Merge default server configs

Tommy
2025-01-03 06:34:57 -07:00
committed by GitHub
parent 1ade01cd11
commit 275d68ce12
5 changed files with 38 additions and 38 deletions


@@ -1,3 +1,41 @@
# Use http2
http2 on;
# Shared TLS configuration
## Use strong ciphers
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
## Configure ssl session cache
## Improves performance but we don't wanna keep this forever
## Session ticket creation and rotation is handled by GrapheneOS's scripts:
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
ssl_session_cache shared:SSL:10m; # About 40000 sessions
ssl_session_timeout 1d;
ssl_session_ticket_key session-ticket-keys/4.key;
ssl_session_ticket_key session-ticket-keys/3.key;
ssl_session_ticket_key session-ticket-keys/2.key;
ssl_session_ticket_key session-ticket-keys/1.key;
## Enable HSTS header
proxy_hide_header Strict-Transport-Security;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
## The following settings need to be declared manually per vhost:
# ssl_certificate
# ssl_certificate_key
# ssl_trusted_certificate
# ssl_stapling_file
# Disable server tokens
server_tokens off;
server {
listen ipv4_1:80 default_server;
listen [ipv6_1]:80 default_server;
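Review bot: The HSTS header set at http level on the `proxy_hide_header`/`add_header` pair (the two lines after "## Enable HSTS header") is silently dropped in any `server` or `location` that declares its own `add_header` (a CSP or X-Frame-Options line is enough), because nginx only inherits `add_header` from the enclosing level when the current level sets none; now that this file is the global default, a comment should warn vhost authors, e.g. `## NOTE: add_header is NOT inherited by a server/location that sets its own add_header — such blocks must repeat this HSTS line.` The same header is now also emitted by the plain-HTTP `default_server` opened at the bottom of the hunk, which is harmless (clients ignore HSTS received over HTTP) but worth a word in that comment so nobody "fixes" it later. Note also that `ssl_ciphers` governs only the TLS 1.2 cipher list; if the intent is to restrict TLS 1.3 suites as well, that takes a separate `ssl_conf_command Ciphersuites ...` directive next to the existing `PrioritizeChaCha` one. The `server { ... }` block opened at `server {` continues past the end of the hunk, so what the :80 default server actually returns is not visible here.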


@@ -1,3 +0,0 @@
# This is all it takes to enable http2 globally
http2 on;


@@ -1 +0,0 @@
server_tokens off;


@@ -1,31 +0,0 @@
# Shared TLS configuration
## Use strong ciphers
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
ssl_conf_command Options PrioritizeChaCha;
## Configure ssl session cache
## Improves performance but we don't wanna keep this forever
## Session ticket creation and rotation is handled by GrapheneOS's scripts:
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-create-session-ticket-keys
## https://github.com/GrapheneOS/infrastructure/blob/main/nginx-rotate-session-ticket-keys
ssl_session_cache shared:SSL:10m; # About 40000 sessions
ssl_session_timeout 1d;
ssl_session_ticket_key session-ticket-keys/4.key;
ssl_session_ticket_key session-ticket-keys/3.key;
ssl_session_ticket_key session-ticket-keys/2.key;
ssl_session_ticket_key session-ticket-keys/1.key;
# Enable HSTS header
proxy_hide_header Strict-Transport-Security;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
## The following settings need to be declared manually per vhost:
# ssl_certificate
# ssl_certificate_key
# ssl_trusted_certificate
# ssl_stapling_file