├── .editorconfig ├── LICENSE ├── README.md ├── alpine ├── Dockerfile ├── Makefile └── README.md ├── amazonlinux ├── Dockerfile ├── Makefile └── README.md ├── centos ├── Dockerfile ├── Makefile └── README.md └── nginx ├── .gitignore ├── Makefile ├── REAMDE.md ├── alpine └── Dockerfile ├── amazonlinux └── Dockerfile ├── centos └── Dockerfile └── shared ├── docker-entrypoint.d ├── 10-listen-on-ipv6-by-default.sh └── 20-envsubst-on-templates.sh ├── docker-entrypoint.sh └── nginx ├── conf.d └── default.conf ├── h5bp ├── basic.conf ├── cross-origin │ ├── requests.conf │ └── resource_timing.conf ├── errors │ └── custom_errors.conf ├── internet_explorer │ └── x-ua-compatible.conf ├── location │ ├── security_file_access.conf │ ├── web_performance_filename-based_cache_busting.conf │ └── web_performance_svgz-compression.conf ├── media_types │ ├── character_encodings.conf │ └── media_types.conf ├── security │ ├── content-security-policy.conf │ ├── referrer-policy.conf │ ├── server_software_information.conf │ ├── strict-transport-security.conf │ ├── x-content-type-options.conf │ ├── x-frame-options.conf │ └── x-xss-protection.conf ├── ssl │ ├── certificate_files.conf │ ├── ocsp_stapling.conf │ ├── policy_deprecated.conf │ ├── policy_fips.conf │ ├── policy_intermediate.conf │ ├── policy_modern.conf │ └── ssl_engine.conf └── web_performance │ ├── cache-file-descriptors.conf │ ├── cache_expiration.conf │ ├── compression.conf │ ├── content_transformation.conf │ ├── pre-compressed_content_brotli.conf │ └── pre-compressed_content_gzip.conf ├── mime.types └── nginx.conf /.editorconfig: -------------------------------------------------------------------------------- 1 | # EditorConfig is awesome: https://EditorConfig.org 2 | 3 | # top-most EditorConfig file 4 | root = true 5 | 6 | # Unix-style newlines with a newline ending every file 7 | [*] 8 | end_of_line = lf 9 | insert_final_newline = true 10 | 11 | # Matches multiple files with brace expansion notation 12 | # Set default charset 
13 | [*.{js,py}] 14 | charset = utf-8 15 | 16 | # 4 space indentation 17 | [*.py] 18 | indent_style = space 19 | indent_size = 4 20 | 21 | # Tab indentation (no size specified) 22 | [Makefile] 23 | indent_style = tab 24 | 25 | # Indentation override for all JS under lib directory 26 | [lib/**.js] 27 | indent_style = space 28 | indent_size = 2 29 | 30 | # Matches the exact files either package.json or .travis.yml 31 | [{package.json,.travis.yml}] 32 | indent_style = space 33 | indent_size = 2 34 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2020 Alex Rhea 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 
22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # FIPS 140-2 Compliant Docker Images 2 | 3 | This repository contains sample implementations of container images built on FIPS 140-2 validated cryptographic modules. FIPS mode is a property of the whole stack, not of the image alone: the containers need to run on a host operating system that has FIPS 140-2 enabled (a container uses the host's kernel, so the kernel FIPS state visible at `/proc/sys/crypto/fips_enabled` is inherited from the host), and the software inside the container must actually link against the FIPS-enabled OpenSSL. 4 | 5 | - [Alpine Linux](./alpine/) - Compiles the FIPS 140-2 compliant OpenSSL 1.0.2k-fips on Alpine (note that the OpenSSL 1.0.2 branch is end-of-life upstream and no longer receives public security fixes) 6 | - [Amazon Linux 2](./amazonlinux/) - Installs the FIPS 140-2 compliant OpenSSL and `dracut-fips` package 7 | - [CentOS 7](./centos/) - Installs the FIPS 140-2 compliant OpenSSL and `dracut-fips` package 8 | - [NGINX](./nginx/) - Compiles NGINX using a FIPS 140-2 compliant version of OpenSSL 9 | 10 | ## Usage 11 | 12 | These are reference implementations and have not been validated by NIST, FedRAMP, or DoD CC SRG accreditation bodies. I recommend working with your security organization, a Third Party Assessment Organization (3PAO), or your authorizing official (AO) before relying on them inside a compliance boundary. 13 | 14 | For deployment, I recommend building and storing these images within your own environment (your own registry) so that you control building, testing, vulnerability scanning, and rebuilding when the base images or OpenSSL receive fixes. 15 | 16 | ## What is FIPS 140-2? 17 | 18 | The Federal Information Processing Standard Publication 140-2 (FIPS PUB 140-2) is a U.S. government computer security standard used to approve cryptographic modules. The title is Security Requirements for Cryptographic Modules. Initial publication was on May 25, 2001 and it was last updated December 3, 2002. FIPS 140-2 has since been superseded by FIPS 140-3, so check the current CMVP status of the specific modules you deploy. 19 | 20 | For more information, visit the [FIPS 140-2 Wikipedia Page](https://en.wikipedia.org/wiki/FIPS_140-2). 21 | 22 | ## License 23 | 24 | This library is licensed under the MIT License (the [LICENSE file](./LICENSE) carries the standard MIT text). 
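25 | -------------------------------------------------------------------------------- /alpine/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM alpine:3 2 | 3 | # OpenSSL FIPS Object Module (the validated module). Integrity is pinned by the sha256 below; the .asc signature is downloaded but NOT verified here -- add a pinned OpenSSL release key and `gpg --verify` before relying on this build beyond a reference image. 4 | ARG OPENSSL_FIPS_VERSION=2.0.16 5 | ARG OPENSSL_FIPS_HASH=a3cd13d0521d22dd939063d3b4a0d4ce24494374b91408a05bdaca8b681c63d4 6 | 7 | # OpenSSL 1.0.2 (the branch the FIPS 2.0 module links against). The 1.0.2 branch is end-of-life upstream, so track the module's validation status and rebuild deliberately. 8 | ARG OPENSSL_VERSION=1.0.2k 9 | ARG OPENSSL_HASH=6b3977c61f2aedf0f96367dcfb5c6e578cf37e7b8d913b4ecb6643c3cb88d8c0 10 | 11 | RUN apk update \ 12 | && mkdir -p /tmp \ 13 | && cd /tmp \ 14 | && apk add --no-cache ca-certificates \ 15 | && apk add --no-cache --virtual .build-deps \ 16 | wget \ 17 | gcc \ 18 | gzip \ 19 | tar \ 20 | libc-dev \ 21 | ca-certificates \ 22 | perl \ 23 | make \ 24 | coreutils \ 25 | linux-headers \ 26 | zlib-dev \ 27 | gnupg \ 28 | && wget --quiet https://www.openssl.org/source/openssl-fips-$OPENSSL_FIPS_VERSION.tar.gz \ 29 | && wget --quiet https://www.openssl.org/source/openssl-fips-$OPENSSL_FIPS_VERSION.tar.gz.asc \ 30 | && echo "$OPENSSL_FIPS_HASH  openssl-fips-$OPENSSL_FIPS_VERSION.tar.gz" | sha256sum -c - \ 31 | && tar -xzf openssl-fips-$OPENSSL_FIPS_VERSION.tar.gz \ 32 | && cd openssl-fips-$OPENSSL_FIPS_VERSION \ 33 | && ./config \ 34 | && make \ 35 | && make install \ 36 | && cd /tmp \ 37 | && wget --quiet https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz \ 38 | && wget --quiet https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz.asc \ 39 | && echo "$OPENSSL_HASH  openssl-$OPENSSL_VERSION.tar.gz" | sha256sum -c - \ 40 | && tar -xzf openssl-$OPENSSL_VERSION.tar.gz \ 41 | && cd openssl-$OPENSSL_VERSION \ 42 | && perl ./Configure linux-x86_64 \ 43 | --with-fipsdir=/usr/local/ssl/fips-2.0 \ 44 | fips shared no-ssl2 no-ssl3 \ 45 | && make \ 46 | && make install \ 47 | && ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl \ 48 | && rm -rf /tmp \ 49 | && apk del .build-deps 50 | # OPENSSL_FIPS=1 is honoured by the openssl command-line tool (it switches itself into FIPS mode at startup); applications linked against this libcrypto must enable FIPS mode themselves. The FIPS build goes first on PATH with a single ':' separator -- an empty PATH entry would mean "search the current directory". 51 | ENV OPENSSL_FIPS 1 52 | ENV PATH 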
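/usr/local/ssl/bin:$PATH 53 | 54 | -------------------------------------------------------------------------------- /alpine/Makefile: -------------------------------------------------------------------------------- 1 | 2 | IMAGE_REGISTRY=073455283520.dkr.ecr.us-east-2.amazonaws.com 3 | IMAGE_NAME:=fips/alpine 4 | IMAGE_TAG:=3 5 | 6 | build: 7 | @docker image build \ 8 | --no-cache \ 9 | -t $(IMAGE_NAME):$(IMAGE_TAG) \ 10 | -t $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) . 11 | 12 | build-dev: 13 | @docker image build \ 14 | -t $(IMAGE_NAME):$(IMAGE_TAG) \ 15 | -t $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) . 16 | 17 | push: build 18 | @docker image push $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) 19 | 20 | clean: 21 | @docker image rm $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) 22 | @docker image rm $(IMAGE_NAME):$(IMAGE_TAG) 23 | 24 | # The openssl on PATH must be the -fips build, and with OPENSSL_FIPS=1 set it must refuse MD5 (not a FIPS-approved digest); a plain `openssl version` alone would also pass against the stock Alpine binary. 25 | test: 26 | @docker container run --rm -it $(IMAGE_NAME):$(IMAGE_TAG) openssl version 27 | @docker container run --rm $(IMAGE_NAME):$(IMAGE_TAG) sh -c 'openssl version | grep -q fips' 28 | @docker container run --rm $(IMAGE_NAME):$(IMAGE_TAG) sh -c '! openssl md5 /dev/null' 29 | -------------------------------------------------------------------------------- /alpine/README.md: -------------------------------------------------------------------------------- 1 | # Alpine Linux with FIPS Support 2 | 3 | This repository will build a FIPS 140-2 compliant OpenSSL version, `1.0.2k-fips`, on top of [alpine:3](https://hub.docker.com/_/alpine). It will not replace the existing OpenSSL version because that will interfere with `apk` and could get overwritten. Instead, the FIPS build is installed under `/usr/local/ssl` and placed first on the PATH. Only software built against `/usr/local/ssl` (as the nginx image in this repository is) uses it; anything linked against Alpine's packaged OpenSSL is not running in FIPS mode. 4 | 5 | ## Building 6 | 7 | | Options | Default | Supported Values | Description | 8 | |---|---|---|---| 9 | | IMAGE_REGISTRY | `073455283520.dkr.ecr.us-east-2.amazonaws.com` | Any Docker Registry | The URL of the Docker registry to push the images. | 10 | | IMAGE_NAME | `fips/alpine` | Any | The name of the image repository within the Docker registry. | 11 | | IMAGE_TAG | `3` | Any | The image tag associated with the build. 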
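| 12 | 13 | ```bash 14 | make build 15 | ``` 16 | -------------------------------------------------------------------------------- /amazonlinux/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM amazonlinux:2 2 | 3 | # NOTE(review): dracut-fips builds FIPS support into a host initramfs; inside a container the kernel is the host's, so this package cannot switch FIPS mode on by itself -- the host must be booted in FIPS mode (see the top-level README). OPENSSL_FIPS=1 below is honoured by the openssl command-line tool; confirm on the host that /proc/sys/crypto/fips_enabled reads 1. 4 | RUN yum update -y \ 5 | && yum install -y dracut-fips openssl \ 6 | && yum clean all \ 7 | && rm -rf /var/cache/yum 8 | 9 | ENV OPENSSL_FIPS=1 10 | -------------------------------------------------------------------------------- /amazonlinux/Makefile: -------------------------------------------------------------------------------- 1 | # Defaults match this directory's README and ../nginx/amazonlinux/Dockerfile, which pulls FROM $(IMAGE_REGISTRY)/fips/amazonlinux:2. 2 | IMAGE_REGISTRY=073455283520.dkr.ecr.us-east-2.amazonaws.com 3 | IMAGE_NAME:=fips/amazonlinux 4 | IMAGE_TAG:=2 5 | 6 | build: 7 | @docker image build \ 8 | --no-cache \ 9 | -t $(IMAGE_NAME):$(IMAGE_TAG) \ 10 | -t $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) . 11 | 12 | build-dev: 13 | @docker image build \ 14 | -t $(IMAGE_NAME):$(IMAGE_TAG) \ 15 | -t $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) . 16 | 17 | push: build 18 | @docker image push $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) 19 | 20 | clean: 21 | @docker image rm $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) 22 | @docker image rm $(IMAGE_NAME):$(IMAGE_TAG) 23 | 24 | test: 25 | @docker container run --rm -it $(IMAGE_NAME):$(IMAGE_TAG) openssl version 26 | -------------------------------------------------------------------------------- /amazonlinux/README.md: -------------------------------------------------------------------------------- 1 | # Amazon Linux 2 in FIPS Mode 2 | 3 | This repository uses the [amazonlinux:2](https://hub.docker.com/_/amazonlinux) base image and adds the `dracut-fips` and `openssl` packages to make a FIPS 140-2 compliant base image. The container inherits FIPS mode from the host kernel, so it must run on a host that is booted in FIPS mode. 4 | 5 | ## Building 6 | 7 | | Options | Default | Supported Values | Description | 8 | |---|---|---|---| 9 | | IMAGE_REGISTRY | `073455283520.dkr.ecr.us-east-2.amazonaws.com` | Any Docker Registry | The URL of the Docker registry to push the images. | 10 | | IMAGE_NAME | `fips/amazonlinux` | Any | The name of the image repository within the Docker registry. | 11 | | IMAGE_TAG | `2` | Any | The image tag associated with the build. 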
| 12 | 13 | ```bash 14 | make build 15 | ``` 16 | -------------------------------------------------------------------------------- /centos/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM centos:7 2 | 3 | RUN yum update -y \ 4 | && yum install -y dracut-fips openssl \ 5 | && yum clean all \ 6 | && rm -rf /var/cache/yum 7 | 8 | ENV OPENSSL_FIPS=1 9 | -------------------------------------------------------------------------------- /centos/Makefile: -------------------------------------------------------------------------------- 1 | 2 | IMAGE_REGISTRY=073455283520.dkr.ecr.us-east-2.amazonaws.com 3 | IMAGE_NAME:=fips/centos 4 | IMAGE_TAG:=7 5 | 6 | build: 7 | @docker image build \ 8 | --no-cache \ 9 | -t $(IMAGE_NAME):$(IMAGE_TAG) \ 10 | -t $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) . 11 | 12 | build-dev: 13 | @docker image build \ 14 | -t $(IMAGE_NAME):$(IMAGE_TAG) \ 15 | -t $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) . 16 | 17 | push: build 18 | @docker image push $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) 19 | 20 | clean: 21 | @docker image rm $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) 22 | @docker image rm $(IMAGE_NAME):$(IMAGE_TAG) 23 | 24 | test: 25 | @docker container run --rm -it $(IMAGE_NAME):$(IMAGE_TAG) openssl version 26 | @docker container run --rm -it $(IMAGE_NAME):$(IMAGE_TAG) printenv 27 | -------------------------------------------------------------------------------- /centos/README.md: -------------------------------------------------------------------------------- 1 | # CentOS in FIPS Mode 2 | 3 | This repository uses the [centos:7](https://hub.docker.com/_/centos) base image and adds the `dracut-fips` and `openssl` to make an FIPS 140-2 compliant base image. 
4 | 5 | ## Building 6 | 7 | | Options | Default | Supported Values | Description | 8 | |---|---|---| 9 | | IMAGE_REGISTRY | `073455283520.dkr.ecr.us-east-2.amazonaws.com` | Any Docker Registry | The URL of the Docker registry to push the images. | 10 | | IMAGE_NAME | `fips/centos` | Any | The name of the image repository within the Docker registry. | 11 | | IMAGE_TAG | `7` | Any | The image tag associated with the build. | 12 | 13 | ```bash 14 | make build 15 | ``` 16 | -------------------------------------------------------------------------------- /nginx/.gitignore: -------------------------------------------------------------------------------- 1 | default.crt 2 | default.key 3 | default.conf 4 | -------------------------------------------------------------------------------- /nginx/Makefile: -------------------------------------------------------------------------------- 1 | 2 | DISTRO_NAME=alpine 3 | IMAGE_REGISTRY=073455283520.dkr.ecr.us-east-2.amazonaws.com 4 | IMAGE_NAME:=fips/nginx 5 | IMAGE_TAG:=1.17-$(DISTRO_NAME) 6 | NGINX_VERSION=1.17.10 7 | 8 | define DEFAULT_SERVER_CONFIG 9 | server { 10 | listen [::]:80 default_server; 11 | listen 80 default_server; 12 | 13 | server_name _; 14 | 15 | return 301 https://$$host$$request_uri; 16 | } 17 | 18 | server { 19 | listen [::]:443 ssl http2; 20 | listen 443 ssl http2; 21 | 22 | server_name _; 23 | 24 | # SSL Configuration 25 | include h5bp/ssl/ssl_engine.conf; 26 | include h5bp/ssl/certificate_files.conf; 27 | include h5bp/ssl/policy_fips.conf; 28 | 29 | # Custom error pages 30 | include h5bp/errors/custom_errors.conf; 31 | 32 | # Include the basic h5bp config set 33 | include h5bp/basic.conf; 34 | 35 | # Path for static files 36 | location / { 37 | root /usr/share/nginx/html; 38 | index index.html index.htm; 39 | } 40 | } 41 | endef 42 | 43 | export DEFAULT_SERVER_CONFIG 44 | 45 | build: 46 | @docker image build \ 47 | -f ./$(DISTRO_NAME)/Dockerfile \ 48 | -t $(IMAGE_NAME):$(IMAGE_TAG) \ 49 | --build-arg 
NGINX_VERSION=$(NGINX_VERSION) \ 50 | -t $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) . 51 | 52 | build-dev: 53 | @docker image build \ 54 | -f ./$(DISTRO_NAME)/Dockerfile \ 55 | -t $(IMAGE_NAME):$(IMAGE_TAG) \ 56 | --build-arg NGINX_VERSION=$(NGINX_VERSION) \ 57 | -t $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) . 58 | 59 | push: build 60 | @docker image push $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) 61 | 62 | clean: 63 | @docker image rm $(IMAGE_REGISTRY)/$(IMAGE_NAME):$(IMAGE_TAG) 64 | @docker image rm $(IMAGE_NAME):$(IMAGE_TAG) 65 | 66 | gen-certs: 67 | ifeq (,$(wildcard ./default.key)) 68 | openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout default.key -out default.crt 69 | endif 70 | 71 | gen-conf: 72 | @echo "$$DEFAULT_SERVER_CONFIG" > default.conf 73 | 74 | test: gen-certs gen-conf 75 | @docker container run --rm --name=fips-nginx \ 76 | -p 8080:80 \ 77 | -p 8443:443 \ 78 | -v $(shell pwd)/default.conf:/etc/nginx/conf.d/default.conf \ 79 | -v $(shell pwd)/default.crt:/etc/nginx/certs/default.crt \ 80 | -v $(shell pwd)/default.key:/etc/nginx/certs/default.key \ 81 | $(IMAGE_NAME):$(IMAGE_TAG) 82 | -------------------------------------------------------------------------------- /nginx/REAMDE.md: -------------------------------------------------------------------------------- 1 | # NGINX 2 | 3 | This container is based on the [official NGINX container image](https://github.com/nginxinc/docker-nginx) from the open source NGINX project. This container also contains the [NGINX configuration from the H5BP project](https://github.com/h5bp/server-configs-nginx). This configuration contains best practice configurations, optimizations, and security helpers. 4 | 5 | ## Usage 6 | 7 | To create a FIPS compliant endpoint, first create an OpenSSL certificate with a FIPS enabled installation of OpenSSL. 
8 | 9 | ```bash 10 | openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout default.key -out default.crt 11 | ``` 12 | The command above produces a self-signed certificate and, because of `-nodes`, an unencrypted private key. That is fine for local testing; a production endpoint should use a CA-issued certificate, and the key file should be readable only by the user that runs nginx. 13 | Then create a configuration for the server that matches your specifications. 14 | 15 | ```text 16 | # default.conf 17 | 18 | server { 19 | listen [::]:80 default_server; 20 | listen 80 default_server; 21 | 22 | server_name _; 23 | 24 | return 301 https://$host$request_uri; 25 | } 26 | 27 | server { 28 | listen [::]:443 ssl http2; 29 | listen 443 ssl http2; 30 | 31 | server_name _; 32 | 33 | # SSL Configuration 34 | include h5bp/ssl/ssl_engine.conf; 35 | include h5bp/ssl/certificate_files.conf; 36 | include h5bp/ssl/policy_fips.conf; 37 | 38 | # Custom error pages 39 | include h5bp/errors/custom_errors.conf; 40 | 41 | # Include the basic h5bp config set 42 | include h5bp/basic.conf; 43 | 44 | # Path for static files 45 | location / { 46 | root /usr/share/nginx/html; 47 | index index.html index.htm; 48 | } 49 | } 50 | ``` 51 | 52 | Now that we have a configuration, run the container. The mounts are read-only (`:ro`) so that the container cannot modify the key or the configuration, and the image tag matches the Makefile default (`1.17-$(DISTRO_NAME)`). 53 | 54 | ```bash 55 | docker container run --rm --name=fips-nginx \ 56 | -p 8443:443 \ 57 | -v $(pwd)/default.crt:/etc/nginx/certs/default.crt:ro \ 58 | -v $(pwd)/default.key:/etc/nginx/certs/default.key:ro \ 59 | -v $(pwd)/default.conf:/etc/nginx/conf.d/default.conf:ro \ 60 | fips/nginx:1.17-alpine 61 | ``` 62 | 63 | ## Building 64 | 65 | This image supports multiple base images and different configurations. 66 | 67 | | Options | Default | Supported Values | Description | 68 | |---|---|---|---| 69 | | DISTRO_NAME | `alpine` | `alpine`, `centos`, `amazonlinux` | Configure which base image to use for the nginx container. | 70 | | IMAGE_REGISTRY | `073455283520.dkr.ecr.us-east-2.amazonaws.com` | Any Docker Registry | The URL of the Docker registry to push the images. | 71 | | IMAGE_NAME | `fips/nginx` | Any | The name of the image repository within the Docker registry. | 72 | | IMAGE_TAG | `1.17-$(DISTRO_NAME)` | Any | The image tag associated with the build. 
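| 73 | | NGINX_VERSION | `1.17.10` | [Versions](https://nginx.org/en/download.html) | The NGINX version to build. | 74 | 75 | ```bash 76 | make DISTRO_NAME=alpine build 77 | make DISTRO_NAME=centos build 78 | make DISTRO_NAME=amazonlinux build 79 | ``` 80 | -------------------------------------------------------------------------------- /nginx/alpine/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM 073455283520.dkr.ecr.us-east-2.amazonaws.com/fips/alpine:3 2 | # NGINX_SHA256 is the sha256 of nginx-$NGINX_VERSION.tar.gz taken from the upstream-signed release. When set, the download below is checked against it; when left empty the tarball is fetched over HTTPS but is otherwise unauthenticated. 3 | ARG NGINX_VERSION=1.17.10 4 | ARG NGINX_SHA256= 5 | RUN mkdir -p /tmp \ 6 | && cd /tmp \ 7 | && addgroup -g 101 -S nginx \ 8 | && adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx \ 9 | && apk add --no-cache gnupg gzip perl pcre zlib ca-certificates tzdata \ 10 | && apk add --no-cache --virtual .build-deps \ 11 | wget \ 12 | gcc \ 13 | libc-dev \ 14 | make \ 15 | tar \ 16 | linux-headers \ 17 | libxslt-dev \ 18 | gd-dev \ 19 | geoip-dev \ 20 | perl-dev \ 21 | libedit-dev \ 22 | bash \ 23 | alpine-sdk \ 24 | findutils \ 25 | pcre-dev \ 26 | zlib-dev \ 27 | coreutils \ 28 | && wget --quiet https://nginx.org/download/nginx-$NGINX_VERSION.tar.gz \ 29 | && { [ -z "$NGINX_SHA256" ] || echo "$NGINX_SHA256  nginx-$NGINX_VERSION.tar.gz" | sha256sum -c -; } \ 30 | && tar -xzf nginx-$NGINX_VERSION.tar.gz \ 31 | && cd nginx-$NGINX_VERSION \ 32 | && ./configure \ 33 | --prefix=/etc/nginx \ 34 | --sbin-path=/usr/sbin/nginx \ 35 | --modules-path=/usr/lib/nginx/modules \ 36 | --conf-path=/etc/nginx/nginx.conf \ 37 | --error-log-path=/var/log/nginx/error.log \ 38 | --pid-path=/var/run/nginx.pid \ 39 | --lock-path=/var/run/nginx.lock \ 40 | --with-select_module \ 41 | --with-poll_module \ 42 | --with-threads \ 43 | --with-file-aio \ 44 | --with-http_ssl_module \ 45 | --with-http_v2_module \ 46 | --with-http_realip_module \ 47 | --with-http_addition_module \ 48 | --with-http_xslt_module=dynamic \ 49 | --with-http_image_filter_module=dynamic \ 50 | --with-http_geoip_module=dynamic \ 51 | --with-http_sub_module \ 52 | --with-http_dav_module \ 53 | 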
--with-http_flv_module \ 54 | --with-http_mp4_module \ 55 | --with-http_gunzip_module \ 56 | --with-http_gzip_static_module \ 57 | --with-http_auth_request_module \ 58 | --with-http_random_index_module \ 59 | --with-http_secure_link_module \ 60 | --with-http_degradation_module \ 61 | --with-http_slice_module \ 62 | --with-http_stub_status_module \ 63 | --with-http_perl_module=dynamic \ 64 | --with-perl=/usr/bin/perl \ 65 | --http-log-path=/var/log/nginx/access.log \ 66 | --http-client-body-temp-path=/var/cache/nginx/client_temp \ 67 | --http-proxy-temp-path=/var/cache/nginx/proxy_temp \ 68 | --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp \ 69 | --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp \ 70 | --http-scgi-temp-path=/var/cache/nginx/scgi_temp \ 71 | --with-mail=dynamic \ 72 | --with-mail_ssl_module \ 73 | --with-stream=dynamic \ 74 | --with-stream_ssl_module \ 75 | --with-stream_realip_module \ 76 | --with-stream_geoip_module=dynamic \ 77 | --with-stream_ssl_preread_module \ 78 | --with-compat \ 79 | --user=nginx \ 80 | --group=nginx \ 81 | --with-ld-opt="-L/usr/local/ssl/lib -Wl,-rpath,/usr/local/ssl/lib -lssl -lcrypto -ldl -lz" \ 82 | --with-cc-opt="-I/usr/local/ssl/include" \ 83 | && make \ 84 | && make install \ 85 | && cd /root \ 86 | && apk del .build-deps \ 87 | && rm -rf /tmp \ 88 | && apk add --no-cache curl tzdata ca-certificates \ 89 | && ln -sf /dev/stdout /var/log/nginx/access.log \ 90 | && ln -sf /dev/stderr /var/log/nginx/error.log \ 91 | && mkdir -p /usr/share/nginx \ 92 | && mkdir -p /var/cache/nginx \ 93 | && mv /etc/nginx/html /usr/share/nginx/html \ 94 | && chown nginx:nginx -R /usr/share/nginx \ 95 | && chown nginx:nginx -R /var/cache/nginx \ 96 | && rm -f /etc/nginx/*.default 97 | 98 | COPY shared/nginx/nginx.conf /etc/nginx/nginx.conf 99 | COPY shared/nginx/mime.types /etc/nginx/mime.types 100 | COPY shared/nginx/h5bp /etc/nginx/h5bp 101 | COPY shared/nginx/conf.d /etc/nginx/conf.d 102 | COPY shared/docker-entrypoint.sh / 103 | 
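COPY shared/docker-entrypoint.d /docker-entrypoint.d 104 | 105 | ENTRYPOINT ["/docker-entrypoint.sh"] 106 | 107 | EXPOSE 80 443 108 | 109 | STOPSIGNAL SIGTERM 110 | 111 | CMD ["nginx", "-g", "daemon off;"] 112 | -------------------------------------------------------------------------------- /nginx/amazonlinux/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM 073455283520.dkr.ecr.us-east-2.amazonaws.com/fips/amazonlinux:2 2 | 3 | ARG NGINX_VERSION=1.17.10 4 | 5 | # nginx.org packages are GPG-signed; gpgcheck=1 plus the published signing key makes yum refuse an unsigned or tampered package (gpgcheck=0 would skip that check entirely). 6 | RUN echo "[nginx]" > /etc/yum.repos.d/nginx.repo \ 7 | && echo "name=nginx repo" >> /etc/yum.repos.d/nginx.repo \ 8 | && echo "baseurl=https://nginx.org/packages/mainline/centos/7/\$basearch/" >> /etc/yum.repos.d/nginx.repo \ 9 | && echo "gpgcheck=1" >> /etc/yum.repos.d/nginx.repo \ 10 | && echo "gpgkey=https://nginx.org/keys/nginx_signing.key" >> /etc/yum.repos.d/nginx.repo \ 11 | && echo "enabled=1" >> /etc/yum.repos.d/nginx.repo \ 12 | && yum update -y \ 13 | && yum install -y nginx-$NGINX_VERSION openssl dracut-fips \ 14 | && ln -sf /dev/stdout /var/log/nginx/access.log \ 15 | && ln -sf /dev/stderr /var/log/nginx/error.log 16 | 17 | COPY shared/nginx/nginx.conf /etc/nginx/nginx.conf 18 | COPY shared/nginx/mime.types /etc/nginx/mime.types 19 | COPY shared/nginx/h5bp /etc/nginx/h5bp 20 | COPY shared/nginx/conf.d /etc/nginx/conf.d 21 | COPY shared/docker-entrypoint.sh / 22 | COPY shared/docker-entrypoint.d /docker-entrypoint.d 23 | 24 | ENTRYPOINT ["/docker-entrypoint.sh"] 25 | 26 | EXPOSE 80 443 27 | 28 | STOPSIGNAL SIGTERM 29 | 30 | CMD ["nginx", "-g", "daemon off;"] 31 | -------------------------------------------------------------------------------- /nginx/centos/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM 073455283520.dkr.ecr.us-east-2.amazonaws.com/fips/centos:7 2 | 3 | ARG NGINX_VERSION=1.17.10 4 | 5 | RUN echo "[nginx]" > /etc/yum.repos.d/nginx.repo \ 6 | && echo "name=nginx repo" >> /etc/yum.repos.d/nginx.repo \ 7 | && echo 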
"baseurl=https://nginx.org/packages/mainline/centos/7/\$basearch/" >> /etc/yum.repos.d/nginx.repo \ 8 | && echo "gpgcheck=0" >> /etc/yum.repos.d/nginx.repo \ 9 | && echo "enabled=1" >> /etc/yum.repos.d/nginx.repo \ 10 | && echo "name=nginx repo" >> /etc/yum.repos.d/nginx.repo \ 11 | && yum update -y \ 12 | && yum install -y nginx-$NGINX_VERSION openssl dracut-fips \ 13 | && ln -sf /dev/stdout /var/log/nginx/access.log \ 14 | && ln -sf /dev/stderr /var/log/nginx/error.log 15 | 16 | COPY shared/nginx/nginx.conf /etc/nginx/nginx.conf 17 | COPY shared/nginx/mime.types /etc/nginx/mime.types 18 | COPY shared/nginx/h5bp /etc/nginx/h5bp 19 | COPY shared/nginx/conf.d /etc/nginx/conf.d 20 | COPY shared/docker-entrypoint.sh / 21 | COPY shared/docker-entrypoint.d /docker-entrypoint.d 22 | 23 | ENTRYPOINT ["/docker-entrypoint.sh"] 24 | 25 | EXPOSE 80 26 | 27 | STOPSIGNAL SIGTERM 28 | 29 | CMD ["nginx", "-g", "daemon off;"] 30 | -------------------------------------------------------------------------------- /nginx/shared/docker-entrypoint.d/10-listen-on-ipv6-by-default.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # vim:sw=4:ts=4:et 3 | 4 | set -e 5 | 6 | ME=$(basename $0) 7 | DEFAULT_CONF_FILE="etc/nginx/conf.d/default.conf" 8 | 9 | # check if we have ipv6 available 10 | if [ ! -f "/proc/net/if_inet6" ]; then 11 | echo "$ME: ipv6 not available, exiting" 1>&2 12 | exit 0 13 | fi 14 | 15 | if [ ! -f "/$DEFAULT_CONF_FILE" ]; then 16 | echo "$ME: /$DEFAULT_CONF_FILE is not a file or does not exist, exiting" 1>&2 17 | exit 0 18 | fi 19 | 20 | # check if the file is already modified, e.g. on a container restart 21 | grep -q "listen \[::]\:80;" /$DEFAULT_CONF_FILE && { echo "$ME: IPv6 listen already enabled, exiting"; exit 0; } 22 | 23 | if [ -f "/etc/os-release" ]; then 24 | . 
/etc/os-release 25 | else 26 | echo "$ME: can not guess the operating system, exiting" 1>&2 27 | exit 0 28 | fi 29 | 30 | echo "$ME: Getting the checksum of /$DEFAULT_CONF_FILE" 31 | 32 | case "$ID" in 33 | "debian") 34 | CHECKSUM=$(dpkg-query --show --showformat='${Conffiles}\n' nginx | grep $DEFAULT_CONF_FILE | cut -d' ' -f 3) 35 | echo "$CHECKSUM /$DEFAULT_CONF_FILE" | md5sum -c - >/dev/null 2>&1 || { 36 | echo "$ME: /$DEFAULT_CONF_FILE differs from the packaged version, exiting" 1>&2 37 | exit 0 38 | } 39 | ;; 40 | "alpine") 41 | CHECKSUM=$(apk manifest nginx 2>/dev/null| grep $DEFAULT_CONF_FILE | cut -d' ' -f 1 | cut -d ':' -f 2) 42 | echo "$CHECKSUM /$DEFAULT_CONF_FILE" | sha1sum -c - >/dev/null 2>&1 || { 43 | echo "$ME: /$DEFAULT_CONF_FILE differs from the packages version, exiting" 1>&2 44 | exit 0 45 | } 46 | ;; 47 | *) 48 | echo "$ME: Unsupported distribution, exiting" 1>&2 49 | exit 0 50 | ;; 51 | esac 52 | 53 | # enable ipv6 on default.conf listen sockets 54 | sed -i -E 's,listen 80;,listen 80;\n listen [::]:80;,' /$DEFAULT_CONF_FILE 55 | 56 | echo "$ME: Enabled listen on IPv6 in /$DEFAULT_CONF_FILE" 57 | 58 | exit 0 59 | -------------------------------------------------------------------------------- /nginx/shared/docker-entrypoint.d/20-envsubst-on-templates.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | set -e 4 | 5 | ME=$(basename $0) 6 | 7 | auto_envsubst() { 8 | local template_dir="${NGINX_ENVSUBST_TEMPLATE_DIR:-/etc/nginx/templates}" 9 | local suffix="${NGINX_ENVSUBST_TEMPLATE_SUFFIX:-.template}" 10 | local output_dir="${NGINX_ENVSUBST_OUTPUT_DIR:-/etc/nginx/conf.d}" 11 | 12 | local template defined_envs relative_path output_path subdir 13 | defined_envs=$(printf '${%s} ' $(env | cut -d= -f1)) 14 | [ -d "$template_dir" ] || return 0 15 | if [ ! 
-w "$output_dir" ]; then 16 | echo "$ME: ERROR: $template_dir exists, but $output_dir is not writable, exiting" 1>&2 17 | return 0 18 | fi 19 | find "$template_dir" -follow -type f -name "*$suffix" -print | while read -r template; do 20 | relative_path="${template#$template_dir/}" 21 | output_path="$output_dir/${relative_path%$suffix}" 22 | subdir=$(dirname "$relative_path") 23 | # create a subdirectory where the template file exists 24 | mkdir -p "$output_dir/$subdir" 25 | echo "$ME: Running envsubst on $template to $output_path" 26 | envsubst "$defined_envs" < "$template" > "$output_path" 27 | done 28 | } 29 | 30 | auto_envsubst 31 | 32 | exit 0 33 | -------------------------------------------------------------------------------- /nginx/shared/docker-entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env sh 2 | # vim:sw=4:ts=4:et 3 | 4 | set -e 5 | 6 | if [ "$1" = "nginx" -o "$1" = "nginx-debug" ]; then 7 | if /usr/bin/find "/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then 8 | echo "$0: /docker-entrypoint.d/ is not empty, will attempt to perform configuration" 9 | 10 | echo "$0: Looking for shell scripts in /docker-entrypoint.d/" 11 | find "/docker-entrypoint.d/" -follow -type f -print | sort -n | while read -r f; do 12 | case "$f" in 13 | *.sh) 14 | if [ -x "$f" ]; then 15 | echo "$0: Launching $f"; 16 | "$f" 17 | else 18 | # warn on shell scripts without exec bit 19 | echo "$0: Ignoring $f, not executable"; 20 | fi 21 | ;; 22 | *) echo "$0: Ignoring $f";; 23 | esac 24 | done 25 | 26 | echo "$0: Configuration complete; ready for start up" 27 | else 28 | echo "$0: No files found in /docker-entrypoint.d/, skipping configuration" 29 | fi 30 | fi 31 | 32 | exec "$@" 33 | -------------------------------------------------------------------------------- /nginx/shared/nginx/conf.d/default.conf: 
-------------------------------------------------------------------------------- 1 | server { 2 | listen 80; 3 | server_name localhost; 4 | 5 | location / { 6 | root /usr/share/nginx/html; 7 | index index.html index.htm; 8 | } 9 | 10 | error_page 500 502 503 504 /50x.html; 11 | location = /50x.html { 12 | root /usr/share/nginx/html; 13 | } 14 | } 15 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/basic.conf: -------------------------------------------------------------------------------- 1 | # Nginx Server Configs | MIT License 2 | # https://github.com/h5bp/server-configs-nginx 3 | 4 | include h5bp/internet_explorer/x-ua-compatible.conf; 5 | include h5bp/security/referrer-policy.conf; 6 | include h5bp/security/x-content-type-options.conf; 7 | include h5bp/security/x-frame-options.conf; 8 | include h5bp/security/x-xss-protection.conf; 9 | include h5bp/location/security_file_access.conf; 10 | include h5bp/cross-origin/requests.conf; 11 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/cross-origin/requests.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Cross-origin requests | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Allow cross-origin requests. 6 | # 7 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS 8 | # https://enable-cors.org/ 9 | # https://www.w3.org/TR/cors/ 10 | 11 | # (!) Do not use this without understanding the consequences. 12 | # This will permit access from any other website. 
13 | # Instead of using this file, consider using a specific rule such as 14 | # allowing access based on a specific origin (the header value must be a full origin, i.e. scheme and host): 15 | # 16 | # add_header Access-Control-Allow-Origin "https://subdomain.example.com";
6 | # 7 | # https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page 8 | 9 | error_page 404 /404.html; 10 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/internet_explorer/x-ua-compatible.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Document modes | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Force Internet Explorer 8/9/10 to render pages in the highest mode 6 | # available in various cases when it may not. 7 | # 8 | # https://hsivonen.fi/doctype/#ie8 9 | # 10 | # (!) Starting with Internet Explorer 11, document modes are deprecated. 11 | # If your business still relies on older web apps and services that were 12 | # designed for older versions of Internet Explorer, you might want to 13 | # consider enabling `Enterprise Mode` throughout your company. 14 | # 15 | # https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode 16 | # https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/ 17 | # https://msdn.microsoft.com/en-us/library/ff955275.aspx 18 | 19 | add_header X-UA-Compatible $x_ua_compatible; 20 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/location/security_file_access.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | File access | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Block access to all hidden files and directories except for the 6 | # visible content from within the `/.well-known/` hidden directory. 
7 | # 8 | # These types of files usually contain user preferences or the preserved state 9 | # of a utility, and can include rather private places like, for example, the 10 | # `.git` or `.svn` directories. 11 | # 12 | # The `/.well-known/` directory represents the standard (RFC 5785) path prefix 13 | # for "well-known locations" (e.g.: `/.well-known/manifest.json`, 14 | # `/.well-known/keybase.txt`), and therefore, access to its visible content 15 | # should not be blocked. 16 | # 17 | # https://www.mnot.net/blog/2010/04/07/well-known 18 | # https://tools.ietf.org/html/rfc5785 19 | 20 | location ~* /\.(?!well-known\/) { 21 | deny all; 22 | } 23 | 24 | # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 25 | 26 | # Block access to files that can expose sensitive information. 27 | # 28 | # By default, block access to backup and source files that may be left by some 29 | # text editors and can pose a security risk when anyone has access to them. 30 | # 31 | # https://feross.org/cmsploit/ 32 | # 33 | # (!) Update the `location` regular expression from below to include any files 34 | # that might end up on your production server and can expose sensitive 35 | # information about your website. These files may include: configuration 36 | # files, files that contain metadata about the project (e.g.: project 37 | # dependencies, build scripts, etc.). 
38 | 39 | location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ { 40 | deny all; 41 | } 42 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/location/web_performance_filename-based_cache_busting.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Filename-based cache busting | 3 | # ---------------------------------------------------------------------- 4 | 5 | # If you're not using a build process to manage your filename version revving, 6 | # you might want to consider enabling the following directives. 7 | # 8 | # To understand why this is important and even a better solution than using 9 | # something like `*.css?v231`, please see: 10 | # https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/ 11 | 12 | location ~* (.+)\.(?:\w+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|png|svgz?|webp|webmanifest)$ { 13 | try_files $uri $1.$2; 14 | } 15 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/location/web_performance_svgz-compression.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | SVGZ Compression | 3 | # ---------------------------------------------------------------------- 4 | 5 | # SVGZ files are already compressed. 6 | # Disable gzip function for `.svgz` files. 
7 | 8 | location ~* \.svgz$ { 9 | gzip off; 10 | add_header Content-Encoding gzip; 11 | 12 | include h5bp/security/x-content-type-options.conf; 13 | include h5bp/security/content-security-policy.conf; 14 | include h5bp/security/referrer-policy.conf; 15 | include h5bp/cross-origin/requests.conf; 16 | } 17 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/media_types/character_encodings.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Character encodings | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Serve all resources labeled as `text/html` or `text/plain` with the media type 6 | # `charset` parameter set to `UTF-8`. 7 | # 8 | # https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset 9 | 10 | charset utf-8; 11 | 12 | # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 13 | 14 | # Update charset_types to match updated mime.types. 15 | # `text/html` is always included by charset module. 
16 | # Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml 17 | # 18 | # https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset_types 19 | 20 | charset_types 21 | text/css 22 | text/plain 23 | text/vnd.wap.wml 24 | text/javascript 25 | text/markdown 26 | text/calendar 27 | text/x-component 28 | text/vcard 29 | text/cache-manifest 30 | text/vtt 31 | application/json 32 | application/manifest+json; 33 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/media_types/media_types.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Media types | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Serve resources with the proper media types (f.k.a. MIME types). 6 | # 7 | # https://www.iana.org/assignments/media-types/media-types.xhtml 8 | # https://nginx.org/en/docs/http/ngx_http_core_module.html#types 9 | 10 | include mime.types; 11 | 12 | # - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 13 | 14 | # Default: text/plain 15 | # 16 | # https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type 17 | 18 | default_type application/octet-stream; 19 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/security/content-security-policy.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Content Security Policy (CSP) | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Mitigate the risk of cross-site scripting and other content-injection 6 | # attacks. 
7 | # 8 | # This can be done by setting a `Content Security Policy` which whitelists 9 | # trusted sources of content for your website. 10 | # 11 | # There is no policy that fits all websites, you will have to modify the 12 | # `Content-Security-Policy` directives in the example depending on your needs. 13 | # 14 | # To make your CSP implementation easier, you can use an online CSP header 15 | # generator such as: 16 | # https://report-uri.com/home/generate/ 17 | # 18 | # It is encouraged that you validate your CSP header using a CSP validator 19 | # such as: 20 | # https://csp-evaluator.withgoogle.com 21 | # 22 | # https://csp.withgoogle.com/docs/ 23 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy 24 | # https://www.html5rocks.com/en/tutorials/security/content-security-policy/ 25 | # https://www.w3.org/TR/CSP/ 26 | 27 | add_header Content-Security-Policy $content_security_policy always; 28 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/security/referrer-policy.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Referrer Policy | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Set a strict Referrer Policy to mitigate information leakage. 6 | # 7 | # (1) The `Referrer-Policy` header is included in responses for resources 8 | # that are able to request (or navigate to) other resources. 9 | # 10 | # This includes the commonly used resource types: 11 | # HTML, CSS, XML/SVG, PDF documents, scripts and workers. 12 | # 13 | # To prevent referrer leakage entirely, specify the `no-referrer` value 14 | # instead. Note that the effect could impact analytics metrics negatively. 
15 | # 16 | # To check your Referrer Policy, you can use an online service, such as: 17 | # https://securityheaders.com/ 18 | # https://observatory.mozilla.org/ 19 | # 20 | # https://scotthelme.co.uk/a-new-security-header-referrer-policy/ 21 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy 22 | 23 | add_header Referrer-Policy $referrer_policy always; 24 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/security/server_software_information.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Server software information | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Prevent Nginx from sending its version number in the "Server" response header. 6 | # 7 | # https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens 8 | 9 | server_tokens off; 10 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/security/strict-transport-security.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | HTTP Strict Transport Security (HSTS) | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Force client-side TLS (Transport Layer Security) redirection. 6 | # 7 | # If a user types `example.com` in their browser, even if the server redirects 8 | # them to the secure version of the website, that still leaves a window of 9 | # opportunity (the initial HTTP connection) for an attacker to downgrade or 10 | # redirect the request. 11 | # 12 | # The following header ensures that a browser only connects to your server 13 | # via HTTPS, regardless of what the users type in the browser's address bar. 14 | # 15 | # (!) 
Be aware that Strict Transport Security is not revocable once a browser has cached it, so you 16 | # must be able to serve the site over HTTPS for the whole duration 17 | # specified in the `max-age` directive.
6 | # 7 | # This reduces exposure to drive-by download attacks and cross-origin data 8 | # leaks, and should be left uncommented, especially if the server is serving 9 | # user-uploaded content or content that could potentially be treated as 10 | # executable by the browser. 11 | # 12 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options 13 | # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/ 14 | # https://mimesniff.spec.whatwg.org/ 15 | 16 | add_header X-Content-Type-Options nosniff always; 17 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/security/x-frame-options.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Frame Options | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Protect website against clickjacking. 6 | # 7 | # The example below sends the `X-Frame-Options` response header with the value 8 | # `DENY`, informing browsers not to display the content of the web page in any 9 | # frame. 10 | # 11 | # This might not be the best setting for everyone. You should read about the 12 | # other two possible values the `X-Frame-Options` header field can have: 13 | # `SAMEORIGIN` and `ALLOW-FROM`. 14 | # https://tools.ietf.org/html/rfc7034#section-2.1. 15 | # 16 | # Keep in mind that while you could send the `X-Frame-Options` header for all 17 | # of your website's pages, this has the potential downside that it forbids even 18 | # non-malicious framing of your content (e.g.: when users visit your website 19 | # using a Google Image Search results page). 
20 | # 21 | # Nonetheless, you should ensure that you send the `X-Frame-Options` header for 22 | # all pages that allow a user to make a state-changing operation (e.g: pages 23 | # that contain one-click purchase links, checkout or bank-transfer confirmation 24 | # pages, pages that make permanent configuration changes, etc.). 25 | # 26 | # Sending the `X-Frame-Options` header can also protect your website against 27 | # more than just clickjacking attacks. 28 | # https://cure53.de/xfo-clickjacking.pdf. 29 | # 30 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options 31 | # https://tools.ietf.org/html/rfc7034 32 | # https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/ 33 | # https://www.owasp.org/index.php/Clickjacking 34 | 35 | add_header X-Frame-Options $x_frame_options always; 36 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/security/x-xss-protection.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Cross-Site Scripting (XSS) Protection | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Protect website reflected Cross-Site Scripting (XSS) attacks. 6 | # 7 | # (1) Try to re-enable the cross-site scripting (XSS) filter built into most 8 | # web browsers. 9 | # 10 | # The filter is usually enabled by default, but in some cases, it may be 11 | # disabled by the user. However, in Internet Explorer, for example, it can be 12 | # re-enabled just by sending the `X-XSS-Protection` header with the value 13 | # of `1`. 14 | # 15 | # (2) Prevent web browsers from rendering the web page if a potential reflected 16 | # (a.k.a non-persistent) XSS attack is detected by the filter. 
17 | # 18 | # By default, if the filter is enabled and browsers detect a reflected XSS 19 | # attack, they will attempt to block the attack by making the smallest 20 | # possible modifications to the returned web page. 21 | # 22 | # Unfortunately, in some browsers (e.g.: Internet Explorer), this default 23 | # behavior may allow the XSS filter to be exploited. Therefore, it's better 24 | # to inform browsers to prevent the rendering of the page altogether, 25 | # instead of attempting to modify it. 26 | # 27 | # https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities 28 | # 29 | # (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that you are 30 | # taking all possible measures to prevent XSS attacks, the most obvious 31 | # being: validating and sanitizing your website's inputs. 32 | # 33 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection 34 | # https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/ 35 | # https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/ 36 | # https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29 37 | 38 | add_header X-XSS-Protection $x_xss_protection always; 39 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/ssl/certificate_files.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Certificate files | 3 | # ---------------------------------------------------------------------- 4 | 5 | # This default SSL certificate will be served whenever the client lacks support 6 | # for SNI (Server Name Indication). 7 | # Make it a symlink to the most important certificate you have, so that 8 | # users of IE 8 and below on WinXP can see your main site without SSL errors. 
9 | # 10 | # (1) Certificate and key files location 11 | # The certificate file can contain intermediate certificate. 12 | # 13 | # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate 14 | # 15 | # (2) Intermediate certificate location if loaded certificate (1) does not 16 | # contain intermediate certificate when enabling OCSP stapling. 17 | # 18 | # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate 19 | # 20 | # (3) CA certificate file location for client certificate authentication 21 | # 22 | # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate 23 | 24 | # (1) 25 | ssl_certificate /etc/nginx/certs/default.crt; 26 | ssl_certificate_key /etc/nginx/certs/default.key; 27 | 28 | # (2) 29 | # ssl_trusted_certificate /path/to/ca.crt; 30 | 31 | # (3) 32 | # ssl_client_certificate /etc/nginx/default_ssl.crt; 33 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/ssl/ocsp_stapling.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Online Certificate Status Protocol stapling | 3 | # ---------------------------------------------------------------------- 4 | 5 | # OCSP is a lightweight, only one record to help clients verify the validity of 6 | # the server certificate. 7 | # OCSP stapling allows the server to send its cached OCSP record during the TLS 8 | # handshake, without the need of 3rd party OCSP responder. 
9 | # 10 | # https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling 11 | # https://tools.ietf.org/html/rfc6066#section-8 12 | # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling 13 | # 14 | # (1) Use Cloudflare 1.1.1.1 DNS resolver 15 | # https://developers.cloudflare.com/1.1.1.1/setting-up-1.1.1.1/ 16 | # 17 | # (2) Use Google 8.8.8.8 DNS resolver 18 | # https://developers.google.com/speed/public-dns/docs/using 19 | # 20 | # (3) Use OpenDNS resolver 21 | # https://use.opendns.com 22 | 23 | ssl_stapling on; 24 | ssl_stapling_verify on; 25 | 26 | resolver 27 | # (1) 28 | 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] 29 | # (2) 30 | 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] 31 | # (3) 32 | # 208.67.222.222 208.67.220.220 [2620:119:35::35] [2620:119:53::53] 33 | valid=60s; 34 | resolver_timeout 2s; 35 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/ssl/policy_deprecated.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | SSL policy - Deprecated | 3 | # ---------------------------------------------------------------------- 4 | 5 | # For services that don't need compatibility with legacy clients (mostly WinXP), 6 | # but still need to support a wide range of clients, this configuration is 7 | # recommended. 8 | # 9 | # Protect against the BEAST and POODLE attacks by not using SSLv3 at all. 10 | # If you need to support older browsers (IE6) you may need to add SSLv3 to the 11 | # list of protocols. 12 | # 13 | # Based on intermediate profile recommended by Mozilla. 14 | # https://mozilla.github.io/server-side-tls/ssl-config-generator/ 15 | # 16 | # (1) Diffie-Hellman parameter for DHE cipher suites 17 | # A 4096 bits or more DH parameter is recommended. 18 | # (!) A DH parameter generation is required to enable this directive. 
19 | # openssl dhparam -out /etc/nginx/dhparam.pem 4096 20 | # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam 21 | # 22 | # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations 23 | # https://nginx.org/en/docs/http/ngx_http_ssl_module.html 24 | 25 | ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 26 | ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA; 27 | ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1; 28 | 29 | # (1) 30 | # ssl_dhparam /etc/nginx/dhparam.pem; 31 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/ssl/policy_fips.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | SSL policy - FIPS | 3 | # ---------------------------------------------------------------------- 4 | 5 | # For services that want to be FIPS compliance, the parameters below 6 | # ensure FIPS compliant ciphers are used. 
7 | # 8 | # https://github.com/certbot/certbot/issues/6367 9 | # https://github.com/mozilla/server-side-tls/issues/217 10 | # https://nginx.org/en/docs/http/ngx_http_ssl_module.html 11 | 12 | ssl_protocols TLSv1.2; 13 | ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256; 14 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/ssl/policy_intermediate.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | SSL policy - Intermediate | 3 | # ---------------------------------------------------------------------- 4 | 5 | # For services that don't need backward compatibility, the parameters below 6 | # provide a higher level of security. 7 | # 8 | # (!) This policy enforces a strong SSL configuration, which may raise errors 9 | # with old clients. 10 | # If a more compatible profile is required, use the intermediate policy. 11 | # 12 | # (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak 13 | # and potentially vulnerable but are required to support Microsoft Edge 14 | # and Safari. 
15 | # https://safecurves.cr.yp.to/ 16 | # 17 | # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations 18 | # https://nginx.org/en/docs/http/ngx_http_ssl_module.html 19 | 20 | ssl_protocols TLSv1.2; 21 | ssl_ciphers EECDH+CHACHA20:EECDH+AES; 22 | 23 | # (1) 24 | ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1; 25 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/ssl/policy_modern.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | SSL policy - Modern | 3 | # ---------------------------------------------------------------------- 4 | 5 | # For services that want to be on the bleeding edge, the parameters below 6 | # sacrifice compatibility for the highest level of security and performance. 7 | # 8 | # (!) TLSv1.3 and it's 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1 9 | # to be installed. 10 | # 11 | # (!) Don't enable `ssl_early_data` blindly! Requests sent within early data are 12 | # subject to replay attacks. 13 | # 14 | # (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak 15 | # and potentially vulnerable. 16 | # 17 | # Add them back to the parameter `ssl_ecdh_curve` below to support 18 | # Microsoft Edge and Safari. 19 | # 20 | # https://safecurves.cr.yp.to/ 21 | # 22 | # (2) Enables TLS 1.3 0-RTT, allows for faster resumption of TLS sessions. 23 | # 24 | # (!) Requests sent within early data are subject to replay attacks. 25 | # To protect against such attacks at the application layer, the 26 | # $ssl_early_data variable should be used: 27 | # proxy_set_header Early-Data $ssl_early_data; 28 | # 29 | # The application should return response code 425 "Too Early" for anything 30 | # that could contain user supplied data. 
31 | # 32 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425 33 | # 34 | # https://github.com/certbot/certbot/issues/6367 35 | # https://github.com/mozilla/server-side-tls/issues/217 36 | # https://nginx.org/en/docs/http/ngx_http_ssl_module.html 37 | 38 | ssl_protocols TLSv1.2 TLSv1.3; 39 | ssl_ciphers EECDH+CHACHA20:EECDH+AES; 40 | 41 | # (1) 42 | ssl_ecdh_curve X25519; 43 | 44 | # (2) 45 | #ssl_early_data on; 46 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/ssl/ssl_engine.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | SSL engine | 3 | # ---------------------------------------------------------------------- 4 | 5 | # (1) Optimize SSL by caching session parameters for 24 hours. 6 | # This cuts down on the number of expensive SSL handshakes. 7 | # By enabling a cache, we tell the client to re-use the already 8 | # negotiated state. 9 | # Here 10m (10 MB) in ssl_session_cache is size value (not time). 10 | # 1 MB cache can store about 4000 sessions, so we can store 40000 sessions. 11 | # 12 | # (2) Use a higher keepalive timeout to reduce the need for repeated handshakes 13 | # (!) Shouldn't be done unless you serve primarily HTTPS. 14 | # Default is 75s 15 | # 16 | # (3) SSL buffer size 17 | # Set 1400 bytes to fit in one MTU. 18 | # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size 19 | # 20 | # (4) Disable session tickets 21 | # Session tickets keys are not auto-rotated. Only a HUP / restart will do 22 | # so and when a restart is performed the previous key is lost, which resets 23 | # all previous sessions. 24 | # Only enable session tickets if you set up a manual rotation mechanism. 
25 | # https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx 26 | # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets 27 | # 28 | # (5) Basic security improvements 29 | 30 | # (1) 31 | ssl_session_timeout 24h; 32 | ssl_session_cache shared:SSL:10m; 33 | 34 | # (2) 35 | keepalive_timeout 300s; 36 | 37 | # (3) 38 | # ssl_buffer_size 1400; 39 | 40 | # (4) 41 | ssl_session_tickets off; 42 | 43 | # (5) 44 | ssl_prefer_server_ciphers on; 45 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/web_performance/cache-file-descriptors.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Cache file-descriptors | 3 | # ---------------------------------------------------------------------- 4 | 5 | # This tells Nginx to cache open file handles, "Not Found" errors and 6 | # metadata about files and their permissions. 7 | # 8 | # Based on these cached metadata, Nginx can immediately begin sending data when 9 | # a popular file is requested, and will also know to immediately send a 404 if a 10 | # file is missing on disk, and so on. 11 | # 12 | # (!) It also means that the server won't react immediately to changes on disk, 13 | # which may be undesirable. 14 | # As only metadata are cached, edited files may be truncated until the cache 15 | # is refreshed. 16 | # https://github.com/h5bp/server-configs-nginx/issues/203 17 | # 18 | # In the below configuration, inactive files are released from the cache after 19 | # 20 seconds, whereas active (recently requested) files are re-validated every 20 | # 30 seconds. 21 | # Descriptors will not be cached unless they are used at least 2 times within 22 | # 20 seconds (the inactive time). 23 | # A maximum of the 1000 most recently used file descriptors can be cached at 24 | # any time. 
25 | # 26 | # Production servers with stable file collections will definitely want to enable 27 | # the cache. 28 | # 29 | # https://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache 30 | 31 | open_file_cache max=1000 inactive=20s; 32 | open_file_cache_valid 30s; 33 | open_file_cache_min_uses 2; 34 | open_file_cache_errors on; 35 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/web_performance/cache_expiration.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Cache expiration | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Serve resources with a far-future expiration date. 6 | # 7 | # (!) If you don't control versioning with filename-based cache busting, you 8 | # should consider lowering the cache times to something like one week. 9 | # 10 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control 11 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires 12 | # https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires 13 | 14 | map $sent_http_content_type $expires { 15 | default 1M; 16 | 17 | # No content 18 | "" off; 19 | 20 | # CSS 21 | ~*text/css 1y; 22 | 23 | # Data interchange 24 | ~*application/atom\+xml 1h; 25 | ~*application/rdf\+xml 1h; 26 | ~*application/rss\+xml 1h; 27 | 28 | ~*application/json 0; 29 | ~*application/ld\+json 0; 30 | ~*application/schema\+json 0; 31 | ~*application/geo\+json 0; 32 | ~*application/xml 0; 33 | ~*text/calendar 0; 34 | ~*text/xml 0; 35 | 36 | # Favicon (cannot be renamed!) 
and cursor images 37 | ~*image/vnd.microsoft.icon 1w; 38 | ~*image/x-icon 1w; 39 | 40 | # HTML 41 | ~*text/html 0; 42 | 43 | # JavaScript 44 | ~*application/javascript 1y; 45 | ~*application/x-javascript 1y; 46 | ~*text/javascript 1y; 47 | 48 | # Manifest files 49 | ~*application/manifest\+json 1w; 50 | ~*application/x-web-app-manifest\+json 0; 51 | ~*text/cache-manifest 0; 52 | 53 | # Markdown 54 | ~*text/markdown 0; 55 | 56 | # Media files 57 | ~*audio/ 1M; 58 | ~*image/ 1M; 59 | ~*video/ 1M; 60 | 61 | # WebAssembly 62 | ~*application/wasm 1y; 63 | 64 | # Web fonts 65 | ~*font/ 1M; 66 | ~*application/vnd.ms-fontobject 1M; 67 | ~*application/x-font-ttf 1M; 68 | ~*application/x-font-woff 1M; 69 | ~*application/font-woff 1M; 70 | ~*application/font-woff2 1M; 71 | 72 | # Other 73 | ~*text/x-cross-domain-policy 1w; 74 | } 75 | 76 | expires $expires; 77 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/web_performance/compression.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Compression | 3 | # ---------------------------------------------------------------------- 4 | 5 | # https://nginx.org/en/docs/http/ngx_http_gzip_module.html 6 | 7 | # Enable gzip compression. 8 | # Default: off 9 | gzip on; 10 | 11 | # Compression level (1-9). 12 | # 5 is a perfect compromise between size and CPU usage, offering about 75% 13 | # reduction for most ASCII files (almost identical to level 9). 14 | # Default: 1 15 | gzip_comp_level 5; 16 | 17 | # Don't compress anything that's already small and unlikely to shrink much if at 18 | # all (the default is 20 bytes, which is bad as that usually leads to larger 19 | # files after gzipping). 
20 | # Default: 20 21 | gzip_min_length 256; 22 | 23 | # Compress data even for clients that are connecting to us via proxies, 24 | # identified by the "Via" header (required for CloudFront). 25 | # Default: off 26 | gzip_proxied any; 27 | 28 | # Tell proxies to cache both the gzipped and regular version of a resource 29 | # whenever the client's Accept-Encoding capabilities header varies; 30 | # Avoids the issue where a non-gzip capable client (which is extremely rare 31 | # today) would display gibberish if their proxy gave them the gzipped version. 32 | # Default: off 33 | gzip_vary on; 34 | 35 | # Compress all output labeled with one of the following MIME-types. 36 | # `text/html` is always compressed by gzip module. 37 | # Default: text/html 38 | gzip_types 39 | application/atom+xml 40 | application/geo+json 41 | application/javascript 42 | application/x-javascript 43 | application/json 44 | application/ld+json 45 | application/manifest+json 46 | application/rdf+xml 47 | application/rss+xml 48 | application/vnd.ms-fontobject 49 | application/wasm 50 | application/x-web-app-manifest+json 51 | application/xhtml+xml 52 | application/xml 53 | font/eot 54 | font/otf 55 | font/ttf 56 | image/bmp 57 | image/svg+xml 58 | text/cache-manifest 59 | text/calendar 60 | text/css 61 | text/javascript 62 | text/markdown 63 | text/plain 64 | text/xml 65 | text/vcard 66 | text/vnd.rim.location.xloc 67 | text/vtt 68 | text/x-component 69 | text/x-cross-domain-policy; 70 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/web_performance/content_transformation.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Content transformation | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Prevent intermediate caches or proxies (such as those used by mobile 6 | # network 
providers) and browsers data-saving features from modifying 7 | # the website's content using the `cache-control: no-transform` directive. 8 | # 9 | # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control 10 | # https://tools.ietf.org/html/rfc7234#section-5.2.2.4 11 | # 12 | # (!) Carefully consider the impact on your visitors before disabling 13 | # content transformation. These transformations are performed to 14 | # improve the experience for data- and cost-constrained users 15 | # (e.g. users on a 2G connection). 16 | # 17 | # You can test the effects of content transformation applied by 18 | # Google's Lite Mode by visiting: https://googleweblight.com/i?u=https://www.example.com 19 | # 20 | # https://support.google.com/webmasters/answer/6211428 21 | # 22 | # (!) If you are using `ngx_pagespeed`, note that disabling this will 23 | # prevent `PageSpeed` from rewriting HTML files, and, if the 24 | # `pagespeed DisableRewriteOnNoTransform` directive isn't set to 25 | # `off`, also from rewriting other resources. 26 | # 27 | # https://developers.google.com/speed/pagespeed/module/configuration#notransform 28 | 29 | add_header Cache-Control "no-transform"; 30 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/web_performance/pre-compressed_content_brotli.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | Brotli pre-compressed content | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Serve brotli compressed CSS, JS, HTML, SVG, ICS and JSON files if they exist 6 | # and if the client accepts br encoding. 7 | # 8 | # (!) To make this part relevant, you need to generate encoded files by your 9 | # own. Enabling this part will not auto-generate brotlied files. 10 | # 11 | # Note that some clients (eg. 
browsers) require a secure connection to request 12 | # brotli-compressed resources. 13 | # https://www.chromestatus.com/feature/5420797577396224 14 | # 15 | # https://github.com/eustas/ngx_brotli/#brotli_static 16 | 17 | brotli_static on; 18 | -------------------------------------------------------------------------------- /nginx/shared/nginx/h5bp/web_performance/pre-compressed_content_gzip.conf: -------------------------------------------------------------------------------- 1 | # ---------------------------------------------------------------------- 2 | # | GZip pre-compressed content | 3 | # ---------------------------------------------------------------------- 4 | 5 | # Serve gzip compressed CSS, JS, HTML, SVG, ICS, and JSON files if they exist 6 | # and if the client accepts gzip encoding. 7 | # 8 | # (!) To make this part relevant, you need to generate encoded files on your 9 | # own. Enabling this part will not auto-generate gzipped files. 10 | # 11 | # https://nginx.org/en/docs/http/ngx_http_gzip_static_module.html 12 | 13 | gzip_static on; 14 | -------------------------------------------------------------------------------- /nginx/shared/nginx/mime.types: -------------------------------------------------------------------------------- 1 | types { 2 | 3 | # Data interchange 4 | 5 | application/atom+xml atom; 6 | application/json json map topojson; 7 | application/ld+json jsonld; 8 | application/rss+xml rss; 9 | # Normalize to standard type. 10 | # https://tools.ietf.org/html/rfc7946#section-12 11 | application/geo+json geojson; 12 | application/xml xml; 13 | # Normalize to standard type. 14 | # https://tools.ietf.org/html/rfc3870#section-2 15 | application/rdf+xml rdf; 16 | 17 | 18 | # JavaScript 19 | 20 | # Servers should use text/javascript for JavaScript resources. 
21 | # https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages 22 | text/javascript js mjs; 23 | application/wasm wasm; 24 | 25 | 26 | # Manifest files 27 | 28 | application/manifest+json webmanifest; 29 | application/x-web-app-manifest+json webapp; 30 | text/cache-manifest appcache; 31 | 32 | 33 | # Media files 34 | 35 | audio/midi mid midi kar; 36 | audio/mp4 aac f4a f4b m4a; 37 | audio/mpeg mp3; 38 | audio/ogg oga ogg opus; 39 | audio/x-realaudio ra; 40 | audio/x-wav wav; 41 | audio/x-matroska mka; 42 | image/bmp bmp; 43 | image/gif gif; 44 | image/jpeg jpeg jpg; 45 | image/jxr jxr hdp wdp; 46 | image/png png; 47 | image/svg+xml svg svgz; 48 | image/tiff tif tiff; 49 | image/vnd.wap.wbmp wbmp; 50 | image/webp webp; 51 | image/x-jng jng; 52 | video/3gpp 3gp 3gpp; 53 | video/mp4 f4p f4v m4v mp4; 54 | video/mpeg mpeg mpg; 55 | video/ogg ogv; 56 | video/quicktime mov; 57 | video/webm webm; 58 | video/x-flv flv; 59 | video/x-mng mng; 60 | video/x-ms-asf asf asx; 61 | video/x-ms-wmv wmv; 62 | video/x-msvideo avi; 63 | video/x-matroska mkv mk3d; 64 | 65 | # Serving `.ico` image files with a different media type 66 | # prevents Internet Explorer from displaying them as images: 67 | # https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee 68 | 69 | image/x-icon cur ico; 70 | 71 | 72 | # Microsoft Office 73 | 74 | application/msword doc; 75 | application/vnd.ms-excel xls; 76 | application/vnd.ms-powerpoint ppt; 77 | application/vnd.openxmlformats-officedocument.wordprocessingml.document docx; 78 | application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx; 79 | application/vnd.openxmlformats-officedocument.presentationml.presentation pptx; 80 | 81 | 82 | # Web fonts 83 | 84 | font/woff woff; 85 | font/woff2 woff2; 86 | application/vnd.ms-fontobject eot; 87 | font/ttf ttf; 88 | font/collection ttc; 89 | font/otf otf; 90 | 91 | 92 | # Other 93 | 94 | application/java-archive ear jar war; 95 | 
application/mac-binhex40 hqx; 96 | application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz; 97 | application/pdf pdf; 98 | application/postscript ai eps ps; 99 | application/rtf rtf; 100 | application/vnd.google-earth.kml+xml kml; 101 | application/vnd.google-earth.kmz kmz; 102 | application/vnd.wap.wmlc wmlc; 103 | application/x-7z-compressed 7z; 104 | application/x-bb-appworld bbaw; 105 | application/x-bittorrent torrent; 106 | application/x-chrome-extension crx; 107 | application/x-cocoa cco; 108 | application/x-java-archive-diff jardiff; 109 | application/x-java-jnlp-file jnlp; 110 | application/x-makeself run; 111 | application/x-opera-extension oex; 112 | application/x-perl pl pm; 113 | application/x-pilot pdb prc; 114 | application/x-rar-compressed rar; 115 | application/x-redhat-package-manager rpm; 116 | application/x-sea sea; 117 | application/x-shockwave-flash swf; 118 | application/x-stuffit sit; 119 | application/x-tcl tcl tk; 120 | application/x-x509-ca-cert crt der pem; 121 | application/x-xpinstall xpi; 122 | application/xhtml+xml xhtml; 123 | application/xslt+xml xsl; 124 | application/zip zip; 125 | text/calendar ics; 126 | text/css css; 127 | text/csv csv; 128 | text/html htm html shtml; 129 | text/markdown md markdown; 130 | text/mathml mml; 131 | text/plain txt; 132 | text/vcard vcard vcf; 133 | text/vnd.rim.location.xloc xloc; 134 | text/vnd.sun.j2me.app-descriptor jad; 135 | text/vnd.wap.wml wml; 136 | text/vtt vtt; 137 | text/x-component htc; 138 | 139 | } 140 | -------------------------------------------------------------------------------- /nginx/shared/nginx/nginx.conf: -------------------------------------------------------------------------------- 1 | # Configuration File - Nginx Server Configs 2 | # https://nginx.org/en/docs/ 3 | 4 | # Run as a unique, less privileged user for security reasons. 
5 | # Default: nobody nobody 6 | # https://nginx.org/en/docs/ngx_core_module.html#user 7 | # https://en.wikipedia.org/wiki/Principle_of_least_privilege 8 | user nginx; 9 | 10 | # Sets the worker threads to the number of CPU cores available in the system for 11 | # best performance. Should be > the number of CPU cores. 12 | # Maximum number of connections = worker_processes * worker_connections 13 | # Default: 1 14 | # https://nginx.org/en/docs/ngx_core_module.html#worker_processes 15 | worker_processes 1; 16 | 17 | # Maximum number of open files per worker process. 18 | # Should be > worker_connections. 19 | # Default: no limit 20 | # https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile 21 | worker_rlimit_nofile 8192; 22 | 23 | # Provides the configuration file context in which the directives that affect 24 | # connection processing are specified. 25 | # https://nginx.org/en/docs/ngx_core_module.html#events 26 | events { 27 | 28 | # If you need more connections than this, you start optimizing your OS. 29 | # That's probably the point at which you hire people who are smarter than you 30 | # as this is *a lot* of requests. 31 | # Should be < worker_rlimit_nofile. 32 | # Default: 512 33 | # https://nginx.org/en/docs/ngx_core_module.html#worker_connections 34 | worker_connections 8000; 35 | 36 | } 37 | 38 | # Log errors and warnings to this file 39 | # This is only used when you don't override it on a `server` level 40 | # Default: logs/error.log error 41 | # https://nginx.org/en/docs/ngx_core_module.html#error_log 42 | error_log /var/log/nginx/error.log warn; 43 | 44 | # The file storing the process ID of the main process 45 | # Default: logs/nginx.pid 46 | # https://nginx.org/en/docs/ngx_core_module.html#pid 47 | pid /var/run/nginx.pid; 48 | 49 | http { 50 | 51 | # Hide Nginx version information. 52 | include h5bp/security/server_software_information.conf; 53 | 54 | # Specify media (MIME) types for files. 
55 | include h5bp/media_types/media_types.conf; 56 | 57 | # Set character encodings. 58 | include h5bp/media_types/character_encodings.conf; 59 | 60 | # Include $http_x_forwarded_for within default format used in log files 61 | # https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format 62 | log_format main '$remote_addr - $remote_user [$time_local] "$request" ' 63 | '$status $body_bytes_sent "$http_referer" ' 64 | '"$http_user_agent" "$http_x_forwarded_for"'; 65 | 66 | # Log access to this file 67 | # This is only used when you don't override it on a `server` level 68 | # Default: logs/access.log combined 69 | # https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log 70 | access_log /var/log/nginx/access.log main; 71 | 72 | # How long to allow each connection to stay idle. 73 | # Longer values are better for each individual client, particularly for SSL, 74 | # but means that worker connections are tied up longer. 75 | # Default: 75s 76 | # https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout 77 | keepalive_timeout 20s; 78 | 79 | # Speed up file transfers by using `sendfile()` to copy directly between 80 | # descriptors rather than using `read()`/`write()``. 81 | # For performance reasons, on FreeBSD systems w/ ZFS this option should be 82 | # disabled as ZFS's ARC caches frequently used files in RAM by default. 83 | # Default: off 84 | # https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile 85 | sendfile on; 86 | 87 | # Don't send out partial frames; this increases throughput since TCP frames 88 | # are filled up before being sent out. 89 | # Default: off 90 | # https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush 91 | tcp_nopush on; 92 | 93 | # Enable gzip compression. 94 | include h5bp/web_performance/compression.conf; 95 | 96 | # Specify file cache expiration. 97 | include h5bp/web_performance/cache_expiration.conf; 98 | 99 | # Add X-XSS-Protection for HTML documents. 
100 | # h5bp/security/x-xss-protection.conf 101 | map $sent_http_content_type $x_xss_protection { 102 | # (1) (2) 103 | ~*text/html "1; mode=block"; 104 | } 105 | 106 | # Add X-Frame-Options for HTML documents. 107 | # h5bp/security/x-frame-options.conf 108 | map $sent_http_content_type $x_frame_options { 109 | ~*text/html DENY; 110 | } 111 | 112 | # Add Content-Security-Policy for HTML documents. 113 | # h5bp/security/content-security-policy.conf 114 | map $sent_http_content_type $content_security_policy { 115 | ~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests"; 116 | } 117 | 118 | # Add Referrer-Policy for HTML documents. 119 | # h5bp/security/referrer-policy.conf 120 | map $sent_http_content_type $referrer_policy { 121 | ~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin"; 122 | } 123 | 124 | # Add X-UA-Compatible for HTML documents. 125 | # h5bp/internet_explorer/x-ua-compatible.conf 126 | map $sent_http_content_type $x_ua_compatible { 127 | ~*text/html "IE=edge"; 128 | } 129 | 130 | # Add Access-Control-Allow-Origin. 131 | # h5bp/cross-origin/requests.conf 132 | map $sent_http_content_type $cors { 133 | # Images 134 | ~*image/ "*"; 135 | 136 | # Web fonts 137 | ~*font/ "*"; 138 | ~*application/vnd.ms-fontobject "*"; 139 | ~*application/x-font-ttf "*"; 140 | ~*application/font-woff "*"; 141 | ~*application/x-font-woff "*"; 142 | ~*application/font-woff2 "*"; 143 | } 144 | 145 | # Include files in the conf.d folder. 146 | # `server` configuration files should be placed in the conf.d folder. 147 | # A configuration can be disabled by prefixing its file name with a dot. 148 | include conf.d/*.conf; 149 | 150 | } 151 | --------------------------------------------------------------------------------