From 10290dcd0b05f95cd3a3f4d4be2cd18bb91c7819 Mon Sep 17 00:00:00 2001 From: Bozhidar Slaveykov Date: Sat, 25 Nov 2023 22:57:44 +0200 Subject: [PATCH] Update nginx.conf --- compilators/debian/nginx/nginx.conf | 46 ++++------------------------- 1 file changed, 6 insertions(+), 40 deletions(-) diff --git a/compilators/debian/nginx/nginx.conf b/compilators/debian/nginx/nginx.conf index 7ed6f7e..05964b2 100644 --- a/compilators/debian/nginx/nginx.conf +++ b/compilators/debian/nginx/nginx.conf @@ -2,7 +2,7 @@ user phyreweb; worker_processes 1; worker_rlimit_nofile 65535; -error_log /var/log/phyre/nginx-error.log; +#error_log /var/log/phyre/nginx-error.log; pid /run/phyre-nginx.pid; pcre_jit on; @@ -15,7 +15,7 @@ events { http { # Main settings - http2 on; + #http2 on; sendfile on; tcp_nopush on; tcp_nodelay on; @@ -45,7 +45,6 @@ http { # Proxy settings proxy_redirect off; proxy_set_header Host $host; - proxy_set_header Early-Data $rfc_early_data; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass_header Set-Cookie; @@ -58,7 +57,7 @@ http { proxy_send_timeout 180s; # Log format log_format main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'; - access_log /var/log/phyre/nginx-access.log main; + #access_log /var/log/phyre/nginx-access.log main; # Mime settings include mime.types; default_type application/octet-stream; @@ -71,23 +70,7 @@ http { gzip_http_version 1.1; gzip_types text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf; gzip_proxied any; - # SSL PCI compliance - ssl_buffer_size 1369; - ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"; - ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384; - ssl_conf_command Options PrioritizeChaCha; - ssl_dhparam /etc/ssl/dhparam.pem; - ssl_early_data on; - ssl_ecdh_curve auto; - ssl_prefer_server_ciphers on; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_session_cache shared:SSL:10m; - ssl_session_tickets on; - ssl_session_timeout 7d; - ssl_stapling on; - ssl_stapling_verify on; - resolver 1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off; - resolver_timeout 5s; + # Security headers add_header X-Content-Type-Options nosniff; add_header X-Frame-Options SAMEORIGIN; @@ -104,19 +87,10 @@ http { "~Firefox/((58|59)|([6-9]\d)|([1-9]\d{2,}))\.\d+" 1; } - map "$ssl_early_data:$ar_idempotent:$ar_support_425" $anti_replay { - 1:0:0 307; - 1:0:1 425; - } - - map "$ssl_early_data:$ar_support_425" $rfc_early_data { - 1:1 1; - } - # Vhost server { - listen 4990 ssl; - listen [::]:4990 ssl; + listen 4990; + listen [::]:4990; server_name _; root /usr/local/phyre/web; # Fix error "The plain HTTP request was sent to HTTPS port" @@ -126,13 +100,6 @@ http { error_page 410 /error/410.html; error_page 500 501 502 503 504 505 /error/50x.html; - ssl_certificate /usr/local/phyre/ssl/certificate.crt; - ssl_certificate_key /usr/local/phyre/ssl/certificate.key; - - # TLS 1.3 0-RTT anti-replay - if ($anti_replay = 307) { return 307 https://$host:$server_port$request_uri; } - if ($anti_replay = 425) { return 425; } - location / { expires off; index index.php; @@ -153,7 +120,6 @@ http { location ~ \.php$ { include fastcgi_params; - fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty; fastcgi_param SCRIPT_FILENAME /usr/local/phyre/web/$fastcgi_script_name; fastcgi_pass unix:/run/phyre-php.sock; fastcgi_intercept_errors on;