Aurelien
/
dm4
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
dm4/roles/nginx/templates/infra.conf.j2

72 lines
2.1 KiB
Django/Jinja
Raw Blame History

# On fait ses configurations pour cacher l'utilisation dans les headers d'un serveur nginx
server_tokens off; # version dans les headers
more_set_headers 'Server'; # header Server
add_header X-XSS-Protection "1: mode=block" always; # XSS
add_header X-Frame_Options "SAMEORIGIN" always; # clickjacking
add_header Permission-Policy "";
add_header Content-Security-Policy "default-src 'self';" always; # CSRF
add_header X-Content-Type-Options "nosniff" always; # sniffing
# HTTP requests redirected to HTTPS
server {
listen 80;
listen [::]:80;
return 301 https://$host$request_uri;
}
# reverse-proxy to Apache -> 8000
server {
listen 443 ssl; # IPv4, on écoute sur le port HTTPS (443)
listen [::]:443; # IPv6
location /blog/ {
proxy_pass http://localhost:8000/; # Redirect localhost port 8000
}
ssl_certificate {{ nginx_cert_position }};
ssl_certificate_key {{ nginx_key_position }};
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
# OCSP Response
ssl_stapling on;
ssl_stapling_verify on;
# MITM
add_header Strict-Transport-Security "max-age=63072000" always;
}
# web HTTPS
server {
listen 443 ssl;
listen [::]:443;
root /var/www/html;
index index.html;
error_page 404 /;
ssl_certificate {{ nginx_cert_position }};
ssl_certificate_key {{ nginx_key_position }};
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000" always;
location / {
limit_except GET POST PUT {
deny all;
}
# Autre directives
}
}
Reference in New Issue View Git Blame Copy Permalink