Last active
March 20, 2025 14:14
-
-
Save mtigas/8601685 to your computer and use it in GitHub Desktop.
Nginx configuration for securedrop.propublica.org. (Based on Ubuntu 13.10 / Nginx 1.4.1 default config.)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This configuration file is provided on an "as is" basis, | |
| # with no warranties or representations, and any use of it | |
| # is at the user's own risk. | |
| # | |
| # You will need to edit domain name information, IP addresses for redirection (at the bottom), | |
| # SSL certificate and key paths, and the "Public-Key-Pins" header. | |
| user www-data; | |
| worker_processes 4; | |
| pid /run/nginx.pid; | |
| events { | |
| worker_connections 768; | |
| # multi_accept on; | |
| } | |
| http { | |
| ## | |
| # Basic Settings | |
| ## | |
| sendfile on; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| keepalive_timeout 65; | |
| types_hash_max_size 2048; | |
| # server_tokens off; | |
| # server_names_hash_bucket_size 64; | |
| # server_name_in_redirect off; | |
| include /etc/nginx/mime.types; | |
| default_type application/octet-stream; | |
| ## | |
| # Logging Settings | |
| ## | |
| access_log off; | |
| error_log off; | |
| ## | |
| # Gzip Settings | |
| ## | |
| gzip on; | |
| gzip_disable "msie6"; | |
| # gzip_vary on; | |
| # gzip_proxied any; | |
| # gzip_comp_level 6; | |
| # gzip_buffers 16 8k; | |
| # gzip_http_version 1.1; | |
| # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; | |
| ## | |
| # nginx-naxsi config | |
| ## | |
| # Uncomment it if you installed nginx-naxsi | |
| ## | |
| #include /etc/nginx/naxsi_core.rules; | |
| ## | |
| # nginx-passenger config | |
| ## | |
| # Uncomment it if you installed nginx-passenger | |
| ## | |
| #passenger_root /usr; | |
| #passenger_ruby /usr/bin/ruby; | |
| ## | |
| # Virtual Host Configs | |
| ## | |
| ##### | |
| # main | |
| ##### | |
| server { | |
| listen 443 ssl; | |
| server_name securedrop.example.com; | |
| add_header "Strict-Transport-Security" "max-age=86400"; | |
| # SEE THESE LINKS REGARDING HOW TO CONFIGURE THIS HEADER | |
| # http://tools.ietf.org/html/draft-ietf-websec-key-pinning-09 | |
| # http://blog.stalkr.net/2011/08/hsts-preloading-public-key-pinning-and.html | |
| add_header "Public-Key-Pins" "TODO"; | |
| add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate"; | |
| add_header "Pragma" "no-cache"; | |
| add_header "Expires" "-1"; | |
| add_header "X-Frame-Options" "DENY"; | |
| add_header "X-XSS-Protection" "1; mode-block"; | |
| add_header "X-Content-Type-Options" "nosniff"; | |
| add_header "X-Download-Options" "noopen"; | |
| add_header "X-Permitted-Cross-Domain-Policies" "master-only"; | |
| add_header "Content-Security-Policy" "default-rsc 'self'"; | |
| add_header "X-Content-Security-Policy" "default-src 'self'"; | |
| server_tokens off; | |
| ssl on; | |
| ssl_session_cache shared:SSL:5m; | |
| ssl_session_timeout 5m; | |
| ssl_stapling on; | |
| ssl_certificate_key /path/to/ssl_certificate.key; | |
| ssl_certificate /path/to/ssl_certificate.crt; | |
| #ssl_trusted_certificate /path/to/ssl_certificate.crt; # if "ssl_certificate.crt" does not contain CA intermediate certificates as well as your certificate | |
| ################### | |
| # Disable SSLv2 by not including it in this list. | |
| # Can remove SSLv3 if you don't need to support IE6 (or older) clients | |
| ################### | |
| ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2; | |
| ################### | |
| # this list is basically a manually-defined, filtered/reordered list | |
| # based on the recommendations from: | |
| # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/ | |
| # http://unhandledexpression.com/2013/01/25/5-easy-tips-to-accelerate-ssl/ | |
| # | |
| # Modifications include removing ECDSA, disabling almost all non-ephemeral | |
| # key exchange ciphersuites to strongly prefer perfect forward secrecy | |
| # (and only leave alternative as a fallback), removing fallbacks that | |
| # wouldn't realistically happen in real browsers. | |
| # | |
| # We end up with a list of 12 ciphersuites: 4 TLS 1.2 ciphersuites, 4 | |
| # fallbacks with PFS, then 4 weaker fallbacks for compatibility. | |
| # The low number of suites improves TLS handshake speed. | |
| # | |
| # Expanded list: https://gist.github.com/mtigas/8591092/raw/gistfile1.txt | |
| # | |
| # If you don't need to support IE WinXP (or older) clients you can remove | |
| # the weak fallbacks after DHE-RSA-AES128-SHA to force PFS ciphersuites | |
| # for all clients and protect against downgrade attacks. | |
| # | |
| # For performance, AES256 ciphersuites can be removed, too. (Leaves 4 or 7 | |
| # ciphersuites.) | |
| ################### | |
| ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDH-RSA-AES256-SHA:ECDH-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA; | |
| ssl_prefer_server_ciphers on; | |
| root /home/ubuntu/html; | |
| index index.html index.htm; | |
| charset utf-8; | |
| } | |
| ##### | |
| # server redirects | |
| ##### | |
| server { | |
| # Redirect HTTP access to the HTTPS instance. | |
| listen 80; | |
| server_name securedrop.example.com; | |
| rewrite ^/(.*) https://securedrop.example.com/$1 permanent; | |
| add_header "Strict-Transport-Security" "max-age=86400"; | |
| add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate"; | |
| add_header "Pragma" "no-cache"; | |
| add_header "Expires" "-1"; | |
| add_header "X-Frame-Options" "DENY"; | |
| add_header "X-XSS-Protection" "1; mode-block"; | |
| add_header "X-Content-Type-Options" "nosniff"; | |
| add_header "X-Download-Options" "noopen"; | |
| add_header "X-Permitted-Cross-Domain-Policies" "master-only"; | |
| add_header "Content-Security-Policy" "default-src 'self'"; | |
| add_header "X-Content-Security-Policy" "default-src 'self'"; | |
| } | |
| server { | |
| # Redirect any other plain HTTP access to this server. (Same as above, but | |
| # without the Strict-Transport-Security header.) | |
| listen 80; | |
| server_name 127.0.0.1 123.123.123.123; # add other IPs for this box here | |
| rewrite ^/(.*) https://securedrop.example.com/$1 permanent; | |
| add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate"; | |
| add_header "Pragma" "no-cache"; | |
| add_header "Expires" "-1"; | |
| add_header "X-Frame-Options" "DENY"; | |
| add_header "X-XSS-Protection" "1; mode-block"; | |
| add_header "X-Content-Type-Options" "nosniff"; | |
| add_header "X-Download-Options" "noopen"; | |
| add_header "X-Permitted-Cross-Domain-Policies" "master-only"; | |
| add_header "Content-Security-Policy" "default-src 'self'"; | |
| add_header "X-Content-Security-Policy" "default-src 'self'"; | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment