n\ninclude /etc/nginx/directive-only/x-ua-compatible.conf;\ninclude /etc/nginx/location/expires.conf;\ninclude /etc/nginx/location/cross-domain-fonts.conf;\ninclude /etc/nginx/location/protect-system-files.conf;"
  },
  {
    "path": "default",
    "content": "server {\n    root /var/www;\n    index index.html index.htm;\n\n    # Make site accessible from http://localhost/\n    server_name localhost;\n\n    # Add 1 week expires header for static assets\n    location ~* \\.(js|css|png|jpg|jpeg|gif|ico)$ {\n        expires 1w;\n    }\n\n    location / {\n        # First attempt to serve request as file, then\n        # as directory, then fall back to redirecting to index.html\n        try_files $uri $uri/ @root;\n    }\n\n    # If nginx can't find a file, fallback to the homepage.\n    location @root {\n        rewrite .* / redirect;\n    }\n\n    include /etc/nginx/basic.conf;\n}\n"
  },
  {
    "path": "default-ssl",
    "content": "server {\n    listen 443;\n\n    root /var/www;\n    index index.html index.htm;\n\n    ssl on;\n    ssl_certificate /etc/nginx/ssl/server.crt;\n    ssl_certificate_key /etc/nginx/ssl/server.key;\n}\n"
  },
  {
    "path": "directive-only/cache-file-descriptors.conf",
    "content": "# This tells Nginx to cache open file handles, \"not found\" errors, metadata about files and their permissions, etc.\n#\n# The upside of this is that Nginx can immediately begin sending data when a popular file is requested,\n# and will also know to immediately send a 404 if a file is missing on disk, and so on.\n#\n# However, it also means that the server won't react immediately to changes on disk, which may be undesirable.\n#\n# In the below configuration, inactive files are released from the cache after 20 seconds, whereas\n# active (recently requested) files are re-validated every 30 seconds.\n#\n# Descriptors will not be cached unless they are used at least 2 times within 20 seconds (the inactive time).\n#\n# A maximum of the 1000 most recently used file descriptors can be cached at any time.\n#\n# Production servers with stable file collections will definitely want to enable the cache.\nopen_file_cache          max=1000 inactive=20s;\nopen_file_cache_valid    30s;\nopen_file_cache_min_uses 2;\nopen_file_cache_errors   on;\n"
  },
  {
    "path": "directive-only/cross-domain-insecure.conf",
    "content": "# Cross domain AJAX requests\n\n# http://www.w3.org/TR/cors/#access-control-allow-origin-response-header\n\n# **Security Warning**\n# Do not use this without understanding the consequences.\n# This will permit access from any other website.\n#\nadd_header \"Access-Control-Allow-Origin\" \"*\";\n\n# Instead of using this file, consider using a specific rule such as:\n#\n# Allow access based on [sub]domain:\n#    add_header \"Access-Control-Allow-Origin\" \"subdomain.example.com\";\n"
  },
  {
    "path": "directive-only/extra-security.conf",
    "content": "# The X-Frame-Options header indicates whether a browser should be allowed\n# to render a page within a frame or iframe.\nadd_header X-Frame-Options SAMEORIGIN;\n\n# MIME type sniffing security protection\n#\tThere are very few edge cases where you wouldn't want this enabled.\nadd_header X-Content-Type-Options nosniff;\n\n# The X-XSS-Protection header is used by Internet Explorer version 8+\n# The header instructs IE to enable its inbuilt anti-cross-site scripting filter.\nadd_header X-XSS-Protection \"1; mode=block\";\n\n# With Content Security Policy (CSP) enabled (and a browser that supports it: http://caniuse.com/#feat=contentsecuritypolicy),\n# you can tell the browser that it can only download content from the domains you explicitly allow.\n# CSP can be quite difficult to configure, and can cause real issues if you get it wrong.\n# There is a website that helps you generate a policy here: http://cspisawesome.com/\n# add_header Content-Security-Policy \"default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;\";\n"
  },
  {
    "path": "directive-only/no-transform.conf",
    "content": "# Prevent mobile network providers from modifying your site\n#\n# (!) If you are using `ngx_pagespeed`, please note that setting\n# the `Cache-Control: no-transform` response header will prevent\n# `PageSpeed` from rewriting `HTML` files, and, if\n# `pagespeed DisableRewriteOnNoTransform off` is not used, also\n# from rewriting other resources.\n#\n# https://developers.google.com/speed/pagespeed/module/configuration#notransform\n\nadd_header \"Cache-Control\" \"no-transform\";\n"
  },
  {
    "path": "directive-only/spdy.conf",
    "content": "# Nginx's spdy module is compiled by default from 1.6\n# SPDY only works on HTTPS connections\n\n# Inform browser of SPDY availability\nadd_header Alternate-Protocol  443:npn-spdy/3;\n\n# Adjust connection keepalive for SPDY clients:\nspdy_keepalive_timeout 300s; # up from 180 secs default\n\n# enable SPDY header compression\nspdy_headers_comp 6;\n"
  },
  {
    "path": "directive-only/ssl-stapling.conf",
    "content": "# OCSP stapling...\nssl_stapling on;\nssl_stapling_verify on;\n\n#trusted cert must be made up of your intermediate certificate followed by root certificate\n#ssl_trusted_certificate /path/to/ca.crt;\n\nresolver 8.8.8.8 8.8.4.4 216.146.35.35 216.146.36.36 valid=60s;\nresolver_timeout 2s;\n"
  },
  {
    "path": "directive-only/ssl.conf",
    "content": "# Protect against the BEAST and POODLE attacks by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add\n# SSLv3 to the list of protocols below.\nssl_protocols              TLSv1 TLSv1.1 TLSv1.2;\n\n# Ciphers set to best allow protection from BEAST, while providing forward secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx\nssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;\nssl_prefer_server_ciphers  on;\n\n# Optimize SSL by caching session parameters for 10 minutes. 
This cuts down on the number of expensive SSL handshakes.\n# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.\n# By enabling a cache (of type \"shared between all Nginx workers\"), we tell the client to re-use the already negotiated state.\n# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.\nssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions\nssl_session_timeout  24h;\n\n# SSL buffer size was added in 1.5.9\n#ssl_buffer_size      1400; # 1400 bytes to fit in one MTU\n\n# Session tickets appeared in version 1.5.9\n#\n# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and\n# when a restart is performed the previous key is lost, which resets all previous\n# sessions. The fix for this is to setup a manual rotation mechanism:\n# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx\n#\n# Note that you'll have to define and rotate the keys securely by yourself. 
In the absence\n# of such infrastructure, consider turning off session tickets:\n#ssl_session_tickets off;\n\n# Use a higher keepalive timeout to reduce the need for repeated handshakes\nkeepalive_timeout 300s; # up from 75 secs default\n\n# HSTS (HTTP Strict Transport Security)\n# This header tells browsers to remember for a year that this site must be reached exclusively via HTTPS.\n#add_header Strict-Transport-Security \"max-age=31536000;\";\n# This version tells browsers to treat all subdomains the same as this site and to load exclusively over HTTPS\n#add_header Strict-Transport-Security \"max-age=31536000; includeSubdomains;\";\n\n# This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).\n# Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.\n#ssl_certificate      /etc/nginx/default_ssl.crt;\n#ssl_certificate_key  /etc/nginx/default_ssl.key;\n\n# Consider using OCSP Stapling as shown in ssl-stapling.conf\n"
  },
  {
    "path": "directive-only/x-ua-compatible.conf",
    "content": "# Force the latest IE version\nadd_header \"X-UA-Compatible\" \"IE=Edge\";\n"
  },
  {
    "path": "location/cache-busting.conf",
    "content": "# Built-in filename-based cache busting\n\n# https://github.com/h5bp/html5-boilerplate/blob/5370479476dceae7cc3ea105946536d6bc0ee468/.htaccess#L403\n# This will route all requests for /css/style.20120716.css to /css/style.css\n# Read also this: github.com/h5bp/html5-boilerplate/wiki/cachebusting\n# This is not included by default, because it'd be better if you use the build\n# script to manage the file names.\nlocation ~* (.+)\\.(?:\\d+)\\.(js|css|png|jpg|jpeg|gif)$ {\n  try_files $uri $1.$2;\n}\n"
  },
  {
    "path": "location/cross-domain-fonts.conf",
    "content": "# Cross domain webfont access\nlocation ~* \\.(?:ttf|ttc|otf|eot|woff|woff2)$ {\n  include /etc/nginx/directive-only/cross-domain-insecure.conf;\n\n  # Also, set cache rules for webfonts.\n  #\n  # See http://wiki.nginx.org/HttpCoreModule#location\n  # And https://github.com/h5bp/server-configs/issues/85\n  # And https://github.com/h5bp/server-configs/issues/86\n  expires 1M;\n  access_log off;\n  add_header Cache-Control \"public\";\n}\n"
  },
  {
    "path": "location/expires.conf",
    "content": "# Expire rules for static content\n\n# No default expire rule. This config mirrors that of apache as outlined in the\n# html5-boilerplate .htaccess file. However, nginx applies rules by location,\n# the apache rules are defined by type. A consequence of this difference is that\n# if you use no file extension in the url and serve html, with apache you get an\n# expire time of 0s, with nginx you'd get an expire header of one month in the\n# future (if the default expire rule is 1 month). Therefore, do not use a\n# default expire rule with nginx unless your site is completely static\n\n# cache.appcache, your document html and data\nlocation ~* \\.(?:manifest|appcache|html?|xml|json)$ {\n  expires -1;\n  access_log /var/log/nginx/static.log;\n}\n\n# Feed\nlocation ~* \\.(?:rss|atom)$ {\n  expires 1h;\n  add_header Cache-Control \"public\";\n}\n\n# Media: images, icons, video, audio, HTC\nlocation ~* \\.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {\n  expires 1M;\n  access_log off;\n  add_header Cache-Control \"public\";\n}\n\n# CSS and Javascript\nlocation ~* \\.(?:css|js)$ {\n  expires 1y;\n  access_log off;\n  add_header Cache-Control \"public\";\n}\n\n# WebFonts\n# If you are NOT using cross-domain-fonts.conf, uncomment the following directive\n# location ~* \\.(?:ttf|ttc|otf|eot|woff|woff2)$ {\n#  expires 1M;\n#  access_log off;\n#  add_header Cache-Control \"public\";\n# }\n"
  },
  {
    "path": "location/protect-system-files.conf",
    "content": "# Prevent clients from accessing hidden files (starting with a dot)\n# This is particularly important if you store .htpasswd files in the site hierarchy\n# Access to `/.well-known/` is allowed.\n# https://www.mnot.net/blog/2010/04/07/well-known\n# https://tools.ietf.org/html/rfc5785\nlocation ~* /\\.(?!well-known\\/) {\n  deny all;\n}\n\n# Prevent clients from accessing backup/config/source files\nlocation ~* (?:\\.(?:bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$ {\n  deny all;\n}\n"
  },
  {
    "path": "mime.types",
    "content": "types {\n\n# Audio\n  audio/midi                            mid midi kar;\n  audio/mp4                             aac f4a f4b m4a;\n  audio/mpeg                            mp3;\n  audio/ogg                             oga ogg;\n  audio/x-realaudio                     ra;\n  audio/x-wav                           wav;\n\n# Images\n  image/bmp                             bmp;\n  image/gif                             gif;\n  image/jpeg                            jpeg jpg;\n  image/png                             png;\n  image/tiff                            tif tiff;\n  image/vnd.wap.wbmp                    wbmp;\n  image/webp                            webp;\n  image/x-icon                          ico cur;\n  image/x-jng                           jng;\n\n# JavaScript\n  application/javascript                js;\n  application/json                      json;\n\n# Manifest files\n  application/x-web-app-manifest+json   webapp;\n  text/cache-manifest                   manifest appcache;\n\n# Microsoft Office\n  application/msword                                                         doc;\n  application/vnd.ms-excel                                                   xls;\n  application/vnd.ms-powerpoint                                              ppt;\n  application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;\n  application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;\n  application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;\n\n# Video\n  video/3gpp                            3gpp 3gp;\n  video/mp4                             mp4 m4v f4v f4p;\n  video/mpeg                            mpeg mpg;\n  video/ogg                             ogv;\n  video/quicktime                       mov;\n  video/webm                            webm;\n  video/x-flv                           flv;\n  video/x-mng                           mng;\n  video/x-ms-asf                        asx asf;\n  
video/x-ms-wmv                        wmv;\n  video/x-msvideo                       avi;\n\n# Web feeds\n  application/xml                       atom rdf rss xml;\n\n# Web fonts\n  application/font-woff                 woff;\n  application/vnd.ms-fontobject         eot;\n  application/x-font-ttf                ttc ttf;\n  font/opentype                         otf;\n  image/svg+xml                         svg svgz;\n\n# Other\n  application/java-archive              jar war ear;\n  application/mac-binhex40              hqx;\n  application/pdf                       pdf;\n  application/postscript                ps eps ai;\n  application/rtf                       rtf;\n  application/vnd.wap.wmlc              wmlc;\n  application/xhtml+xml                 xhtml;\n  application/vnd.google-earth.kml+xml  kml;\n  application/vnd.google-earth.kmz      kmz;\n  application/x-7z-compressed           7z;\n  application/x-chrome-extension        crx;\n  application/x-opera-extension         oex;\n  application/x-xpinstall               xpi;\n  application/x-cocoa                   cco;\n  application/x-java-archive-diff       jardiff;\n  application/x-java-jnlp-file          jnlp;\n  application/x-makeself                run;\n  application/x-perl                    pl pm;\n  application/x-pilot                   prc pdb;\n  application/x-rar-compressed          rar;\n  application/x-redhat-package-manager  rpm;\n  application/x-sea                     sea;\n  application/x-shockwave-flash         swf;\n  application/x-stuffit                 sit;\n  application/x-tcl                     tcl tk;\n  application/x-x509-ca-cert            der pem crt;\n  application/x-bittorrent              torrent;\n  application/zip                       zip;\n\n  application/octet-stream              bin exe dll;\n  application/octet-stream              deb;\n  application/octet-stream              dmg;\n  application/octet-stream              iso img;\n  application/octet-stream              
msi msp msm;\n  application/octet-stream              safariextz;\n\n  text/css                              css;\n  text/html                             html htm shtml;\n  text/mathml                           mml;\n  text/plain                            txt;\n  text/vnd.sun.j2me.app-descriptor      jad;\n  text/vnd.wap.wml                      wml;\n  text/vtt                              vtt;\n  text/x-component                      htc;\n  text/x-vcard                          vcf;\n\n}\n"
  },
  {
    "path": "nginx.conf",
    "content": "# nginx Configuration File\n# http://wiki.nginx.org/Configuration\n\n# Run as a less privileged user for security reasons.\nuser nginx;\n\n# How many worker threads to run;\n# \"auto\" sets it to the number of CPU cores available in the system, and\n# offers the best performance. Don't set it higher than the number of CPU\n# cores if changing this parameter.\n\n# The maximum number of connections for Nginx is calculated by:\n# max_clients = worker_processes * worker_connections\nworker_processes auto;\n\n# Maximum open file descriptors per process;\n# should be > worker_connections.\nworker_rlimit_nofile 8192;\n\n# Process needs to run in foreground within container\ndaemon off;\n\nevents {\n  # When you need > 8000 * cpu_cores connections, you start optimizing your OS,\n  # and this is probably the point at which you hire people who are smarter than\n  # you, as this is *a lot* of requests.\n  worker_connections 8000;\n\n  multi_accept on;\n  use epoll;\n}\n\n# Log errors and warnings to this file\n# This is only used when you don't override it on a server{} level\nerror_log  /var/log/nginx/error.log warn;\n\npid        /var/run/nginx.pid;\n\nhttp {\n\n  # Hide nginx version information.\n  server_tokens off;\n\n  # Define the MIME types for files.\n  include       /etc/nginx/mime.types;\n  default_type  application/octet-stream;\n\n  # Update charset_types due to updated mime.types\n  charset_types text/xml text/plain text/vnd.wap.wml application/x-javascript application/rss+xml text/css application/javascript application/json;\n\n  # Format to use in log files\n  log_format  main  '$remote_addr - $remote_user [$time_local] \"$request\" '\n                    '$status $body_bytes_sent \"$http_referer\" '\n                    '\"$http_user_agent\" \"$http_x_forwarded_for\"';\n\n  # How long to allow each connection to stay idle; longer values are better\n  # for each individual client, particularly for SSL, but means that worker\n  # connections 
are tied up longer. (Default: 65)\n  keepalive_timeout 20;\n\n  # Speed up file transfers by using sendfile() to copy directly\n  # between descriptors rather than using read()/write().\n  sendfile        on;\n\n  # Tell Nginx not to send out partial frames; this increases throughput\n  # since TCP frames are filled up before being sent out. (adds TCP_CORK)\n  tcp_nopush      on;\n\n  # Tell Nginx to enable the Nagle buffering algorithm for TCP packets, which\n  # collates several smaller packets together into one larger packet, thus saving\n  # bandwidth at the cost of a nearly imperceptible increase to latency. (removes TCP_NODELAY)\n  tcp_nodelay     off;\n\n\n  # Compression\n\n  # Enable Gzip compressed.\n  gzip on;\n\n  # Enable compression both for HTTP/1.0 and HTTP/1.1 (required for CloudFront).\n  gzip_http_version  1.0;\n\n  # Compression level (1-9).\n  # 5 is a perfect compromise between size and cpu usage, offering about\n  # 75% reduction for most ascii files (almost identical to level 9).\n  gzip_comp_level    5;\n\n  # Don't compress anything that's already small and unlikely to shrink much\n  # if at all (the default is 20 bytes, which is bad as that usually leads to\n  # larger files after gzipping).\n  gzip_min_length    256;\n\n  # Compress data even for clients that are connecting to us via proxies,\n  # identified by the \"Via\" header (required for CloudFront).\n  gzip_proxied       any;\n\n  # Tell proxies to cache both the gzipped and regular version of a resource\n  # whenever the client's Accept-Encoding capabilities header varies;\n  # Avoids the issue where a non-gzip capable client (which is extremely rare\n  # today) would display gibberish if their proxy gave them the gzipped version.\n  gzip_vary          on;\n\n  # Compress all output labeled with one of the following MIME-types.\n  gzip_types\n    application/atom+xml\n    application/javascript\n    application/json\n    application/rss+xml\n    application/vnd.ms-fontobject\n    
application/x-font-ttf\n    application/x-web-app-manifest+json\n    application/xhtml+xml\n    application/xml\n    font/opentype\n    image/svg+xml\n    image/x-icon\n    text/css\n    text/plain\n    text/x-component;\n  # text/html is always compressed by HttpGzipModule\n\n\n  # This should be turned on if you are going to have pre-compressed copies (.gz) of\n  # static files available. If not it should be left off as it will cause extra I/O\n  # for the check. It is best if you enable this in a location{} block for\n  # a specific directory, or on an individual server{} level.\n  # gzip_static on;\n\n  # Protect against the BEAST attack by preferring RC4-SHA when using SSLv3 and TLS protocols.\n  # NOTE: the sentence above does not match the directives below: ssl_protocols does not list SSLv3, and\n  # the cipher list ends with !RC4, which removes every RC4 suite.\n  # Note that TLSv1.1 and TLSv1.2 are immune to the BEAST attack but only work with OpenSSL v1.0.1 and higher and have limited client support.\n  # Ciphers set to best allow protection from BEAST, while providing forward secrecy, as defined by Mozilla - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx\n  ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;\n  ssl_ciphers                \"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4\";\n  ssl_prefer_server_ciphers  on;\n\n  # Optimize SSL by caching session parameters for 10 minutes. 
This cuts down on the number of expensive SSL handshakes.\n  # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.\n  # By enabling a cache (of type \"shared between all Nginx workers\"), we tell the client to re-use the already negotiated state.\n  # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.\n  ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions\n  ssl_session_timeout  10m;\n\n  # This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).\n  # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.\n  #ssl_certificate      /etc/nginx/default_ssl.crt;\n  #ssl_certificate_key  /etc/nginx/default_ssl.key;\n\n  include sites-enabled/*;\n}\n"
  },
  {
    "path": "nginx_signing.key",
    "content": "-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: GnuPG v1.4.11 (FreeBSD)\n\nmQENBE5OMmIBCAD+FPYKGriGGf7NqwKfWC83cBV01gabgVWQmZbMcFzeW+hMsgxH\nW6iimD0RsfZ9oEbfJCPG0CRSZ7ppq5pKamYs2+EJ8Q2ysOFHHwpGrA2C8zyNAs4I\nQxnZZIbETgcSwFtDun0XiqPwPZgyuXVm9PAbLZRbfBzm8wR/3SWygqZBBLdQk5TE\nfDR+Eny/M1RVR4xClECONF9UBB2ejFdI1LD45APbP2hsN/piFByU1t7yK2gpFyRt\n97WzGHn9MV5/TL7AmRPM4pcr3JacmtCnxXeCZ8nLqedoSuHFuhwyDnlAbu8I16O5\nXRrfzhrHRJFM1JnIiGmzZi6zBvH0ItfyX6ttABEBAAG0KW5naW54IHNpZ25pbmcg\na2V5IDxzaWduaW5nLWtleUBuZ2lueC5jb20+iQE+BBMBAgAoBQJOTjJiAhsDBQkJ\nZgGABgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRCr9b2Ce9m/YpvjB/98uV4t\n94d0oEh5XlqEZzVMrcTgPQ3BZt05N5xVuYaglv7OQtdlErMXmRWaFZEqDaMHdniC\nsF63jWMd29vC4xpzIfmsLK3ce9oYo4t9o4WWqBUdf0Ff1LMz1dfLG2HDtKPfYg3C\n8NESud09zuP5NohaE8Qzj/4p6rWDiRpuZ++4fnL3Dt3N6jXILwr/TM/Ma7jvaXGP\nDO3kzm4dNKp5b5bn2nT2QWLPnEKxvOg5Zoej8l9+KFsUnXoWoYCkMQ2QTpZQFNwF\nxwJGoAz8K3PwVPUrIL6b1lsiNovDgcgP0eDgzvwLynWKBPkRRjtgmWLoeaS9FAZV\nccXJMmANXJFuCf26iQEcBBABAgAGBQJOTkelAAoJEKZP1bF62zmo79oH/1XDb29S\nYtWp+MTJTPFEwlWRiyRuDXy3wBd/BpwBRIWfWzMs1gnCjNjk0EVBVGa2grvy9Jtx\nJKMd6l/PWXVucSt+U/+GO8rBkw14SdhqxaS2l14v6gyMeUrSbY3XfToGfwHC4sa/\nThn8X4jFaQ2XN5dAIzJGU1s5JA0tjEzUwCnmrKmyMlXZaoQVrmORGjCuH0I0aAFk\nRS0UtnB9HPpxhGVbs24xXZQnZDNbUQeulFxS4uP3OLDBAeCHl+v4t/uotIad8v6J\nSO93vc1evIje6lguE81HHmJn9noxPItvOvSMb2yPsE8mH4cJHRTFNSEhPW6ghmlf\nWa9ZwiVX5igxcvaIRgQQEQIABgUCTk5b0gAKCRDs8OkLLBcgg1G+AKCnacLb/+W6\ncflirUIExgZdUJqoogCeNPVwXiHEIVqithAM1pdY/gcaQZmIRgQQEQIABgUCTk5f\nYQAKCRCpN2E5pSTFPnNWAJ9gUozyiS+9jf2rJvqmJSeWuCgVRwCcCUFhXRCpQO2Y\nVa3l3WuB+rgKjsQ=\n=A015\n-----END PGP PUBLIC KEY BLOCK-----\n"
  }
]