|
@@ -2,7 +2,7 @@
|
|
|
user phyreweb;
|
|
user phyreweb;
|
|
|
worker_processes 1;
|
|
worker_processes 1;
|
|
|
worker_rlimit_nofile 65535;
|
|
worker_rlimit_nofile 65535;
|
|
|
-error_log /var/log/phyre/nginx-error.log;
|
|
|
|
|
|
|
+#error_log /var/log/phyre/nginx-error.log;
|
|
|
pid /run/phyre-nginx.pid;
|
|
pid /run/phyre-nginx.pid;
|
|
|
pcre_jit on;
|
|
pcre_jit on;
|
|
|
|
|
|
|
@@ -15,7 +15,7 @@ events {
|
|
|
|
|
|
|
|
http {
|
|
http {
|
|
|
# Main settings
|
|
# Main settings
|
|
|
- http2 on;
|
|
|
|
|
|
|
+ #http2 on;
|
|
|
sendfile on;
|
|
sendfile on;
|
|
|
tcp_nopush on;
|
|
tcp_nopush on;
|
|
|
tcp_nodelay on;
|
|
tcp_nodelay on;
|
|
@@ -45,7 +45,6 @@ http {
|
|
|
# Proxy settings
|
|
# Proxy settings
|
|
|
proxy_redirect off;
|
|
proxy_redirect off;
|
|
|
proxy_set_header Host $host;
|
|
proxy_set_header Host $host;
|
|
|
- proxy_set_header Early-Data $rfc_early_data;
|
|
|
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
proxy_pass_header Set-Cookie;
|
|
proxy_pass_header Set-Cookie;
|
|
@@ -58,7 +57,7 @@ http {
|
|
|
proxy_send_timeout 180s;
|
|
proxy_send_timeout 180s;
|
|
|
# Log format
|
|
# Log format
|
|
|
log_format main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
|
|
log_format main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
|
|
|
- access_log /var/log/phyre/nginx-access.log main;
|
|
|
|
|
|
|
+ #access_log /var/log/phyre/nginx-access.log main;
|
|
|
# Mime settings
|
|
# Mime settings
|
|
|
include mime.types;
|
|
include mime.types;
|
|
|
default_type application/octet-stream;
|
|
default_type application/octet-stream;
|
|
@@ -71,23 +70,7 @@ http {
|
|
|
gzip_http_version 1.1;
|
|
gzip_http_version 1.1;
|
|
|
gzip_types text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;
|
|
gzip_types text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;
|
|
|
gzip_proxied any;
|
|
gzip_proxied any;
|
|
|
- # SSL PCI compliance
|
|
|
|
|
- ssl_buffer_size 1369;
|
|
|
|
|
- ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256";
|
|
|
|
|
- ssl_conf_command Ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384;
|
|
|
|
|
- ssl_conf_command Options PrioritizeChaCha;
|
|
|
|
|
- ssl_dhparam /etc/ssl/dhparam.pem;
|
|
|
|
|
- ssl_early_data on;
|
|
|
|
|
- ssl_ecdh_curve auto;
|
|
|
|
|
- ssl_prefer_server_ciphers on;
|
|
|
|
|
- ssl_protocols TLSv1.2 TLSv1.3;
|
|
|
|
|
- ssl_session_cache shared:SSL:10m;
|
|
|
|
|
- ssl_session_tickets on;
|
|
|
|
|
- ssl_session_timeout 7d;
|
|
|
|
|
- ssl_stapling on;
|
|
|
|
|
- ssl_stapling_verify on;
|
|
|
|
|
- resolver 1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
|
|
|
|
|
- resolver_timeout 5s;
|
|
|
|
|
|
|
+
|
|
|
# Security headers
|
|
# Security headers
|
|
|
add_header X-Content-Type-Options nosniff;
|
|
add_header X-Content-Type-Options nosniff;
|
|
|
add_header X-Frame-Options SAMEORIGIN;
|
|
add_header X-Frame-Options SAMEORIGIN;
|
|
@@ -104,19 +87,10 @@ http {
|
|
|
"~Firefox/((58|59)|([6-9]\d)|([1-9]\d{2,}))\.\d+" 1;
|
|
"~Firefox/((58|59)|([6-9]\d)|([1-9]\d{2,}))\.\d+" 1;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- map "$ssl_early_data:$ar_idempotent:$ar_support_425" $anti_replay {
|
|
|
|
|
- 1:0:0 307;
|
|
|
|
|
- 1:0:1 425;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
- map "$ssl_early_data:$ar_support_425" $rfc_early_data {
|
|
|
|
|
- 1:1 1;
|
|
|
|
|
- }
|
|
|
|
|
-
|
|
|
|
|
# Vhost
|
|
# Vhost
|
|
|
server {
|
|
server {
|
|
|
- listen 4990 ssl;
|
|
|
|
|
- listen [::]:4990 ssl;
|
|
|
|
|
|
|
+ listen 4990;
|
|
|
|
|
+ listen [::]:4990;
|
|
|
server_name _;
|
|
server_name _;
|
|
|
root /usr/local/phyre/web;
|
|
root /usr/local/phyre/web;
|
|
|
# Fix error "The plain HTTP request was sent to HTTPS port"
|
|
# Fix error "The plain HTTP request was sent to HTTPS port"
|
|
@@ -126,13 +100,6 @@ http {
|
|
|
error_page 410 /error/410.html;
|
|
error_page 410 /error/410.html;
|
|
|
error_page 500 501 502 503 504 505 /error/50x.html;
|
|
error_page 500 501 502 503 504 505 /error/50x.html;
|
|
|
|
|
|
|
|
- ssl_certificate /usr/local/phyre/ssl/certificate.crt;
|
|
|
|
|
- ssl_certificate_key /usr/local/phyre/ssl/certificate.key;
|
|
|
|
|
-
|
|
|
|
|
- # TLS 1.3 0-RTT anti-replay
|
|
|
|
|
- if ($anti_replay = 307) { return 307 https://$host:$server_port$request_uri; }
|
|
|
|
|
- if ($anti_replay = 425) { return 425; }
|
|
|
|
|
-
|
|
|
|
|
location / {
|
|
location / {
|
|
|
expires off;
|
|
expires off;
|
|
|
index index.php;
|
|
index index.php;
|
|
@@ -153,7 +120,6 @@ http {
|
|
|
|
|
|
|
|
location ~ \.php$ {
|
|
location ~ \.php$ {
|
|
|
include fastcgi_params;
|
|
include fastcgi_params;
|
|
|
- fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
|
|
|
|
|
fastcgi_param SCRIPT_FILENAME /usr/local/phyre/web/$fastcgi_script_name;
|
|
fastcgi_param SCRIPT_FILENAME /usr/local/phyre/web/$fastcgi_script_name;
|
|
|
fastcgi_pass unix:/run/phyre-php.sock;
|
|
fastcgi_pass unix:/run/phyre-php.sock;
|
|
|
fastcgi_intercept_errors on;
|
|
fastcgi_intercept_errors on;
|
Bozhidar Slaveykov