Repository: h5bp/server-configs-nginx
Branch: main
Commit: 545e9cfa86fe
Files: 49
Total size: 106.7 KB
Directory structure:
gitextract_6tgcy6ja/
├── .editorconfig
├── .gitattributes
├── .github/
│ ├── CODEOWNERS
│ ├── CODE_OF_CONDUCT.md
│ ├── CONTRIBUTING.md
│ ├── FUNDING.yml
│ ├── dependabot.yml
│ └── workflows/
│ ├── auto-merge.yml
│ ├── lint.yml
│ └── server.yml
├── .gitignore
├── CHANGELOG.md
├── LICENSE.txt
├── README.md
├── conf.d/
│ ├── .default.conf
│ ├── no-ssl.default.conf
│ └── templates/
│ ├── example.com.conf
│ └── no-ssl.example.com.conf
├── h5bp/
│ ├── basic.conf
│ ├── cross-origin/
│ │ ├── requests.conf
│ │ └── resource_timing.conf
│ ├── errors/
│ │ └── custom_errors.conf
│ ├── location/
│ │ ├── security_file_access.conf
│ │ ├── web_performance_filename-based_cache_busting.conf
│ │ └── web_performance_svgz-compression.conf
│ ├── media_types/
│ │ ├── character_encodings.conf
│ │ └── media_types.conf
│ ├── security/
│ │ ├── content-security-policy.conf
│ │ ├── cross-origin-policy.conf
│ │ ├── permissions-policy.conf
│ │ ├── referrer-policy.conf
│ │ ├── server_software_information.conf
│ │ ├── strict-transport-security.conf
│ │ ├── x-content-type-options.conf
│ │ └── x-frame-options.conf
│ ├── tls/
│ │ ├── certificate_files.conf
│ │ ├── ocsp_stapling.conf
│ │ ├── policy_balanced.conf
│ │ ├── policy_strict.conf
│ │ └── ssl_engine.conf
│ └── web_performance/
│ ├── cache-control.conf
│ ├── cache-file-descriptors.conf
│ ├── cache_expiration.conf
│ ├── compression.conf
│ ├── content_transformation.conf
│ ├── pre-compressed_content_brotli.conf
│ └── pre-compressed_content_gzip.conf
├── mime.types
└── nginx.conf
================================================
FILE CONTENTS
================================================
================================================
FILE: .editorconfig
================================================
# For more information about the properties used in
# this file, please see the EditorConfig documentation:
# https://editorconfig.org/
root = true
[*]
charset = utf-8
end_of_line = lf
indent_size = 2
indent_style = space
insert_final_newline = true
trim_trailing_whitespace = true
[*.md]
# Markdown uses the trailing whitespaces
# https://daringfireball.net/projects/markdown/syntax#block
trim_trailing_whitespace = false
================================================
FILE: .gitattributes
================================================
# Automatically normalize line endings for all text-based files
# https://git-scm.com/docs/gitattributes#_end_of_line_conversion
* text=auto
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Make GitHub's language statistics treat the `*.conf` files as
# Nginx configuration files
#
# https://github.com/github/linguist/blob/master/README.md
*.conf linguist-language=Nginx
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
/.git* export-ignore
/test export-ignore
================================================
FILE: .github/CODEOWNERS
================================================
# https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
* @h5bp/server-configs-nginx
================================================
FILE: .github/CODE_OF_CONDUCT.md
================================================
Please read [Code of Conduct for H5BP](https://github.com/h5bp/html5-boilerplate/blob/master/.github/CODE_OF_CONDUCT.md)
================================================
FILE: .github/CONTRIBUTING.md
================================================
# Contributing to Nginx Server Configs
♥ [Nginx Server Configs](https://github.com/h5bp/server-configs-nginx) and
want to get involved? Thanks! We're actively looking for folks interested in
helping out and there are plenty of ways you can help!
Please take a moment to review this document in order to make the contribution
process easy and effective for everyone involved.
Following these guidelines helps to communicate that you respect the time of
the developers managing and developing this open-source project. In return,
they should reciprocate that respect in addressing your issue or assessing
patches and features.
## Using the issue tracker
The [issue tracker](https://github.com/h5bp/server-configs-nginx/issues) is
the preferred channel for [bug reports](#bugs), [features requests](#features)
and [submitting pull requests](#pull-requests), but please respect the following
restrictions:
* Please **do not** use the issue tracker for personal support requests (use
[Stack Overflow](https://stackoverflow.com) or IRC).
* Please **do not** derail or troll issues. Keep the discussion on topic and
respect the opinions of others.
## Bug reports
A bug is a _demonstrable problem_ that is caused by the code in the repository.
Good bug reports are extremely helpful - thank you!
Guidelines for bug reports:
1. **Use the GitHub issue search** — check if the issue has already been
reported.
2. **Check if the issue has been fixed** — try to reproduce it using the
latest `main` or development branch in the repository.
3. **Isolate the problem** — ideally, create a [reduced test
case](https://css-tricks.com/reduced-test-cases/) and a live example.
A good bug report shouldn't leave others needing to chase you up for more
information. Please try to be as detailed as possible in your report. What is
your environment? What steps will reproduce the issue? What version of Nginx
experiences the problem? What would you expect to be the outcome? All these
details will help people to fix any potential bugs.
Example:
> Short and descriptive example bug report title
>
> A summary of the issue and server version / OS / browser environment in which
> it occurs. If suitable, include the steps required to reproduce the bug.
>
> 1. This is the first step
> 2. This is the second step
> 3. Further steps, etc.
>
> `` - a link to the reduced test case
>
> Any other information you want to share that is relevant to the issue being
> reported. This might include the lines of code that you have identified as
> causing the bug, and potential solutions (and your opinions on their merits).
## Feature requests
Feature requests are welcome. But take a moment to find out whether your idea
fits with the scope and aims of the project. It's up to *you* to make a strong
case to convince the project's developers of the merits of this feature. Please
provide as much detail and context as possible.
## Pull requests
Good pull requests - patches, improvements, new features - are a fantastic
help. They should remain focused in scope and avoid containing unrelated
commits.
**Please ask first** before embarking on any significant pull request (e.g.
implementing features, refactoring code), otherwise you risk spending a lot of
time working on something that the project's developers might not want to merge
into the project.
Please adhere to the coding conventions used throughout a project (indentation,
accurate comments, etc.) and any other requirements (such as test coverage).
Adhering to the following process is the best way to get your work
included in the project:
1. [Fork](https://help.github.com/en/github/getting-started-with-github/fork-a-repo) the project, clone your
fork, and configure the remotes:
```bash
# Clone your fork of the repo into the current directory
git clone https://github.com//server-configs-nginx.git
# Navigate to the newly cloned directory
cd server-configs-nginx
# Assign the original repo to a remote called "upstream"
git remote add upstream https://github.com/h5bp/server-configs-nginx
```
2. If you cloned a while ago, get the latest changes from upstream:
```bash
git checkout main
git pull upstream main
```
3. Create a new topic branch (off the main project development branch) to
contain your feature, change, or fix:
```bash
git checkout -b
```
4. Commit your changes in logical chunks. Please adhere to these [git commit
message guidelines](https://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html)
or your code is unlikely to be merged into the main project. Use Git's
[interactive rebase](https://help.github.com/en/github/using-git/about-git-rebase)
feature to tidy up your commits before making them public.
5. Locally merge (or rebase) the upstream development branch into your topic branch:
```bash
git pull [--rebase] upstream main
```
6. Push your topic branch up to your fork:
```bash
git push origin
```
7. [Open a Pull Request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/about-pull-requests)
with a clear title and description.
**IMPORTANT**: By submitting a patch, you agree to allow the project
owners to license your work under the terms of the [MIT License](../LICENSE.txt).
================================================
FILE: .github/FUNDING.yml
================================================
# These are supported funding model platforms
github: [LeoColomb]
patreon: # Replace with a single Patreon username
open_collective: #
ko_fi: # Replace with a single Ko-fi username
tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
custom: # Replace with a single custom sponsorship URL
================================================
FILE: .github/dependabot.yml
================================================
version: 2
updates:
- package-ecosystem: github-actions
directory: "/"
schedule:
interval: daily
================================================
FILE: .github/workflows/auto-merge.yml
================================================
# https://docs.github.com/actions
name: Auto-merge
on: pull_request_target
permissions:
pull-requests: write
contents: write
jobs:
dependabot:
name: Dependabot
runs-on: ubuntu-latest
if: ${{ github.actor == 'dependabot[bot]' }}
steps:
- name: Dependabot metadata
id: dependabot-metadata
uses: dependabot/fetch-metadata@v2.5.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Approve a PR
if: steps.dependabot-metadata.outputs.update-type != 'version-update:semver-major'
run: gh pr review --approve "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Enable auto-merge for Dependabot PRs
run: gh pr merge --auto --rebase "$PR_URL"
env:
PR_URL: ${{ github.event.pull_request.html_url }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
================================================
FILE: .github/workflows/lint.yml
================================================
# https://docs.github.com/actions
name: Lint
on: [push, pull_request]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Lint configuration using Gixy
uses: docker://yandex/gixy:latest
with:
args: /github/workspace/nginx.conf
================================================
FILE: .github/workflows/server.yml
================================================
# https://docs.github.com/actions
name: Server CI
on: [push, pull_request]
jobs:
check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Check configuration
uses: docker://nginx:latest
with:
entrypoint: nginx
args: -c /github/workspace/nginx.conf -t
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Install k6
uses: grafana/setup-k6-action@v1
- name: Test with server-configs-test
uses: h5bp/server-configs-test@8.2.3
with:
command: test
server: nginx
root-path: /var/www/server.localhost
certs-path: /etc/nginx/certs
configs-volumes: test/vhosts:/etc/nginx/conf.d;h5bp:/etc/nginx/h5bp;nginx.conf:/etc/nginx/nginx.conf;mime.types:/etc/nginx/mime.types
tests: basic-file-access;caching;cache-busting;custom-errors;forbidden-files;precompressed-files-gzip;rewrites;ssl
- name: Benchmark
uses: h5bp/server-configs-test@8.2.3
with:
command: benchmark
server: nginx
root-path: /var/www/server.localhost
certs-path: /etc/nginx/certs
configs-volumes: test/vhosts:/etc/nginx/conf.d;h5bp:/etc/nginx/h5bp;nginx.conf:/etc/nginx/nginx.conf;mime.types:/etc/nginx/mime.types
================================================
FILE: .gitignore
================================================
logs/
conf.d/*.conf
!conf.d/.default.conf
!conf.d/no-ssl.default.conf
test/*
!test/vhosts/
================================================
FILE: CHANGELOG.md
================================================
### 5.0.1 (July 23, 2023)
* Set `ssl_prefer_server_ciphers` to `off`
[https://github.com/h5bp/server-configs-nginx/pull/328]
* Add `browsing-topics` to `Permissions-Policy` header
[https://github.com/h5bp/server-configs-nginx/pull/323]
* Improve README docs
[https://github.com/h5bp/server-configs-nginx/pull/333]
* Improve inline comments
### 5.0.0 (December 05, 2022)
* 🎉 Significant improvement on `Cache-Control` definition and usage
* `Cache-Control` boilerplate with extensive control
[https://github.com/h5bp/server-configs-nginx/pull/319]
* Switch to a proper `no-cache` directive on cache expiration config
[https://github.com/h5bp/server-configs-nginx/pull/314]
* Reorder and improve cache expiration `expires` map
[https://github.com/h5bp/server-configs-nginx/pull/324]
* Drop `image/avif-sequence` MIME-type
[[4bc5275](https://github.com/h5bp/server-configs-nginx/commit/4bc5275d5a3fdb34e6298240db7215c3270a916e)]
* Improve inline comments.
### 4.2.0 (February 24, 2022)
* Extend media, font and default cache TTL to 1 year
[[4a22965](https://github.com/h5bp/server-configs-nginx/commit/4a229657fdad9c039529314aed0fc0ae17480829)]
[[3869706](https://github.com/h5bp/server-configs-nginx/commit/3869706922bf4897d20c5cc35817a1a4107d7623)]
* Add compression support for `.ico` files
[[537a022](https://github.com/h5bp/server-configs-nginx/commit/537a0229a1bfa89ebc983aa0d78b62cb6998a997)]
* Dropped legacy and non web related file types
[[a961768](https://github.com/h5bp/server-configs-nginx/commit/a9617688fc921e728d5dcd044db9327aa50ede79)]
[[175cc52](https://github.com/h5bp/server-configs-nginx/commit/175cc52e3fbd75628021df55f61f25cadca8e45c)]
### 4.1.0 (October 28, 2021)
* Add support for custom values import
[[fbdaa3f](https://github.com/h5bp/server-configs-nginx/commit/fbdaa3f867f3c8e1926df6bfe5943bfe57926ef5)]
### 4.0.0 (July 31, 2021)
* ⚠️ **Breaking**: End of support for Internet Explorer (`X-UA-Compatible` and `X-XSS-Protection` headers)
[[4556277](https://github.com/h5bp/server-configs-nginx/commit/4556277ced27fdb96874bf14d3ffe59925c7fc41)]
[[836467c](https://github.com/h5bp/server-configs-nginx/commit/836467c8b57ab6788745c441fb31046ca11384e3)]
* 🎉 Security first! Modernize TLS configuration
[[688348a](https://github.com/h5bp/server-configs-nginx/commit/688348a5fd991fcbe1a535e51056c420a81c9ae7)]
* 🎉 Security first! Refresh policies-related headers usage
* Add Cross Origin Policies headers (COOP/COEP/CORP)
[[25a569d](https://github.com/h5bp/server-configs-nginx/commit/25a569d97d9634497498a4a387f1784269d998bb)]
* Add `Permissions-Policy` header
[[36310b9](https://github.com/h5bp/server-configs-nginx/commit/36310b927b167ef8561dc6407ab9707038b804c7)]
* Make `Content-Security-Policy` disallow 'object-src' by default
[[8600df1](https://github.com/h5bp/server-configs-nginx/commit/8600df101823e9fe71e4b13a4dfa4009726929b4)]
* Add mime-type `image/jxl`
[[b9ef881](https://github.com/h5bp/server-configs-nginx/commit/b9ef881d62311ff7b2555472135529d07483bab6)]
* Improve inline comments.
### 3.3.0 (January 6, 2021)
* Add mime-type `image/avif` and `image/avifs`
[[a9aea70](https://github.com/h5bp/server-configs-nginx/commit/a9aea7038cc3c672eea0794e8af1640fd01ebc99)]
* Add mime-type `image/apng`
[[ba4967f](https://github.com/h5bp/server-configs-nginx/commit/ba4967f99ea655cdf150b56b06ed390a79b555fc)]
* Improve inline comments.
### 3.2.0 (April 14, 2020)
* Stricter default for Referrer Policy `strict-origin-when-cross-origin`
[[e0724b8](https://github.com/h5bp/server-configs-nginx/commit/e0724b814952f6aee3c09dd578480c9c143955ae)]
* Revert: drop `Cache-Control: no-transform` usage
[[bc39e4c](https://github.com/h5bp/server-configs-nginx/commit/bc39e4c07d23edfc0acd3c11de88e95af5880eee)]
* Rewrite, improve and update a large part of the documentation
[[0af3052](https://github.com/h5bp/server-configs-nginx/commit/0af305283f99abfc85e4395201ffadc7de975d4b)]
[[177a5e9](https://github.com/h5bp/server-configs-nginx/commit/177a5e94a60d9c27a8831a1d63211ffe6f6a83a3)]
[[5ca3aed](https://github.com/h5bp/server-configs-nginx/commit/5ca3aed56c83a0f80c88cc85b66abf9b118557ee)]
[[bb2a30c](https://github.com/h5bp/server-configs-nginx/commit/bb2a30caccd240bab3baa511c25152117961bd09)]
[[5ca3aed](https://github.com/h5bp/server-configs-nginx/commit/5ca3aed56c83a0f80c88cc85b66abf9b118557ee)]
* Ensure the presence of security headings where expected
[[4168940](https://github.com/h5bp/server-configs-nginx/commit/41689406c87990eb8c6200a62b1baa7c1705dd31)]
[[3615dfa](https://github.com/h5bp/server-configs-nginx/commit/3615dfa351c54e724f17737643e6ecbe7836d06c)]
[[98de990](https://github.com/h5bp/server-configs-nginx/commit/98de990c1c572354fc2d3f8c7f30940e3af9cdf0)]
* Remove non-ASCII character from config files
[[d2f5972](https://github.com/h5bp/server-configs-nginx/commit/d2f597235a1d384cf1d69cb51a74c22755c0c11c)]
* Improve inline comments.
### 3.1.0 (May 19, 2019)
* Drop `Cache-Control: no-transform` usage
[[282d979](https://github.com/h5bp/server-configs-nginx/commit/282d979af40f34dccb852df9dcbecd42b899ef18)]
* Disable cache expiration for empty content-type resources
[[c73d1ef](https://github.com/h5bp/server-configs-nginx/commit/c73d1efb60e834c57c6343745415c4b58418c934)]
* Remove Content-Security-Policy from `basic.conf` includes
[[29ff09a](https://github.com/h5bp/server-configs-nginx/commit/29ff09ac950d40dd525e1b438ab2ecaf0a4be96f)]
* Improve default Content-Security-Policy values
[[276af8d](https://github.com/h5bp/server-configs-nginx/commit/276af8da7bdf7c7d3708bbe5190092194b307789)]
* Add more common DNS resolver addresses to default `resolver`
[[28874c3](https://github.com/h5bp/server-configs-nginx/commit/28874c33f0e778fc7687f5b3926590ce09e06c98)]
* Pre-compressed content usage config files
[[8db768b](https://github.com/h5bp/server-configs-nginx/commit/8db768bd61094ad814bb56b8a2a560ccc416aef0)]
* Improve inline comments.
### 3.0.1 (March 09, 2019)
* Use regexp in MIME-types based maps
[[d65cd97](https://github.com/h5bp/server-configs-nginx/commit/d65cd977618ede702f15e084cb0f4a152e204935)]
[[db1601f](https://github.com/h5bp/server-configs-nginx/commit/db1601f6064fd7d3d822618cf2e069a6b0cb8e9f)]
* Fix SVGZ compression handling
[[cec616a](https://github.com/h5bp/server-configs-nginx/commit/cec616a103345ccef418a16549adee60f650cf52)]
* Add Referrer-Policy for html document by default
[[f600128](https://github.com/h5bp/server-configs-nginx/commit/f600128203e6319d6f3ce02e2538bf65b0ed01ea)]
### 3.0.0 (February 12, 2019)
* ⚠️ **Breaking**: Drop support for Nginx version < 1.8.0
[[1f5d635](https://github.com/h5bp/server-configs-nginx/commit/1f5d6359be53e90b634ea0451b121cfbeffa4b63)]
* ⚠️ **Breaking**: Switch from `sites-enabled`/`available` to `conf.d`
[[306af36](https://github.com/h5bp/server-configs-nginx/commit/306af367e97a5f177b8bc479cef416fef2508732)]
* ⚠️ **Breaking**: Refactor `h5bp/` directives to strict atomic structure
[[496af1c](https://github.com/h5bp/server-configs-nginx/commit/496af1cfd535d472d8bbd2db0a322f988803741b)]
[[2d13505](https://github.com/h5bp/server-configs-nginx/commit/2d135053cbd96e1e74884e4395c3163b8a39602f)]
* ⚠️ **Breaking**: Refactor and modernize TLS/SSL directives
[[1b2b4eb...d2531ac](https://github.com/h5bp/server-configs-nginx/compare/1b2b4eb...d2531ac)]
* ⚠️ **Breaking**: Move common header directives from location directives to mapped values based on MIME-types
[[6dd4cc2](https://github.com/h5bp/server-configs-nginx/commit/6dd4cc27edafc26e73d8998ab146235774d4abdc)]
* 🎉 Tests! Add tests and configure continuous integration to help community contributions
[[52e1353](https://github.com/h5bp/server-configs-nginx/commit/52e13535b46ca862d1a51d083d7696eb964fe82b)]
* Replace location block `add_header` directives with `expires` directives
[[135d093](https://github.com/h5bp/server-configs-nginx/commit/135d093a7505a72810156760b23b1f03e18c8b0a)]
* Support hashed asset names
[[1b2b4eb](https://github.com/h5bp/server-configs-nginx/commit/1b2b4eb2766e3be99f30c65c86c265fc07edcdad)]
* Update many values in MIME-types table
[[62dbd41](https://github.com/h5bp/server-configs-nginx/commit/62dbd41aeefb063be761741098a2584f1019f586)]
[[08272b6](https://github.com/h5bp/server-configs-nginx/commit/08272b63c2c9d0f875480a62caa615fe20387ad7)]
[[9c6aad8](https://github.com/h5bp/server-configs-nginx/commit/9c6aad83a509cb9dc72cacf17a54281326dd9ca9)]
[[b244111](https://github.com/h5bp/server-configs-nginx/commit/b244111468ce69218acad08ccc4b79c43f88c8c9)]
[[94262e7](https://github.com/h5bp/server-configs-nginx/commit/94262e76103a2f69d3f66b4e92c0c0ebb3cd486b)]
[[b244111](https://github.com/h5bp/server-configs-nginx/commit/b244111468ce69218acad08ccc4b79c43f88c8c9)]
[[fe7ff95](https://github.com/h5bp/server-configs-nginx/commit/fe7ff95a7fc96315a9022f4d02c11e6264b1bb1c)]
* Remove outdated `inline` script
[[8a4a1ce](https://github.com/h5bp/server-configs-nginx/commit/8a4a1ce706eb90d820f6a2ccaa23f5f55e6c056e)]
* Improve inline comments and review documentation.
### 2.0.0 (2017-05-06)
- V2.0.0. [AD7six]
- Add defaults to all directives in nginx.conf. [Andy Dawson]
The reason most of these are changed is already covered by the existing
doc block
closes #127
- Updated gzip_types and charset_types. [Tobias Reich]
… both are now using the same coding convention. Each type in its own row and `text/html` comment at the top (where all comments are placed).
- Added mime types for JPEG-XR, markdown, and CSV. [JoeArizona]
JPEG-XR: http://www.iana.org/assignments/provisional-standard-media-types/provisional-standard-media-types.xhtml
Markdown: https://tools.ietf.org/html/rfc7763
CSV: https://tools.ietf.org/html/rfc7111
- Removed SPDY support as we're using HTTP/2 now. Ref: df102c6.
[Pentago]
- Don't need that expires. [Andy Dawson]
- Remove cache-control public and better handle svgz files. [Matthew
Miller]
Fixes: #86
Fixes: #134
- Don't use expire headers in doc examples. [Andy Dawson]
- Use Cache-Control max-age instead of Expires headers. [Alan Orth]
Cache-Control max-age was introduced in HTTP/1.1 over ten years ago
and is preferred to Expires. This replaces all expiry dates with an
equivalent max-age in seconds.
See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
See: https://www.mnot.net/blog/2007/05/15/expires_max-age
- Remove references to Cache-Control public. [Alan Orth]
A previous commit removed some, but missed these. Where a location
directive was using Expires to set a future expiry in conjunction
with Cache-Control public, I have replaced the time with an equal
max-age.
Furthermore, Google's web performance guide says that "public" is
implicit if there is a max-age specified.
See: https://developers.google.com/web/fundamentals/performance/optimizing-content-efficiency/http-caching
- Enable IPv6 for no-default. [Johannes Müller]
- Remove Unnecessary Trailing Semicolon. [0ri0n]
No need to add a semicolon for the last directive. In addition, having that unnecessary semicolon causes the HSTS tool (https://hstspreload.org/) for getting on the preload list to fail with an error about the semicolon.
- Update ssl_ciphers To Latest Mozilla Intermediate. [0ri0n]
Updates to latest ciphers list for Mozilla Intermediate, which also adds support for ChaCha20 and Poly1305.
- Always add security-relevant headers to the response, regardless of
the response code (implements #147) [Leon Klingele]
From nginx' add_header documentation:
```
add_header Adds the specified field to a response header provided that
the response code equals 200, 201, 204, 206, 301, 302, 303, 304, or 307.
```
At least for all security-relevant headers this should not be the case
and the header should always be added.
- Gitignore already tracked. [Edgar Ribeiro]
- Ignore files in sites-enabled. [Edgar Ribeiro]
- Fix missing ; [Edgar Ribeiro]
- Fixed #143 issue: Fix typo. [Bo-Yi Wu]
- Whitespace. [Andy Dawson]
- Add a failing example. [Andy Dawson]
- Show a successful example. [Andy Dawson]
- Now irrelevant. [Andy Dawson]
- Remove access log for probably-not-static files. [Andy Dawson]
closes #131
- Remove cache-control public. [Andy Dawson]
Closes #134
- Preload added to ssl.conf. [root]
- Add an ssl no-default example. [Andy Dawson]
I.e. an example of this:
-> curl -kI -H "Host: valid.com" https://localhost
HTTP/1.1 200 OK
...
-> curl -kI -H "Host: invalid.com" https://localhost
curl: (52) Empty reply from server
Whether this works or not depends on SNI.
- Updated ssl.exemple.com to use http2 instead of spdy. [Buzut]
http2 is available in nginx since nginx 1.9.5. Therefor it's better to use the standard.
- Documentation inconsistent with file structure. [Edward Granger]
- Fix capitalization of includeSubDomains. [Chris Chapman]
- Correct syntax for keepalive_timeout. [Alan Orth]
It doesn't seem to be a fatal error, but the keepalive_timeout
value actually requires "s" (for seconds). Another occurrence of
this was fixed in 35434b3361b04beb028f602c78a9331ef4967a0d but
these slipped through.
See: http://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
Signed-off-by: Alan Orth
- Fix typo. [Craig Davison]
- Improve comments in nginx.conf. [Craig Davison]
- Single capitalization fix. [Corban Mailloux]
- Change default value in comment. [Craig Davison]
- Specify that keepalive_timeout is in seconds. [Craig Davison]
- Fix format. [Bo-Yi Wu]
Signed-off-by: Bo-Yi Wu
- Update nginx.conf. [beilharz]
Typo: sites-available should be sites-enabled
- Add white space for comment. [Bo-Yi Wu]
- Miiiiiiiiiiiiiinor typo fix. [Francisc Romano]
- Updated locations to match h5bp's Apache config. [Kimmo Salmela]
See https://github.com/h5bp/server-configs-apache/issues/31 for `well-known` change.
- Update media types in `nginx.conf` [Philipp Becker]
- Minor extension of the alphabetical sorting of media types. [Philipp
Becker]
- Added FreeBSD w/ ZFS performance instructions. [Goran]
On FreeBSD systems with ZFS, sendfile() is useless as ZFS's caching subsystem (adaptive replacement cache a.k.a ARC) already caches most frequently used files in RAM. Disabling sendfile() avoids redundant data caching.
References:
https://calomel.org/nginx.html
http://blog.vx.sk/uploads/conferences/EuroBSDcon2012/zfs-tuning-handout.pdf
- Update to mozilla's wiki's current intermediate set. [AD7six]
- Fix #113. [St. Isidore de Seville]
- Add an inline documentation link to the sites-enabled documentation
page. [Eric Andrew Lewis]
- Explain why everything in the sites-enabled folder is included. [Eric
Lewis]
- Fix misspelling. [Jeff Widman]
- Fix mispelling. [Jeff Widman]
- Fix typo. [Jeff Widman]
- Don't use invalid examples. [Andy Dawson]
A wildcard subdomain isn't valid syntax for a ACAO header
- Added 'dataready' accept_filter for SSL servers on FreeBSD hosts as
per 'accept_filter=filter' section of
http://nginx.org/en/docs/http/ngx_http_core_module.html#listen.
[Pentago]
More on FreeBSD's accept filters:
http://www.freebsd.org/cgi/man.cgi?accf_http
http://www.freebsd.org/cgi/man.cgi?accf_data
Also added 'defered' (TCP_DEFER_ACCEPT) socket option to SSL server on Linux hosts and organized/commented both platform directives above the default value.
Related to https://github.com/h5bp/server-configs-nginx/blob/master/sites-available/example.com#L19
- Fix typo in `inline.sh` [Luke Brookhart]
`h5bp/basics.conf` => `h5bp/basic.conf`
Close #97
- Update `CHANGELOG.md` [Cătălin Mariș]
- Map `.manifest` → `text/cache-manifest` media type. [Cătălin Mariș]
The specification for the manifest file for web applications was
recently updated¹ and it changed one of the recommended file extensions
from `.manifest` to the unique `.webmanifest`².
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
¹ https://github.com/w3c/manifest/commit/0eecadd09074746a657d806131a39e2f7bdc962f
² https://github.com/w3c/manifest/issues/346
- Remove vcf → text/x-vcard mapping from mime.types. [Cătălin Mariș]
Ref: http://www.iana.org/assignments/media-types/text/vcard
Fix h5bp/server-configs-nginx#92
- README.md: Make minor improvements. [Cătălin Mariș]
- Update `CHANGELOG.md` [Cătălin Mariș]
- Update the list of resources to be compressed. [Cătălin Mariș]
Ref: https://github.com/h5bp/server-configs-apache/blob/a0c4e1719075bf1d97d92a3b0ad225c7bff5dfab/src/web_performance/compression.conf
- Update `mime.types` [Cătălin Mariș]
* Reorganized media types and order them alphabetically
* Include some new media types in order to align with what is provided
by the Apache configurations.
https://github.com/h5bp/server-configs-apache/blob/c805353c4142c792267945687309259fc15b2106/src/media_types/media_types.conf
- Update `CHANGELOG.md` [Cătălin Mariș]
- Remove the .manifest → text/cache-manifest mapping. [Cătălin Mariș]
Four years ago the recommended file extension for AppCache manifest
files was changed¹ from `.manifest` to `.appcache`. So, even adding
into consideration the transitional period, it no longer makes sense
to keep the configurations that ensure that `.manifest` files are
served with the AppCache required `text/cache-manifest` media type.
Also, recently, `.manifest` became one of the recommended file
extensions for web application manifest² files.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
¹ https://html5.org/r/5812
² http://w3c.github.io/manifest/
- Rename `LICENSE.md` to `LICENSE.txt` [Cătălin Mariș]
Change made so that the process of opening the `LICENSE` file is
easier for non-technical people.
- Change media types for `.atom` and `.rss` files. [Sylvain Emery]
Modify the configurations so that:
* `.atom` files are served with the `application/atom+xml`¹ media type
* `.rss` files are served with the `application/rss+xml`² media type
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
¹ https://www.iana.org/assignments/media-types/application/atom+xml
² http://tools.ietf.org/id/draft-nottingham-rss-media-type-00.txt
Ref: https://github.com/h5bp/server-configs-apache/pull/50#issuecomment-76552855
https://github.com/h5bp/server-configs-apache/commit/653c461c35a982e757fa94ddd73088f2581a88f9
Close h5bp/server-configs-nginx#90
- Dropping the eggs. [Pedro de Carvalho]
removed the blah blah and link to documentation.
- Calling reload nginx by the system scripts. [Pedro de Carvalho]
- Update getting-started.md. [Pedro de Carvalho]
- Added the -s flag to the reload command. [Pedro de Carvalho]
The nginx documentation advises on using the -s signal to reload configuration.
- Spacing words. [Pedro de Carvalho]
- Add MIME-Types for .xsl files. [Steffen Weber]
The correct MIME-Type for XSL files is "application/xslt+xml" according to http://www.w3.org/TR/2007/REC-xslt20-20070123/#media-type-registration.
- Add the Mozilla SSL config generator to related projects. [Roland
Warmerdam]
- Fix minor typos and the capitalization of acronyms. [Drew Hammond]
Close h5bp/server-configs-nginx#83
- Fix typo in `expires.conf` [Joey Geiger]
Close h5bp/server-configs-nginx#82.
- Remove include directive in ssl.example.com. [Philipp Becker]
To include the SSL related directives in the port 80 server block seems to be redundant.
Because we are redirecting explicit all incoming traffic via port 80 to the HTTPS host on
port 443 where only the *secure-connection-magic* is happen.
Maybe I am missing something, but I tested the configuration
under the following system and encountered no negative side effects:
**Server**
* Ubuntu 14.04 LTS
* Nginx 1.7.7 mainline
**Client**
* OS X 10.9.5
* Browser: FF 33, Chrome 38, Safari 7
- Update extra-security.conf. [Chris McKee]
- Extra security headers without a home. [Chris McKee]
- Change note / add missing header. [Chris McKee]
- Avoid long lines. [Andy Dawson]
- Add secondary google dns ip and 2 failover DYN DNS public dns ips, and
timeouts. [Chris McKee]
- Update Cipher list to latest add version of STS. [Chris McKee]
Updated latest "intermediate" ciphers from mozilla
Add another version of the STS header including subdomains and comments
Add note at base to consider ssl-stapling
- Move SVG media type into the "Images" group. [Steffen Weber]
SVG is primarily an image format. Its usage as a font format is a
legacy issue for supporting iOS 3 and iOS 4. In Chrome 38, support
for SVG fonts has been removed (http://caniuse.com/#feat=svg-fonts).
They have never been supported in Firefox or IE.
Close h5bp/server-configs-nginx#74
- MIME-Types: support for .opus files. [Steffen Weber]
http://en.wikipedia.org/wiki/Opus_(audio_format)
- Bump the minimum version requirement to 1.6.0. [AD7six]
using the version shipped with debian stable (which is where 1.2.1 came
from) holds back this repository too much.
- Correct bad link. [Andy Dawson]
### 1.0.0 (2014-10-24)
- V1.0.0. [AD7six]
- Add a header doc block. [AD7six]
- Add some structure to this bash script. [AD7six]
Add help usage and examples. Some structural hints taken from
http://linuxcommand.org/html_text/new_script.README.html
- Add very simple debugging script. [AD7six]
this script converts include statements to dump the included file's
contents inline.
- Add a brief description of h5bp's contents. [AD7six]
- Add doc files for sites-enabled|available. [AD7six]
- Add info on ngx_pagespeed & content transformation. [Cătălin Mariș]
Provide information about `ngx_pagespeed` not rewriting any / some
of the resources if the `Cache-Control: no-transform` response header
is set.
Ref: https://developers.google.com/speed/pagespeed/module/configuration#notransform
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Thanks to @Nikita-S-Doroshenko for pointing this out!
Ref: h5bp/server-configs-apache#46
- Whitespace matters. [AD7six]
- Add hotlink protection example. [AD7six]
closes #7
- Better wording. [AD7six]
- Correct typo. [AD7six]
- Mention try_files in server context gotcha. [AD7six]
- Dynamically handling request which match a location block. [AD7six]
- Add a document explaining request handling. [AD7six]
it's not exactly the same as one might expect
- Add a document (stub) for common problems. [AD7six]
fixes #29
- Add nginx-conf-md to the toc. [AD7six]
- Add a description of nginx.conf. [AD7six]
it's not intended to be complete, merely guide users unfamiliar with
nginx.
fixes #39
- Remove quotes from SSL cipher list. [Mike Almond]
- Add note about POODLE attack against SSLv3. [Mike Almond]
- Update SSL ciphers to the updated defaults by Mozilla. [Mike Almond]
- HSTS off by default. [Daniel Marquard]
Consensus to disable HSTS by default.
- Removed "includeSubDomains" [Daniel Marquard]
As a best practice, Nginx should only direct clients to use the certificate on specified domains. This is because not all servers using other subdomains necessarily listen on 443 and because, unless it is a wildcard certificate, it likely won't be valid on subdomains other than WWW.
- IPv6 only is the default. [Jack Wearden]
- IPv6 only is the default. [Jack Wearden]
- IPv6 support. [Jack Wearden]
- IPv6 support. [Jack Wearden]
- Use a more conventional location for sites. [AD7six]
it's more common (at least IME) to use /var/www/example.com rather than
creating a new root folder `sites` to put apps in.
- Fix typo in `getting-started.md` [Philipp Becker]
User and group name should be separated by a space character.
Otherwise, only one value `www-data-www-data` is passed:
"If group is omitted, a group whose name equals that of user is used."
- Add configs for WOFF 2.0 font files (`.woff2`) [Przemek Matylla]
Ref: http://www.w3.org/TR/WOFF2/
h5bp/server-configs-apache#32
Close: h5bp/server-configs-nginx#54
- Remove Chrome Frame related comment. [Matthew Haughton]
Fix h5bp/server-configs-nginx#30
Close h5bp/server-configs-nginx#62
- Use relative path for mime.types. [Vladimir Sazhin]
- Remove gzip_http_version parameter. [Drew Hammond]
The gzip_http_version override is no longer needed because CloudFront
now forwards requests using HTTP/1.1. We can remove this line entirely
and let nginx use its default value of 1.1.
- Fix 'directive' typo. [Joshua Gigg]
Spotted by @honi in #51
- Add missing semicolons in `ssl.example.com` [Cătălin Mariș]
Close h5bp/server-configs-nginx#52.
- Use a much longer ssl_session_timeout. [AD7six]
To match the settings from istlsfastyet.com
Add a mention of ssl_buffer_size even though it can 't be enabled yet
- Add ssl example site. [AD7six]
ensure to avoid any use of if as that's "extremely inefficient" and
eliminate redirects where possible
- Don't include ssl config by default. [AD7six]
If the server has no ssl config - there's no need to load a config file
full of ssl config
- Disable ssl_session_tickets. [AD7six]
it's only recently added so is a config error otherwise
- Add stubs for ssl-stapling and spdy. [AD7six]
- Default to use HTTP strict transport security. [AD7six]
- Add increased ssl timeout. [AD7six]
- Turn off ssl session tickets. [AD7six]
Stolen from istlsfastyet.com's config
It is probably a more logical default to turn off session tickets
given the diff linked in the comment block.
- Remove SSLv3 from the ssl protocol list. [AD7six]
As suggested in #44, and since h5bp doesn't support IE6 it seems to be
appropriate to remove a protocol which is in the list only to permit use
with IE6.
- Move ssl config to a separate file. [AD7six]
- Remove tcp_nodelay. [AD7six]
The Nagle buffering algorithm is apparently that the best thing
to enable by default.
closes #28
- Fix typo, Update/Add Nginx Command to test a particular config file,
Update Restart Command & Comments. [Syed I.R]
- Format README, Add Verify Config & Restart Nginx Command. [Syed I.R]
- Fix typo. [Marvin Roger]
Close h5bp/server-configs-nginx#48.
- Make minor format related improvement in README.md. [Syed I.R]
- Apply cross-domain changes proposed in #23. [AD7six]
closes #23
- Added missing semicolon, removed text/html charset. [Odontopera
Mediochrea]
I believe the error was because text/html is implied by default.
- Fix charset_types as mime.types is updated. [Tsz Ming WONG]
- Correct link to documentation. [Andy Dawson]
- Update README.md. [Markus Amalthea Magnuson]
- Fix broken documentation link. [Markus Amalthea Magnuson]
The documentation link in the README is broken. It can be fixed either by changing "blob" to "tree", or by linking to the table of contents. This fix opts for the latter.
- Ssl_ciphers update. [Chris McKee]
Updated ciphers to provide forwarding secrecy, a wider range of support and to match those provided by Mozilla security https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
- Fix spelling errors in nginx config docs. [Peter Kowalczyk]
- Remove Chrome Frame meta tag. Reference h5bp/server-configs-nginx#2.
[Bo-Yi Wu]
- Renamed h5bp.conf to basic.conf README. [Syed I.R]
Updated with correct filename.
- Update doc. [Domenico Leone Luciani]
Because nginx doesn't start without fix access_log path.
- Move config snippets around. [AD7six]
Make it more obvious which snippets are location based, and which
are just directives. Need to provide more files like basic.conf to
cover more of the common use cases.
- Create getting started doc. [AD7six]
- Adds no value, remove. [AD7six]
- Wrong dash. [AD7six]
- Get started on the documentation. [AD7six]
- Remove readme from doc folder. [AD7six]
a readme prevents navigating existing files via github
- Add a doc block to no-default. [AD7six]
and remove the default_server directive from example.com. Since this file
is likely to be the copy-and-paste file for multiple server configs,
don't mark example.com as the default.
- Add a config file for no default site. [AD7six]
fixes #10
- Rename conf folder to h5bp. [AD7six]
The name "conf" is potentially confusing as something which should be included
en masse rather than a folder of config snippets.
Closes #13
- Ensure compatibility with earlier/current versions of nginx. [AD7six]
auto was not introdued until 1.3.8 and 1.2.5.
Debian wheezy for example only comes with 1.2.1, only the next version
(in testing) will have a version of nginx which supports auto.
- Remove the sites-enabled readme. [AD7six]
this file is considered a site config file, preventing the use of the repo as is
- Typo foorbar -> foobar. [James Freeman]
- Grammar, doesn't modify code. [Corprew Reed]
- Remove `font.css` reference. [Matt Robenolt]
Close #6.
- Add configs for cursor images (`.cur`) [Oskar S. Jakieła]
Apply all the configs used for `.ico` files to `.cur` files as the two
image formats are almost identical.
The MIME type for the `.cur` file doesn't matter as browsers seem to
sniff the content. However, `image/x-icon` is specified because it's
the one usually used for `.ico` file and because it's shorter then the
other frequentlly used one (`image/vnd.microsoft.icon`), making the
header size smaller.
See also:
* http://en.wikipedia.org/wiki/ICO_%28file_format%29
* http://msdn.microsoft.com/en-us/library/windows/desktop/ms648007%28v=vs.85%29.aspx
Close: #5.
- Update CONTRIBUTING.md and LICENSE.md. [Cătălin Mariș]
Replace the Apache references with Nginx ones.
- Add MIME type for `.torrent` files. [Andrej Čremožnik]
Serve `.torrent` files with the `application/x-bittorrent` MIME type
instead of the default `application/octet-stream`. This helps improve
the user experience in some browsers (e.g.: in Firefox, the user is
offered the option to open the file with a torrent application, if
it has one installed).
Close h5bp/server-configs-nginx#4
- Don't map the .jsonp extension to the JS MIME type. [Cătălin Mariș]
Remove `.jsonp` as there isn't any convention around the JSONP MIME-type
or the `.jsonp` extension. Also, it seems that, `application/javascript`
is arguably the wrong type to use for JSONP.
Ref: broofa/node-mime#64
- Add `CHANGELOG.md` [Cătălin Mariș]
Use a `CHANGELOG.md` file to keep the project history available within
the repository, therefore, making it easier to track what has changed
since the last tagged release.
- Add `README.md` [Cătălin Mariș]
- Add MIT license. [Cătălin Mariș]
In order to remove any ambiguity, provide a proper, highly permissive
license, recognized by the Open Source Initiative (OSI).
- Add `CONTRIBUTING.md` [Cătălin Mariș]
Providing the `CONTRIBUTING.md` file allows us to take advantage
of GitHub's UI and prompt contributors to read the repository's
guidelines before creating an issue or opening a pull request:
https://github.com/blog/1184-contributing-guidelines.
The content in the `CONTRIBUTING.md` file is based on @necolas's
Issue Guidelines: https://github.com/necolas/issue-guidelines.
- Move nginx server configs to their own repository. [Cătălin Mariș]
- Move documentations into `doc` directories. [Cătălin Mariș]
- [nginx] Remove `text/html` from `gzip_types` [alrra]
Fix: h5bp/server-configs#144.
- Nginx.conf: repair broken log format (someone had swapped two
variables around, breaking the intended apache log format
compatibility) [Aitte]
Conflicts:
nginx/nginx.conf
- Update server configs. [alrra]
Update some of the server configurations to match
the ones used in the Apache hypertext access file.
- Expires.conf: add missing .htc file type. [Aitte]
- Protect-system-files.conf: clarify why people should be using it.
[Aitte]
- Cache-file-descriptors.conf: new feature which greatly speeds up
performance on very busy production sites. [Aitte]
- Nginx.conf: Add support for default SSL certificate served to clients
with old browsers. [Aitte]
- Nginx.conf: Massively speed up SSL connections by caching the sessions
for 10 minutes rather than constantly re-negotiating. [Aitte]
- Nginx.conf: protect server against the BEAST SSL attack (ref:
http://nginx.org/en/docs/http/configuring_https_servers.html) [Aitte]
- Replacing everything with more descriptive comments. [Aitte]
for people that don't know what the options do
- Nginx.conf: Make use of the "auto" directive to let nginx spawn as
many workers as there are CPU cores. [Aitte]
- Nginx.conf: Remove the gzip_buffers directive and let nginx figure it
out instead, that way it will align them to CPU cache lines for
greater performance. [Aitte]
- Protect-system-files.conf: use "deny all" for clearer intent when
blocking access. [Aitte]
- Nginx: change regex patterns to non-capturing for speedup. [Aitte]
- Don't cache .html or .htm files. [Andy Dawson]
Thanks @aitte, ref h5bp/server-configs#133
- Expires.conf: remove duplicate .ico cache headers. [Aitte]
- Change WOFF MIME type to `application/font-woff` [alrra]
The WOFF MIME Type was formally registered as `application/font-woff`:
- http://www.iana.org/assignments/media-types/application/font-woff
- One more space. [Nicolae Vartolomei]
- Code style consistency across nginx configs. [Nicolae Vartolomei]
- Port wiki docs to README's. [Nicolas Gallagher]
Move the wiki documentation into a README for each server config dir.
Make formatting improvements to the IIS documentation.
- Move .htaccess to the `server-configs` repository. [alrra]
- Update Microsoft Office Mime-Types (h5bp/server-configs#94) [Christian
Boenning]
Add mimetypes for all major MS office file types > 2003
Reference:
http://technet.microsoft.com/en-us/library/ee309278(v=office.12).aspx
- Whitespace correction. [Andy Dawson]
Make the markdown render correctly
- Update nginx/nginx.conf. [nvartolomei]
- Update gzip_disable option to match best practice. [James Aitken]
Nginx recommend to use the string ``msie6`` instead of the previously recommended regex.
The string matches the same stuff as the regex, but is faster according to their docs.
See: http://nginx.org/en/docs/http/ngx_http_gzip_module.html#gzip_disable
- Correct cache headers for webfonts. [AD7six]
Only one location match is ever executed - therefore the relevant
location match must contain all relevant rules.
cross-domain-fonts is included by default, therefore for right now add
the cache rules for these requests directly to the
cross-domain-fonts.conf file
fixes h5bp/server-configs#85
fixes h5bp/server-configs#86
Thanks to @MisterJack
- Split the default server config. [AD7six]
Make it possible to pick and mix server rules.
- Improve READMEs. [Alessandro Vendruscolo]
- Rename default.conf to example.com. [Alessandro Vendruscolo]
This should encourage users to keep the config files indexed by domain
name
- Per-site configuration, using two server blocks. [Alessandro
Vendruscolo]
- Correct syntax error. [Andy Dawson]
- Cleanup mess made doing pointless merge. [Chris McKee]
- Revert "Merge remote-tracking branch 'upstream/master' (HLBP Master
Server Configs)" [Chris McKee]
This reverts commit 19aa2e8a56ee3366feb99207aa6a43d498d92a0f, reversing
changes made to 1007c16e697790da227fab1b7ade6343be02ddb6.
- Only include conf files. [AD7six]
- Don't need this "hint" symlink. [AD7six]
there's a readme instead.
- Adding readm files to sites-available/enabled. [AD7six]
- Remove embedded config lost in merge. [AD7six]
- Use sites-available vhost style. [AD7six]
If there is only one host - this doesn't add any problems, and makes
it easier to isolate changes related to the host from that of the host
in general.
When more than one host is used, it makes things much, much simpler.
- Add `cache-control: no-transform` header. [Alessandro Vendruscolo]
- Cross-domain stuff. [Alessandro Vendruscolo]
- Security tweaks, returning 403 if needed. [Alessandro Vendruscolo]
- Add filename based cache busting. [Alessandro Vendruscolo]
- Handle www to non-www redirect. [Alessandro Vendruscolo]
A secondary `server` block has been added. It'll listen on the `www`
host and redirect to the `non-www` host.
- Encourage users to use multiple virtual hosts. [Alessandro
Vendruscolo]
- Add the MIME type for AAC audio files. [Roland Warmerdam]
- Update the nginx gzip MIME types. [Roland Warmerdam]
- Use valid font mime types in the nginx config. [Roland Warmerdam]
- Normalize whitespace. [AD7six]
make it easier to keep this file and the .htaccess file it is based upon
in sync, by using the same indent
- Syncing with latest H5BP `.htaccess` [Chris Jones]
- Add the x-web-app-manifest-json mimetype for webapp files. [James
Long]
- Fix configuration syntax. http://wiki.nginx.org/ConfigurationSyntax.
[Indrek Ardel]
- Serve .mp4 and .m4v files as `video/mp4` as per RFC 4337. [Mathias
Bynens]
Closes h5bp/html5-boilerplate#1024. See http://tools.ietf.org/html/rfc4337#section-2.
- Whoops - 1Y is not valid. [AD7six]
one year is 1y
- Apparently this is the same header as apache serves. [AD7six]
- Move all server configs into folders. [AD7six]
easier to organise. We could also possibly then simply add a README
file toeach folder rather than use wiki pages - maybe.
- Make xml application/xml. [AD7six]
- Add json. [AD7six]
- Add expire rules mimicking that of the apache config. [AD7six]
These rules are closer to the expire logic defined for apache, and also
use a none-capturing regex which will be (unnoticably) faster.
Added a comment as to why there is no default expire header defined.
- Do not set a default expire. [AD7six]
Unless your entire site is static it's inappropriate to do so - dynamic
requests will be cached by the browser unless your application code
overrides the expires which nginx is setting by default.
- Added m4a/m4v mime types. [John-Scott Atlakson]
This was recently added upstream => http://trac.nginx.org/nginx/changeset/4252/nginx
- Specify a charset. [ram]
- Use the correct MIME type for XHTML files. [Mathias Bynens]
- Add mime types from default mime.types. [James McKinney]
- Updating configs to match H5BP .htaccess defaults. [Mike Almond]
- Add mime type for .wav files. [Tinnet Coronam]
'x-wav' seems to be the standard, but could also be 'wav' or 'wave' or 'vnd.wav' according to wikipedia
- We also need application/x-javascript for google chrome. [Iurii
Ogiienko]
- Merge. i thinkkk. [Paul Irish]
- Nginx.conf Improvements/Corrections. [sean]
Don't think it makes sense to turn this off for a single worker and it's on by default.
The docs indicate that Nginx will use the best method based on the available methods
Keepalive of 5 seems very low - i've seen recommendations of 10-20
gzip_proxied was set twice
gzip_static should be off unless actually used
default is deprecated
server_name _; shouldn't be used
Shoudn't use expires in the server {} block - should be inside location {}
Extra root lines not needed
gzip_comp_level seems too low
gzip_min_length seems too high
- Added some comments to the nginx config relating to expires. [Mark
Wolfe]
- Added some comments to the nginx config relating to expires. [Mark
Wolfe]
- Specify 404 page. [Ben Hanzl]
- Image/x-icon to match our htaccess. thx badboy. [Paul Irish]
- Remove access logging for static files to save disk writes. [Graham
Weldon]
- Add to and fix typo in MIME types to be gzipped: [Paul Sarena]
Add text/x-component. It's listed in html5-boilerplate/.htaccess and is in our nginx-mime.types
Fix application/xml+rss, should be application/rss+xml
Comment indicating text/html is always compressed, so there's no need to include it
- Remove access logging for static files to save disk writes. [Graham
Weldon]
- Add to and fix typo in MIME types to be gzipped: [Paul Sarena]
Add text/x-component. It's listed in html5-boilerplate/.htaccess and is in our nginx-mime.types
Fix application/xml+rss, should be application/rss+xml
Comment indicating text/html is always compressed, so there's no need to include it
- Associate mime.types file with nginx. [Paul Irish]
- Nginx: js wasnt being gzipped. thanks poswald! fixes h5bp/server-
configs#5. [Paul Irish]
- Use the .appcache extension instead of .manifest, as per
http://html5.org/r/5812 - thx mathias. [Paul Irish]
- X-UA-Compatible for nginx. thanks mucho joshgillies. [Paul Irish]
- Adding minor note about who owns the mime.types file. [Paul Irish]
- Whats up, sweetass configurations? boom boom. [Paul Irish]
================================================
FILE: LICENSE.txt
================================================
Copyright (c) H5BP
Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies
of the Software, and to permit persons to whom the Software is furnished to do
so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
================================================
FILE: README.md
================================================
# [Nginx Server Configs](https://github.com/h5bp/server-configs-nginx)
[](https://github.com/h5bp/server-configs-nginx/actions/workflows/server.yml)
**Nginx Server Configs** is a collection of configuration files that can help
your server improve the website's performance and security, while also
ensuring that resources are served with the correct content-type and are
accessible, if needed, even cross-domain.
## Getting Started
Using the Nginx server configs repo directly has a few required steps to be able to work.
* [Nginx Beginners Guide](https://nginx.org/en/docs/beginners_guide.html)
* [Nginx Request Processing](https://nginx.org/en/docs/http/request_processing.html)
### Check `nginx.conf` settings
The first thing to check is that the `nginx.conf` file contains appropriate values for
your specific install.
Most specific variables are:
* `user`
* `error_log`
* `pid`
* `access_log`
### Nginx test and restart
* To verify Nginx config
```shell
nginx -t
```
* To verify Nginx config with a custom file
```shell
nginx -t -c nginx.conf
```
* To reload Nginx and apply the new config
```shell
nginx -s reload
```
### Repository structure
This repository has the following structure:
```text
./
├── conf.d/
│ ├── default.conf
│ └── templates/
├── h5bp/
│ ├── basic.conf
│ ├── location/
│ └── .../
├── custom.d/
│ └── .../
├── mime.types
└── nginx.conf
```
* **`conf.d/`**
This directory should contain all the `server` definitions.
Except if they are dot prefixed or non `.conf` extension, all files in this
directory are loaded automatically.
* **`templates` folder**
Files in this directory contain a `server` template for secure and non-secure
hosts. They are intended to be copied in the `conf.d` directory with all
`example.com` occurrences changed to the target host.
* **`h5bp/`**
This directory contains config snippets (mixins) to be included as desired.
There are two types of config files provided: individual config snippets and
combined config files which provide convenient defaults.
* **`basic.conf`**
This file loads a small subset of the rules provided by this repository to add
`expires` headers, allow cross-domain fonts and protect system files from web
access.
The `basic.conf` file includes the rules which are recommended to always be
defined.
* **`location/`**
Files in this directory contain one or more `location` directives. They are
intended to be loaded in the `server` context (or, in a nested `location` block).
* **`custom.d/`**
This directory should contain all the custom `nginx.conf` configuration.
Except if they are dot prefixed or non `.conf` extension, all files in this
folder are loaded automatically.
* **`mime.types`**
The `mime.types` file is responsible for mapping file extensions to MIME types.
* **`nginx.conf`**
The main Nginx config file.
## Usage
### As a reference
To use as reference requires no special installation steps, download/checkout the
repository to a convenient location and adapt your existing Nginx configuration
incorporating the desired functionality from this repository.
Download the [latest release archive](https://github.com/h5bp/server-configs-nginx/releases/latest).
### Directly
To use directly, replace the Nginx config directory with this repository.
For example:
```shell
nginx -s stop
cd /etc
mv nginx nginx-previous
git clone https://github.com/h5bp/server-configs-nginx.git nginx
# install-specific edits
nginx
```
### Manage sites
```bash
cd /etc/nginx/conf.d
```
* Creating a new site
```bash
cp templates/example.com.conf .actual-hostname.conf
sed -i 's/example.com/actual-hostname/g' .actual-hostname.conf
```
* Enabling a site
```bash
mv .actual-hostname.conf actual-hostname.conf
```
* Disabling a site
```bash
mv actual-hostname.conf .actual-hostname.conf
```
```bash
nginx -s reload
```
## Support
* Nginx v**1.8.0**+
## Contributing
Anyone is welcome to [contribute](.github/CONTRIBUTING.md),
however, if you decide to get involved, please take a moment to review
the [guidelines](.github/CONTRIBUTING.md):
* [Bug reports](.github/CONTRIBUTING.md#bugs)
* [Feature requests](.github/CONTRIBUTING.md#features)
* [Pull requests](.github/CONTRIBUTING.md#pull-requests)
## Acknowledgements
[Nginx Server Configs](https://github.com/h5bp/server-configs-nginx) is
only possible thanks to all the awesome
[contributors](https://github.com/h5bp/server-configs-nginx/graphs/contributors)!
## License
The code is available under the [MIT license](LICENSE.txt).
================================================
FILE: conf.d/.default.conf
================================================
# ----------------------------------------------------------------------
# | Default behavior for unknown hosts |
# ----------------------------------------------------------------------
#
# Drop requests for unknown hosts.
#
# If no default server is defined, Nginx will use the first found server.
# To prevent host header attacks, or other potential problems when an unknown
# server name is used in a request, it's recommended to drop the request
# returning 444 "No Response".
server {
listen [::]:443 ssl http2 default_server;
listen 443 ssl http2 default_server;
server_name _;
include h5bp/tls/ssl_engine.conf;
include h5bp/tls/certificate_files.conf;
include h5bp/tls/policy_balanced.conf;
return 444;
}
================================================
FILE: conf.d/no-ssl.default.conf
================================================
# ----------------------------------------------------------------------
# | Default behavior for unknown hosts |
# ----------------------------------------------------------------------
#
# Drop requests for unknown hosts.
#
# If no default server is defined, Nginx will use the first found server.
# To prevent host header attacks, or other potential problems when an unknown
# server name is used in a request, it's recommended to drop the request
# returning 444 "No Response".
#
# (1) In production, only secure hosts should be used (all `no-ssl` disabled).
# If so, redirect first ANY request to a secure connection before handling
# it, even if the host is unknown.
#
# https://observatory.mozilla.org/faq/
server {
listen [::]:80 default_server deferred;
listen 80 default_server deferred;
server_name _;
# (1)
# return 301 https://$host$request_uri;
return 444;
}
================================================
FILE: conf.d/templates/example.com.conf
================================================
# ----------------------------------------------------------------------
# | Config file for example.com host |
# ----------------------------------------------------------------------
#
# This file is a template for an Nginx server.
# This Nginx server listens for the `example.com` host and handles requests.
# Replace `example.com` with your hostname before enabling.
# Choose between www and non-www, listen on the wrong one and redirect to
# the right one.
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#server-name-if
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name www.example.com;
include h5bp/tls/ssl_engine.conf;
include h5bp/tls/certificate_files.conf;
include h5bp/tls/policy_balanced.conf;
return 301 $scheme://example.com$request_uri;
}
server {
# listen [::]:443 ssl http2 accept_filter=dataready; # for FreeBSD
# listen 443 ssl http2 accept_filter=dataready; # for FreeBSD
listen [::]:443 ssl http2;
listen 443 ssl http2;
# The host name to respond to
server_name example.com;
include h5bp/tls/ssl_engine.conf;
include h5bp/tls/certificate_files.conf;
include h5bp/tls/policy_balanced.conf;
# Path for static files
root /var/www/example.com/public;
# Custom error pages
include h5bp/errors/custom_errors.conf;
# Include the basic h5bp config set
include h5bp/basic.conf;
}
================================================
FILE: conf.d/templates/no-ssl.example.com.conf
================================================
# ----------------------------------------------------------------------
# | Config file for non-secure example.com host |
# ----------------------------------------------------------------------
#
# This file is a template for a non-secure Nginx server.
# This Nginx server listens for the `example.com` host and handles requests.
# Replace `example.com` with your hostname before enabling.
# Choose between www and non-www, listen on the wrong one and redirect to
# the right one.
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/#server-name-if
server {
listen [::]:80;
listen 80;
server_name www.example.com;
return 301 $scheme://example.com$request_uri;
}
server {
# listen [::]:80 accept_filter=httpready; # for FreeBSD
# listen 80 accept_filter=httpready; # for FreeBSD
listen [::]:80;
listen 80;
# The host name to respond to
server_name example.com;
# Path for static files
root /var/www/example.com/public;
# Custom error pages
include h5bp/errors/custom_errors.conf;
# Include the basic h5bp config set
include h5bp/basic.conf;
}
================================================
FILE: h5bp/basic.conf
================================================
# Nginx Server Configs | MIT License
# https://github.com/h5bp/server-configs-nginx
include h5bp/security/referrer-policy.conf;
include h5bp/security/x-content-type-options.conf;
include h5bp/security/x-frame-options.conf;
include h5bp/location/security_file_access.conf;
include h5bp/cross-origin/requests.conf;
================================================
FILE: h5bp/cross-origin/requests.conf
================================================
# ----------------------------------------------------------------------
# | Cross-origin requests |
# ----------------------------------------------------------------------
# Allow cross-origin requests.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
# https://enable-cors.org/
# https://www.w3.org/TR/cors/
# (!) Do not use this without understanding the consequences.
# This will permit access from any other website.
# Instead of using this file, consider using a specific rule such as
# allowing access based on (sub)domain:
#
# add_header Access-Control-Allow-Origin "subdomain.example.com";
add_header Access-Control-Allow-Origin $cors;
================================================
FILE: h5bp/cross-origin/resource_timing.conf
================================================
# ----------------------------------------------------------------------
# | Cross-origin resource timing |
# ----------------------------------------------------------------------
# Allow cross-origin access to the timing information for all resources.
#
# If a resource isn't served with a `Timing-Allow-Origin` header that would
# allow its timing information to be shared with the document, some of the
# attributes of the `PerformanceResourceTiming` object will be set to zero.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
# https://www.w3.org/TR/resource-timing/
# https://www.stevesouders.com/blog/2014/08/21/resource-timing-practical-tips/
add_header Timing-Allow-Origin "*";
================================================
FILE: h5bp/errors/custom_errors.conf
================================================
# ----------------------------------------------------------------------
# | Custom error messages/pages |
# ----------------------------------------------------------------------
# Customize what Nginx returns to the client in case of an error.
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page
error_page 404 /404.html;
================================================
FILE: h5bp/location/security_file_access.conf
================================================
# ----------------------------------------------------------------------
# | File access |
# ----------------------------------------------------------------------
# Block access to all hidden files and directories except for the
# visible content from within the `/.well-known/` hidden directory.
#
# These types of files usually contain user preferences or the preserved state
# of a utility, and can include rather private places like, for example, the
# `.git` or `.svn` directories.
#
# The `/.well-known/` directory represents the standard (RFC 5785) path prefix
# for "well-known locations" (e.g.: `/.well-known/manifest.json`,
# `/.well-known/keybase.txt`), and therefore, access to its visible content
# should not be blocked.
#
# https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785
location ~* /\.(?!well-known\/) {
deny all;
}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Block access to files that can expose sensitive information.
#
# By default, block access to backup and source files that may be left by some
# text editors and can pose a security risk when anyone has access to them.
#
# https://feross.org/cmsploit/
#
# (!) Update the `location` regular expression from below to include any files
# that might end up on your production server and can expose sensitive
# information about your website. These files may include: configuration
# files, files that contain metadata about the project (e.g.: project
# dependencies, build scripts, etc.).
location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
deny all;
}
================================================
FILE: h5bp/location/web_performance_filename-based_cache_busting.conf
================================================
# ----------------------------------------------------------------------
# | Filename-based cache busting |
# ----------------------------------------------------------------------
# If you're not using a build process to manage your filename version revving,
# you might want to consider enabling the following directives.
#
# To understand why this is important and even a better solution than using
# something like `*.css?v231`, please see:
# https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
location ~* (.+)\.(?:\w+)\.(avifs?|bmp|css|cur|gif|ico|jpe?g|jxl|m?js|a?png|svgz?|webp|webmanifest)$ {
try_files $uri $1.$2;
}
================================================
FILE: h5bp/location/web_performance_svgz-compression.conf
================================================
# ----------------------------------------------------------------------
# | SVGZ Compression |
# ----------------------------------------------------------------------
# SVGZ files are already compressed.
# Disable gzip function for `.svgz` files.
location ~* \.svgz$ {
gzip off;
add_header Content-Encoding gzip;
include h5bp/security/x-content-type-options.conf;
include h5bp/security/content-security-policy.conf;
include h5bp/security/referrer-policy.conf;
include h5bp/security/permissions-policy.conf;
include h5bp/security/cross-origin-policy.conf;
include h5bp/cross-origin/requests.conf;
}
================================================
FILE: h5bp/media_types/character_encodings.conf
================================================
# ----------------------------------------------------------------------
# | Character encodings |
# ----------------------------------------------------------------------
# Serve all resources labeled as `text/html` or `text/plain` with the media type
# `charset` parameter set to `UTF-8`.
#
# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset
charset utf-8;
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Update charset_types to match updated mime.types.
# `text/html` is always included by charset module.
# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
#
# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset_types
charset_types
text/css
text/plain
text/vnd.wap.wml
text/javascript
text/markdown
text/calendar
text/x-component
text/vcard
text/cache-manifest
text/vtt
application/json
application/manifest+json;
================================================
FILE: h5bp/media_types/media_types.conf
================================================
# ----------------------------------------------------------------------
# | Media types |
# ----------------------------------------------------------------------
# Serve resources with the proper media types (f.k.a. MIME types).
#
# https://www.iana.org/assignments/media-types/media-types.xhtml
# https://nginx.org/en/docs/http/ngx_http_core_module.html#types
include mime.types;
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Default: text/plain
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type
default_type application/octet-stream;
================================================
FILE: h5bp/security/content-security-policy.conf
================================================
# ----------------------------------------------------------------------
# | Content Security Policy (CSP) |
# ----------------------------------------------------------------------
# Mitigate the risk of cross-site scripting and other content-injection
# attacks.
#
# This can be done by setting a Content Security Policy which permits
# trusted sources of content for your website.
#
# There is no policy that fits all websites, you will have to modify the
# `Content-Security-Policy` directives in the example depending on your needs.
#
# To make your CSP implementation easier, you can use an online CSP header
# generator such as:
# https://report-uri.com/home/generate/
#
# It is encouraged that you validate your CSP header using a CSP validator
# such as:
# https://csp-evaluator.withgoogle.com
#
# https://www.w3.org/TR/CSP/
# https://owasp.org/www-project-secure-headers/#content-security-policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://developers.google.com/web/fundamentals/security/csp
# https://content-security-policy.com/
add_header Content-Security-Policy $content_security_policy always;
================================================
FILE: h5bp/security/cross-origin-policy.conf
================================================
# ----------------------------------------------------------------------
# | Cross Origin Policy |
# ----------------------------------------------------------------------
# Set strict a Cross Origin Policy to mitigate information leakage.
#
# (1) Cross-Origin-Embedder-Policy prevents a document from loading any
# cross-origin resources that don’t explicitly grant the document
# permission.
# https://html.spec.whatwg.org/multipage/origin.html#coep
# https://owasp.org/www-project-secure-headers/#cross-origin-embedder-policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
#
# (2) Cross-Origin-Opener-Policy allows you to ensure a top-level document does
# not share a browsing context group with cross-origin documents.
# https://html.spec.whatwg.org/multipage/origin.html#cross-origin-opener-policies
# https://owasp.org/www-project-secure-headers/#cross-origin-opener-policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
#
# (3) Cross-Origin-Resource-Policy allows to define a policy that lets web
# sites and applications opt in to protection against certain requests from
# other origins, to mitigate speculative side-channel attacks.
# https://fetch.spec.whatwg.org/#cross-origin-resource-policy-header
# https://owasp.org/www-project-secure-headers/#cross-origin-resource-policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
# https://resourcepolicy.fyi/
#
# To check your Cross Origin Policy, you can use an online service, such as:
# https://securityheaders.com/
# https://observatory.mozilla.org/
#
# https://web.dev/coop-coep/
# https://web.dev/why-coop-coep/
# https://web.dev/cross-origin-isolation-guide/
# https://scotthelme.co.uk/coop-and-coep/
# (1)
add_header Cross-Origin-Embedder-Policy $coep_policy always;
# (2)
add_header Cross-Origin-Opener-Policy $coop_policy always;
# (3)
add_header Cross-Origin-Resource-Policy $corp_policy always;
================================================
FILE: h5bp/security/permissions-policy.conf
================================================
# ----------------------------------------------------------------------
# | Permissions Policy |
# ----------------------------------------------------------------------
# Set a strict Permissions Policy to mitigate access to browser features.
#
# The header uses a structured syntax, and allows sites to more tightly
# restrict which origins can be granted access to features.
# The list of available features:
# https://github.com/w3c/webappsec-permissions-policy/blob/main/features.md
#
# The example policy below aims to disable all features expect synchronous
# `XMLHttpRequest` requests on the same origin.
#
# To check your Permissions Policy, you can use an online service, such as:
# https://securityheaders.com/
# https://observatory.mozilla.org/
#
# https://www.w3.org/TR/permissions-policy-1/
# https://owasp.org/www-project-secure-headers/#permissions-policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
# https://scotthelme.co.uk/a-new-security-header-feature-policy/
add_header Permissions-Policy $permissions_policy always;
================================================
FILE: h5bp/security/referrer-policy.conf
================================================
# ----------------------------------------------------------------------
# | Referrer Policy |
# ----------------------------------------------------------------------
# Set a strict Referrer Policy to mitigate information leakage.
#
# (1) The `Referrer-Policy` header is included in responses for resources
# that are able to request (or navigate to) other resources.
#
# This includes the commonly used resource types:
# HTML, CSS, XML/SVG, PDF documents, scripts and workers.
#
# To prevent referrer leakage entirely, specify the `no-referrer` value
# instead. Note that the effect could impact analytics metrics negatively.
#
# To check your Referrer Policy, you can use an online service, such as:
# https://securityheaders.com/
# https://observatory.mozilla.org/
#
# https://www.w3.org/TR/referrer-policy/
# https://owasp.org/www-project-secure-headers/#referrer-policy
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
add_header Referrer-Policy $referrer_policy always;
================================================
FILE: h5bp/security/server_software_information.conf
================================================
# ----------------------------------------------------------------------
# | Server software information |
# ----------------------------------------------------------------------
# Prevent Nginx from sending its version number in the "Server" response header.
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
server_tokens off;
================================================
FILE: h5bp/security/strict-transport-security.conf
================================================
# ----------------------------------------------------------------------
# | HTTP Strict Transport Security (HSTS) |
# ----------------------------------------------------------------------
# Force client-side TLS (Transport Layer Security) redirection.
#
# If a user types `example.com` in their browser, even if the server redirects
# them to the secure version of the website, that still leaves a window of
# opportunity (the initial HTTP connection) for an attacker to downgrade or
# redirect the request.
#
# The following header ensures that a browser only connects to your server
# via HTTPS, regardless of what the users type in the browser's address bar.
#
# (!) Be aware that Strict Transport Security is not revokable and you
# must ensure being able to serve the site over HTTPS for the duration
# you've specified in the `max-age` directive. When you don't have a
# valid TLS connection anymore (e.g. due to an expired TLS certificate)
# your visitors will see a nasty error message even when attempting to
# connect over HTTP.
#
# (1) Preloading Strict Transport Security.
# To submit your site for HSTS preloading, it is required that:
# * the `includeSubDomains` directive is specified
# * the `preload` directive is specified
# * the `max-age` is specified with a value of at least 31536000 seconds
# (1 year).
# https://hstspreload.org/#deployment-recommendations
#
# https://tools.ietf.org/html/rfc6797#section-6.1
# https://owasp.org/www-project-secure-headers/#http-strict-transport-security
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
# https://hstspreload.org/
add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
# (1) Enable your site for HSTS preload inclusion.
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
================================================
FILE: h5bp/security/x-content-type-options.conf
================================================
# ----------------------------------------------------------------------
# | Content Type Options |
# ----------------------------------------------------------------------
# Prevent some browsers from MIME-sniffing the response.
#
# This reduces exposure to drive-by download attacks and cross-origin data
# leaks, and should be left uncommented, especially if the server is serving
# user-uploaded content or content that could potentially be treated as
# executable by the browser.
#
# https://owasp.org/www-project-secure-headers/#x-content-type-options
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
# https://mimesniff.spec.whatwg.org/
add_header X-Content-Type-Options nosniff always;
================================================
FILE: h5bp/security/x-frame-options.conf
================================================
# ----------------------------------------------------------------------
# | Frame Options |
# ----------------------------------------------------------------------
# Protect website against clickjacking.
#
# The example below sends the `X-Frame-Options` response header with the value
# `DENY`, informing browsers not to display the content of the web page in any
# frame.
#
# This might not be the best setting for everyone. You should read about the
# other two possible values the `X-Frame-Options` header field can have:
# `SAMEORIGIN` and `ALLOW-FROM`.
# https://tools.ietf.org/html/rfc7034#section-2.1.
#
# Keep in mind that while you could send the `X-Frame-Options` header for all
# of your website's pages, this has the potential downside that it forbids even
# non-malicious framing of your content.
#
# Nonetheless, you should ensure that you send the `X-Frame-Options` header for
# all pages that allow a user to make a state-changing operation (e.g: pages
# that contain one-click purchase links, checkout or bank-transfer confirmation
# pages, pages that make permanent configuration changes, etc.).
#
# Sending the `X-Frame-Options` header can also protect your website against
# more than just clickjacking attacks.
# https://cure53.de/xfo-clickjacking.pdf.
#
# (!) The `Content-Security-Policy` header has a `frame-ancestors` directive
# which obsoletes this header for supporting browsers.
#
# https://tools.ietf.org/html/rfc7034
# https://owasp.org/www-project-secure-headers/#x-frame-options
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# https://docs.microsoft.com/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options
add_header X-Frame-Options $x_frame_options always;
================================================
FILE: h5bp/tls/certificate_files.conf
================================================
# ----------------------------------------------------------------------
# | Certificate files |
# ----------------------------------------------------------------------
# This default SSL certificate will be served whenever the client lacks support
# for SNI (Server Name Indication).
#
# (1) Certificate and key files location
# The certificate file can contain an intermediate certificate.
#
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
#
# (2) Intermediate certificate location if loaded certificate (1) does not
# contain intermediate certificate when enabling OCSP stapling.
#
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
#
# (3) CA certificate file location for client certificate authentication.
#
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate
# (1)
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
# (2)
# ssl_trusted_certificate /path/to/ca.crt;
# (3)
# ssl_client_certificate /etc/nginx/default_ssl.crt;
================================================
FILE: h5bp/tls/ocsp_stapling.conf
================================================
# ----------------------------------------------------------------------
# | Online Certificate Status Protocol stapling |
# ----------------------------------------------------------------------
# OCSP is a lightweight, only one record to help clients verify the validity of
# the server certificate.
# OCSP stapling allows the server to send its cached OCSP record during the TLS
# handshake, without the need of 3rd party OCSP responder.
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
# https://tools.ietf.org/html/rfc6066#section-8
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
#
# (1) Use Cloudflare 1.1.1.1 DNS resolver
# https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/
#
# (2) Use Google 8.8.8.8 DNS resolver
# https://developers.google.com/speed/public-dns/docs/using
#
# (3) Use OpenDNS resolver
# https://use.opendns.com
ssl_stapling on;
ssl_stapling_verify on;
resolver
# (1)
1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
# (2)
8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844]
# (3)
# 208.67.222.222 208.67.220.220 [2620:119:35::35] [2620:119:53::53]
valid=60s;
resolver_timeout 2s;
================================================
FILE: h5bp/tls/policy_balanced.conf
================================================
# ----------------------------------------------------------------------
# | SSL policy - Balanced |
# ----------------------------------------------------------------------
# For services that need to support a wide range of clients, this configuration
# is reasonably balanced.
#
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
# and potentially vulnerable but are required to support Microsoft Edge
# and Safari.
# https://safecurves.cr.yp.to/
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
# (1)
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
================================================
FILE: h5bp/tls/policy_strict.conf
================================================
# ----------------------------------------------------------------------
# | SSL policy - Strict |
# ----------------------------------------------------------------------
# For services that don't need backward compatibility, the parameters below
# provide the highest level of security and performance.
#
# (!) This policy enforces a strong TLS configuration, which may raise
# errors with old clients.
# If a more compatible profile is required, use the "balanced" policy.
#
# (!) TLSv1.3 and its 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
# to be installed.
#
# (!) Don't enable `ssl_early_data` blindly! Requests sent within early data are
# subject to replay attacks.
#
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
# and potentially vulnerable.
#
# Add them back to the parameter `ssl_ecdh_curve` below to support
# Microsoft Edge and Safari.
#
# https://safecurves.cr.yp.to/
#
# (2) Enables TLS 1.3 0-RTT, allows for faster resumption of TLS sessions.
#
# (!) Requests sent within early data are subject to replay attacks.
# To protect against such attacks at the application layer, the
# `$ssl_early_data` variable should be used:
#
# proxy_set_header Early-Data $ssl_early_data;
#
# The application should return response code 425 "Too Early" for anything
# that could contain user supplied data.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425
#
# https://github.com/certbot/certbot/issues/6367
# https://github.com/mozilla/server-side-tls/issues/217
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
# (1)
ssl_ecdh_curve X25519;
# (2)
#ssl_early_data on;
================================================
FILE: h5bp/tls/ssl_engine.conf
================================================
# ----------------------------------------------------------------------
# | SSL engine |
# ----------------------------------------------------------------------
# (1) Optimize SSL by caching session parameters for 24 hours.
# This cuts down on the number of expensive SSL handshakes.
# By enabling a cache, we tell the client to re-use the already
# negotiated state.
# Here 10m (10 MB) in ssl_session_cache is size value (not time).
# 1 MB cache can store about 4000 sessions, so we can store 40000 sessions.
#
# (2) Use a higher keepalive timeout to reduce the need for repeated handshakes
# (!) Shouldn't be done unless you serve primarily HTTPS.
# Default is 75s
#
# (3) SSL buffer size
# Set 1400 bytes to fit in one MTU.
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
#
# (4) Disable session tickets
# Session tickets keys are not auto-rotated. Only a HUP / restart will do
# so and when a restart is performed the previous key is lost, which resets
# all previous sessions.
# Only enable session tickets if you set up a manual rotation mechanism.
# https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
#
# (5) The TLS 1.2 and 1.3 ciphers in use in current policies are not considered
# dangerous. This directive let the client choose the one that best fits their needs.
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_prefer_server_ciphers
# https://wiki.mozilla.org/Security/Server_Side_TLS
# (1)
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:10m;
# (2)
keepalive_timeout 300s;
# (3)
# ssl_buffer_size 1400;
# (4)
ssl_session_tickets off;
# (5)
ssl_prefer_server_ciphers off;
================================================
FILE: h5bp/web_performance/cache-control.conf
================================================
# ----------------------------------------------------------------------
# | Cache Control |
# ----------------------------------------------------------------------
# Serve resources with appropriate cache control directives.
#
# The `Cache-Control` header field holds directives (instructions) that control
# caching in browsers and shared caches (e.g. Proxies, CDNs).
# Its use targets web performances improvement by specifying the expected
# client and network caches behaviors.
#
# The usable cache directives are listed here:
# https://www.iana.org/assignments/http-cache-directives/http-cache-directives.xml
#
# The cache directives are documented here:
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control#response_directives
#
# (!) Enable and configure this configuration with care.
# Default values should embrace conformance for static files and simple
# apps, but cache control definition at backend level is highly preferred.
# Incorrect directives can lead to data leaks, or can degrade performances.
#
# More specifically, in-depth understanding on `public` vs `private`
# directives meanings is highly recommended. A resource with `public` will
# be cached by shared caches like CDN, even if a user session is active.
#
# (*) To avoid duplication of the directive `no-cache` on `Cache-Control`,
# the value is skipped here.
# The directive `no-cache` is already defined by Nginx `expires` when set
# to `epoch`. This ensure a correct value enforcement whenever cache
# control configuration is used or not.
# Cache expiration configuration `expires` is described in the file
# h5bp/web_performance/cache_expiration.conf.
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
# https://www.rfc-editor.org/rfc/rfc9111.html
# https://www.rfc-editor.org/rfc/rfc8246.html
# https://www.rfc-editor.org/rfc/rfc5861.html
# https://www.iana.org/assignments/http-cache-directives/http-cache-directives.xml
# https://cache-tests.fyi/
add_header Cache-Control $cache_control;
================================================
FILE: h5bp/web_performance/cache-file-descriptors.conf
================================================
# ----------------------------------------------------------------------
# | Cache file-descriptors |
# ----------------------------------------------------------------------
# This tells Nginx to cache open file handles, "Not Found" errors and
# metadata about files and their permissions.
#
# Based on these cached metadata, Nginx can immediately begin sending data when
# a popular file is requested, and will also know to immediately send a 404 if a
# file is missing on disk, and so on.
#
# (!) It also means that the server won't react immediately to changes on disk,
# which may be undesirable.
# As only metadata are cached, edited files may be truncated until the cache
# is refreshed.
# https://github.com/h5bp/server-configs-nginx/issues/203
#
# In the below configuration, inactive files are released from the cache after
# 20 seconds, whereas active (recently requested) files are re-validated every
# 30 seconds.
# Descriptors will not be cached unless they are used at least 2 times within
# 20 seconds (the inactive time).
# A maximum of the 1000 most recently used file descriptors can be cached at
# any time.
#
# Production servers with stable file collections will definitely want to enable
# the cache.
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
================================================
FILE: h5bp/web_performance/cache_expiration.conf
================================================
# ----------------------------------------------------------------------
# | Cache expiration |
# ----------------------------------------------------------------------
# Serve resources with a far-future expiration date.
#
# (!) If you don't control versioning with filename-based cache busting, you
# should consider lowering the cache times to something like one week.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
map $sent_http_content_type $expires {
# Default: Fallback
default 1y;
# Default: No content
"" off;
# Specific: Assets
~*image/svg\+xml 1y;
~*image/vnd.microsoft.icon 1w;
~*image/x-icon 1w;
# Specific: Manifests
~*application/manifest\+json 1w;
~*text/cache-manifest epoch;
# Specific: Data interchange
~*application/atom\+xml 1h;
~*application/rdf\+xml 1h;
~*application/rss\+xml 1h;
# Specific: Documents
~*text/html epoch;
~*text/markdown epoch;
~*text/calendar epoch;
# Specific: Other
~*text/x-cross-domain-policy 1w;
# Generic: Data
~*json epoch;
~*xml epoch;
# Generic: WebAssembly
# ~*application/wasm 1y; # default
# Generic: Assets
# ~*application/javascript 1y; # default
# ~*application/x-javascript 1y; # default
# ~*text/javascript 1y; # default
# ~*text/css 1y; # default
# Generic: Medias
# ~*audio/ 1y; # default
# ~*image/ 1y; # default
# ~*video/ 1y; # default
# ~*font/ 1y; # default
}
expires $expires;
================================================
FILE: h5bp/web_performance/compression.conf
================================================
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about 75%
# reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 5;
# Don't compress anything that's already small and unlikely to shrink much if at
# all (the default is 20 bytes, which is bad as that usually leads to larger
# files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# `text/html` is always compressed by gzip module.
# Default: text/html
gzip_types
application/atom+xml
application/geo+json
application/javascript
application/x-javascript
application/json
application/ld+json
application/manifest+json
application/rdf+xml
application/rss+xml
application/vnd.ms-fontobject
application/wasm
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/eot
font/otf
font/ttf
image/bmp
image/svg+xml
image/vnd.microsoft.icon
image/x-icon
text/cache-manifest
text/calendar
text/css
text/javascript
text/markdown
text/plain
text/xml
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
================================================
FILE: h5bp/web_performance/content_transformation.conf
================================================
# ----------------------------------------------------------------------
# | Content transformation |
# ----------------------------------------------------------------------
# Prevent intermediate caches or proxies (such as those used by mobile
# network providers) and browsers data-saving features from modifying
# the website's content using the `no-transform` directive for
# `Cache-Control` header.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
# https://tools.ietf.org/html/rfc7234#section-5.2.2.4
#
# (!) Carefully consider the impact on your visitors before disabling
# content transformation. These transformations are performed to
# improve the experience for data- and cost-constrained users
# (e.g. users on a 2G connection).
#
# You can test the effects of content transformation applied by
# Google's Lite Mode by visiting: https://googleweblight.com/i?u=https://www.example.com
#
# https://support.google.com/webmasters/answer/6211428
#
# (!) If you are using `ngx_pagespeed`, note that disabling this will
# prevent `PageSpeed` from rewriting HTML files, and, if the
# `pagespeed DisableRewriteOnNoTransform` directive isn't set to
# `off`, also from rewriting other resources.
#
# https://developers.google.com/speed/pagespeed/module/configuration#notransform
add_header Cache-Control "no-transform";
================================================
FILE: h5bp/web_performance/pre-compressed_content_brotli.conf
================================================
# ----------------------------------------------------------------------
# | Brotli pre-compressed content |
# ----------------------------------------------------------------------
# Serve brotli compressed CSS, JS, HTML, SVG, ICS and JSON files if they exist
# and if the client accepts br encoding.
#
# (!) To make this part relevant, you need to generate encoded files by your
# own. Enabling this part will not auto-generate brotlied files.
#
# Note that some clients (e.g. browsers) require a secure connection to request
# brotli-compressed resources.
# https://www.chromestatus.com/feature/5420797577396224
#
# https://github.com/eustas/ngx_brotli/#brotli_static
brotli_static on;
================================================
FILE: h5bp/web_performance/pre-compressed_content_gzip.conf
================================================
# ----------------------------------------------------------------------
# | GZip pre-compressed content |
# ----------------------------------------------------------------------
# Serve gzip compressed CSS, JS, HTML, SVG, ICS, and JSON files if they exist
# and if the client accepts gzip encoding.
#
# (!) To make this part relevant, you need to generate encoded files by your
# own. Enabling this part will not auto-generate gziped files.
#
# https://nginx.org/en/docs/http/ngx_http_gzip_static_module.html
gzip_static on;
================================================
FILE: mime.types
================================================
types {
# Data interchange
application/atom+xml atom;
application/json json map topojson;
application/ld+json jsonld;
application/rss+xml rss;
# Normalize to standard type.
# https://tools.ietf.org/html/rfc7946#section-12
application/geo+json geojson;
application/xml xml;
# Normalize to standard type.
# https://tools.ietf.org/html/rfc3870#section-2
application/rdf+xml rdf;
# JavaScript
# Servers should use text/javascript for JavaScript resources.
# https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
text/javascript js mjs;
application/wasm wasm;
# Manifest files
application/manifest+json webmanifest;
application/x-web-app-manifest+json webapp;
text/cache-manifest appcache;
# Media files
audio/midi mid midi kar;
audio/mp4 aac f4a f4b m4a;
audio/mpeg mp3;
audio/ogg oga ogg opus;
audio/x-realaudio ra;
audio/x-wav wav;
image/apng apng;
image/avif avif avifs;
image/bmp bmp;
image/gif gif;
image/jpeg jpeg jpg;
image/jxl jxl;
image/jxr jxr hdp wdp;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-jng jng;
video/3gpp 3gp 3gpp;
video/mp4 f4p f4v m4v mp4;
video/mpeg mpeg mpg;
video/ogg ogv;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-mng mng;
video/x-ms-asf asf asx;
video/x-msvideo avi;
# Serving `.ico` image files with a different media type
# prevents Internet Explorer from displaying then as images:
# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
image/x-icon cur ico;
# Microsoft Office
application/msword doc;
application/vnd.ms-excel xls;
application/vnd.ms-powerpoint ppt;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
# Web fonts
font/woff woff;
font/woff2 woff2;
application/vnd.ms-fontobject eot;
font/ttf ttf;
font/collection ttc;
font/otf otf;
# Other
application/java-archive ear jar war;
application/mac-binhex40 hqx;
application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz;
application/pdf pdf;
application/postscript ai eps ps;
application/rtf rtf;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-bb-appworld bbaw;
application/x-bittorrent torrent;
application/x-chrome-extension crx;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-opera-extension oex;
application/x-perl pl pm;
application/x-pilot pdb prc;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert crt der pem;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xslt+xml xsl;
application/zip zip;
text/calendar ics;
text/css css;
text/csv csv;
text/html htm html shtml;
text/markdown md markdown;
text/mathml mml;
text/plain txt;
text/vcard vcard vcf;
text/vnd.rim.location.xloc xloc;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/vtt vtt;
text/x-component htc;
}
================================================
FILE: nginx.conf
================================================
# Configuration File - Nginx Server Configs
# https://nginx.org/en/docs/
# Run as a unique, less privileged user for security reasons.
# Default: nobody nobody
# https://nginx.org/en/docs/ngx_core_module.html#user
# https://en.wikipedia.org/wiki/Principle_of_least_privilege
user www-data;
# Sets the worker threads to the number of CPU cores available in the system for
# best performance. Should be > the number of CPU cores.
# Maximum number of connections = worker_processes * worker_connections
# Default: 1
# https://nginx.org/en/docs/ngx_core_module.html#worker_processes
worker_processes auto;
# Maximum number of open files per worker process.
# Should be > worker_connections.
# Default: no limit
# https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
worker_rlimit_nofile 8192;
# Provides the configuration file context in which the directives that affect
# connection processing are specified.
# https://nginx.org/en/docs/ngx_core_module.html#events
events {
# If you need more connections than this, you start optimizing your OS.
# That's probably the point at which you hire people who are smarter than you
# as this is *a lot* of requests.
# Should be < worker_rlimit_nofile.
# Default: 512
# https://nginx.org/en/docs/ngx_core_module.html#worker_connections
worker_connections 8000;
}
# Log errors and warnings to this file
# This is only used when you don't override it on a `server` level
# Default: logs/error.log error
# https://nginx.org/en/docs/ngx_core_module.html#error_log
error_log /var/log/nginx/error.log warn;
# The file storing the process ID of the main process
# Default: logs/nginx.pid
# https://nginx.org/en/docs/ngx_core_module.html#pid
pid /var/run/nginx.pid;
# Include files in the custom.d folder.
# Custom configuration and value files should be placed in the custom.d
# folder.
# The configurations should be disabled by prefixing files with a dot.
include custom.d/*.conf;
http {
# Hide Nginx version information.
include h5bp/security/server_software_information.conf;
# Specify media (MIME) types for files.
include h5bp/media_types/media_types.conf;
# Set character encodings.
include h5bp/media_types/character_encodings.conf;
# Include $http_x_forwarded_for within default format used in log files
# https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Log access to this file
# This is only used when you don't override it on a `server` level
# Default: logs/access.log combined
# https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
access_log /var/log/nginx/access.log main;
# How long to allow each connection to stay idle.
# Longer values are better for each individual client, particularly for SSL,
# but means that worker connections are tied up longer.
# Default: 75s
# https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
keepalive_timeout 20s;
# Speed up file transfers by using `sendfile()` to copy directly between
# descriptors rather than using `read()`/`write()``.
# For performance reasons, on FreeBSD systems w/ ZFS this option should be
# disabled as ZFS's ARC caches frequently used files in RAM by default.
# Default: off
# https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
sendfile on;
# Don't send out partial frames; this increases throughput since TCP frames
# are filled up before being sent out.
# Default: off
# https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush
tcp_nopush on;
# Enable gzip compression.
include h5bp/web_performance/compression.conf;
# Specify file cache expiration.
include h5bp/web_performance/cache_expiration.conf;
# Add Cache-Control.
# h5bp/web_performance/cache-control.conf
map $sent_http_content_type $cache_control {
default "public, immutable, stale-while-revalidate";
# No content
"" "no-store";
# Manifest files
~*application/manifest\+json "public";
~*text/cache-manifest ""; # `no-cache` (*)
# Assets
~*image/svg\+xml "public, immutable, stale-while-revalidate";
# Data interchange
~*application/(atom|rdf|rss)\+xml "public, stale-while-revalidate";
# Documents
~*text/html "private, must-revalidate";
~*text/markdown "private, must-revalidate";
~*text/calendar "private, must-revalidate";
# Data
~*json ""; # `no-cache` (*)
~*xml ""; # `no-cache` (*)
}
# Add X-Frame-Options for HTML documents.
# h5bp/security/x-frame-options.conf
map $sent_http_content_type $x_frame_options {
~*text/html DENY;
}
# Add Content-Security-Policy for HTML documents.
# h5bp/security/content-security-policy.conf
map $sent_http_content_type $content_security_policy {
~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests";
}
# Add Permissions-Policy for HTML documents.
# h5bp/security/permissions-policy.conf
map $sent_http_content_type $permissions_policy {
~*text/(html|javascript)|application/pdf|xml "accelerometer=(),autoplay=(),browsing-topics=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()";
}
# Add Referrer-Policy for HTML documents.
# h5bp/security/referrer-policy.conf
map $sent_http_content_type $referrer_policy {
~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin";
}
# Add Cross-Origin-Policies for HTML documents.
# h5bp/security/cross-origin-policy.conf
# Cross-Origin-Embedder-Policy
map $sent_http_content_type $coep_policy {
~*text/(html|javascript)|application/pdf|xml "require-corp";
}
# Cross-Origin-Opener-Policy
map $sent_http_content_type $coop_policy {
~*text/(html|javascript)|application/pdf|xml "same-origin";
}
# Cross-Origin-Resource-Policy
map $sent_http_content_type $corp_policy {
~*text/(html|javascript)|application/pdf|xml "same-origin";
}
# Add Access-Control-Allow-Origin.
# h5bp/cross-origin/requests.conf
map $sent_http_content_type $cors {
# Images
~*image/ "*";
# Web fonts
~*font/ "*";
~*application/vnd.ms-fontobject "*";
~*application/x-font-ttf "*";
~*application/font-woff "*";
~*application/x-font-woff "*";
~*application/font-woff2 "*";
}
# Include files in the conf.d folder.
# `server` configuration files should be placed in the conf.d folder.
# The configurations should be disabled by prefixing files with a dot.
include conf.d/*.conf;
}