├── media.conf
├── assets.conf
├── html.conf
├── LICENSE
├── README.md
├── server.conf
└── http.conf
/media.conf:
--------------------------------------------------------------------------------
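# Expires 1 year
# `immutable` tells browsers not to revalidate within max-age, so only apply
# this snippet to URLs that change when their content changes (e.g. hashed
# file names); a stable URL with changing content will stay stale for a year.
add_header Cache-Control "max-age=31536000, immutable";

# Disable access log
# Trade-off: requests to these paths leave no record for incident review
# (e.g. who fetched a given file); keep the server-level access log for
# everything else.
access_log off;

# MIME type sniffing security protection
# Added for consistency with assets.conf. Relevant to media because SVG is a
# document type that may carry script; nosniff stops a browser from treating a
# mislabelled response as something else. `always` also covers error responses.
add_header X-Content-Type-Options nosniff always;

# Tell browsers to load this domain and subdomains exclusively over HTTPS
# Repeated in every snippet: an add_header inside a location replaces, rather
# than extends, the add_header set of the enclosing server block.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
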
--------------------------------------------------------------------------------
/assets.conf:
--------------------------------------------------------------------------------
# Expires 1 year
# `immutable` tells browsers not to revalidate within max-age, so only apply
# this snippet to URLs that change when their content changes (e.g. hashed
# file names).
add_header Cache-Control "max-age=31536000, immutable";

# Disable access log
# Trade-off: requests to these paths leave no record for incident review; keep
# the server-level access log for everything else.
access_log off;

# MIME type sniffing security protection
# Keeps browsers from executing a mislabelled response as script or rendering
# it as HTML; the `always` flag adds the header on error responses too.
add_header X-Content-Type-Options nosniff always;

# Tell browsers to load this domain and subdomains exclusively over HTTPS
# Repeated in every snippet: an add_header inside a location replaces, rather
# than extends, the add_header set of the enclosing server block.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

--------------------------------------------------------------------------------
/html.conf:
--------------------------------------------------------------------------------
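# Force the latest IE version
# Only legacy Internet Explorer honours this; other browsers ignore it.
add_header "X-UA-Compatible" "ie=edge";

# Prevent mobile network providers from modifying your site
# https://developers.google.com/speed/pagespeed/module/configuration#notransform
# This is the only Cache-Control value this snippet sets for HTML; if pages are
# personalised, add `no-store` or `private` in the including location.
add_header "Cache-Control" "no-transform";

# The X-Frame-Options header indicates whether a browser should be allowed
# to render a page within a frame or iframe.
# SAMEORIGIN restricts framing to this origin (clickjacking mitigation);
# the CSP `frame-ancestors` directive is the modern equivalent.
add_header X-Frame-Options SAMEORIGIN always;

# MIME type sniffing security protection
# Added for consistency with assets.conf: keeps browsers from interpreting a
# mislabelled response as HTML or script.
add_header X-Content-Type-Options nosniff always;

# The X-XSS-Protection header is used by Internet Explorer version 8+
# The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
# Note: modern browsers have removed this filter and current guidance (e.g.
# OWASP) is to send "0" instead, since the filter itself could be abused for
# cross-site leaks. Kept as-is for the legacy-IE intent documented above; a
# Content-Security-Policy is the real XSS mitigation.
add_header X-XSS-Protection "1; mode=block" always;

# Tell browsers to load this domain and subdomains exclusively over HTTPS
# Repeated in every snippet: an add_header inside a location replaces, rather
# than extends, the add_header set of the enclosing server block.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

# No Content-Security-Policy is set by this snippet (the README links a
# generator). When adding one, use the `always` flag so it also applies to
# error pages.
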
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2018 Oscar Otero
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # nginx-snippets
2 |
3 | Custom snippets for nginx with http2
4 |
5 | ## Install
6 |
7 | ```
8 | cd /etc/nginx/snippets
9 | git clone https://github.com/oscarotero/nginx-snippets.git
10 | ```
11 |
12 | ## Snippets
13 |
14 | This package contains a set of config files with best practices that you can include in your nginx config.
15 |
16 | - `http.conf`: Common http settings to include inside the `http` block.
17 | - `server.conf`: Common http settings to include inside each `server` block.
18 | - `html.conf`: Settings, headers and security stuff to use with html responses.
19 | - `media.conf`: Settings, headers and security stuff to use with media responses (images, videos, audio, fonts, etc).
20 | - `assets.conf`: Settings, headers and security stuff to use with text-based assets like css and javascript.
21 |
22 | ## Usage
23 |
24 | ```conf
25 | http {
26 | include snippets/nginx-snippets/http.conf;
27 |
28 | server {
29 | listen 443 ssl http2;
30 | listen [::]:443 ssl http2;
31 |
32 | include snippets/nginx-snippets/server.conf;
33 |
34 | location / {
35 | include snippets/nginx-snippets/html.conf;
36 | }
37 |
38 | # Media and fonts
39 | location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc|ttf|ttc|otf|eot|woff|woff2)$ {
40 | include snippets/nginx-snippets/media.conf;
41 | }
42 |
43 | # Assets: css, javascript, etc
44 | location ~* \.(?:css|js|webmanifest)$ {
45 | include snippets/nginx-snippets/assets.conf;
46 | }
47 | }
48 | }
49 | ```
50 |
51 | ## Other tools
52 |
53 | - Configure CSP: [CSP is Awesome](https://www.cspisawesome.com/)
54 | - Configure SSL: [Mozilla SSL Configuration Generator](https://mozilla.github.io/server-side-tls/ssl-config-generator/)
55 | - NGINX Config Generator: [nginxconfig.io](https://nginxconfig.io/)
56 | - NGINX Quick Reference: [trimstray/nginx-quick-reference](https://github.com/trimstray/nginx-quick-reference)
57 |
58 | ## Testing
59 |
60 | - [Observatory by Mozilla](https://observatory.mozilla.org/)
61 | - [Webhint](https://webhint.io/scanner/)
62 | - [PageSpeed Insights](https://developers.google.com/speed/pagespeed/insights/)
63 |
--------------------------------------------------------------------------------
/server.conf:
--------------------------------------------------------------------------------
# Prevent clients from accessing hidden files (starting with a dot)
# This is particularly important if you store .htpasswd files in the site hierarchy
# Access to `/.well-known/` is allowed.
# https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785
# Regex locations are tried in configuration order and the first match wins, so
# include this snippet before any other regex location that could match a
# dotfile path. `deny all` answers 403 rather than 404, which reveals that the
# path is protected but not whether the file exists.
location ~* /\.(?!well-known\/) {
deny all;
}

# SSL Configuration
# Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.1e&hsts=yes&profile=modern

# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
# ssl_certificate / ssl_certificate_key are intentionally not set here; they
# belong in each server block.
# Session tickets are disabled (the usual reason: a long-lived ticket key would
# weaken forward secrecy); resumption uses the shared session cache instead.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# modern configuration. tweak to your needs.
# TLS 1.2 only, with the server's cipher preference enforced. Revisit when the
# nginx/OpenSSL versions in the generator URL above are upgraded; OCSP stapling
# is not enabled by this snippet.
ssl_protocols TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;

# Enable gzip compression
# Compressing TLS responses that mix a secret (CSRF token, session data) with
# input the requester controls is what the BREACH attack relies on. The
# gzip_types list below avoids most dynamic types, but nginx compresses
# text/html unconditionally; disable gzip in locations serving such pages or
# keep secrets out of compressed bodies.
gzip on;

# Proxies Cache
# `gzip_vary` adds Vary: Accept-Encoding so caches keep compressed and plain
# copies apart; `gzip_proxied any` compresses even for proxied requests.
gzip_vary on;
gzip_proxied any;

# Compression level (1-9)
gzip_comp_level 5;

# Don't compress anything smaller than 256 bytes
gzip_min_length 256;

# Gzip applied to the following MIME-types
# (text/html is always compressed by nginx and does not need to be listed)
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/vnd.geo+json
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/bmp
image/svg+xml
image/x-icon
text/cache-manifest
text/css
text/javascript
text/plain
text/vcard
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;

# Specify a charset
# Appended to Content-Type for the types listed in charset_types (see
# http.conf). Declaring the charset explicitly removes browser guessing, which
# matters for charset-confusion XSS.
charset utf-8;

# Custom 404 page
# /404.html must exist under the root of every server that includes this snippet.
error_page 404 /404.html;

# Default index
# index.php is listed, but nothing in these snippets hands PHP to a backend;
# add a fastcgi location if PHP is served, otherwise drop it.
index index.html index.php;

--------------------------------------------------------------------------------
/http.conf:
--------------------------------------------------------------------------------
# Hide nginx version information.
# Removes the version from the Server header and from nginx's built-in error pages.
server_tokens off;

# Specify MIME types for files.
# Extensions not listed here are served with default_type (nginx's default is
# text/plain); set `default_type application/octet-stream;` if unknown files
# should not be rendered as text. If the main config also includes mime.types,
# check the effective mapping with `nginx -T`.
types {

# Data interchange

application/atom+xml atom;
application/json json map topojson;
application/ld+json jsonld;
application/rss+xml rss;
application/vnd.geo+json geojson;
application/xml rdf xml;


# JavaScript

# Servers should use text/javascript for JavaScript resources.
# https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
text/javascript js;


# Manifest files

application/manifest+json webmanifest;
application/x-web-app-manifest+json webapp;
text/cache-manifest appcache;


# Media files
# Note: SVG is a document type that can carry script; the media.conf snippet
# is where response headers for these paths are set.

audio/midi mid midi kar;
audio/mp4 aac f4a f4b m4a;
audio/mpeg mp3;
audio/ogg oga ogg opus;
audio/x-realaudio ra;
audio/x-wav wav;
image/bmp bmp;
image/gif gif;
image/jpeg jpeg jpg;
image/jxr jxr hdp wdp;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-jng jng;
video/3gpp 3gp 3gpp;
video/mp4 f4p f4v m4v mp4;
video/mpeg mpeg mpg;
video/ogg ogv;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-mng mng;
video/x-ms-asf asf asx;
video/x-ms-wmv wmv;
video/x-msvideo avi;

# Serving `.ico` image files with a different media type
# prevents Internet Explorer from displaying them as images:
# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee

image/x-icon cur ico;


# Microsoft Office

application/msword doc;
application/vnd.ms-excel xls;
application/vnd.ms-powerpoint ppt;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;


# Web fonts

font/woff woff;
font/woff2 woff2;
application/vnd.ms-fontobject eot;
font/ttf ttf;
font/collection ttc;
font/otf otf;


# Other
# This table only labels responses; it does not restrict what is served. Keep
# key material and other secrets (e.g. .pem files) out of the web root.

application/java-archive ear jar war;
application/mac-binhex40 hqx;
application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz;
application/pdf pdf;
application/postscript ai eps ps;
application/rtf rtf;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-bb-appworld bbaw;
application/x-bittorrent torrent;
application/x-chrome-extension crx;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-opera-extension oex;
application/x-perl pl pm;
application/x-pilot pdb prc;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert crt der pem;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xslt+xml xsl;
application/zip zip;
text/css css;
text/csv csv;
text/html htm html shtml;
text/markdown md;
text/mathml mml;
text/plain txt;
text/vcard vcard vcf;
text/vnd.rim.location.xloc xloc;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/vtt vtt;
text/x-component htc;
}

# Update charset_types to match updated mime.types.
# text/html is always included by charset module.
# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
# These are the types that get the `charset` directive (set in server.conf)
# appended to their Content-Type.
charset_types
text/css
text/plain
text/vnd.wap.wml
text/javascript
application/json
application/rss+xml
application/xml
application/manifest+json;

--------------------------------------------------------------------------------