Commit blank nginx config

2016-05-23 20:17:49 +02:00
commit 29c04348c1
24 changed files with 5006 additions and 0 deletions
--- a/snippets/fastcgi-php.conf
+++ b/snippets/fastcgi-php.conf
@ -0,0 +1,20 @@
+# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+fastcgi_split_path_info ^(.+\.php)(/.+)$;
+
+include fastcgi_params;
+
+fastcgi_param PATH_INFO $fastcgi_path_info;
+fastcgi_param modHeadersAvailable true;
+
+# Check that the PHP script exists before passing it
+try_files $fastcgi_script_name =404;
+
+# Bypass the fact that try_files resets $fastcgi_path_info
+# see: http://trac.nginx.org/nginx/ticket/321
+set $path_info $fastcgi_path_info;
+fastcgi_param PATH_INFO $path_info;
+
+fastcgi_index index.php;
+include fastcgi.conf;
+
+fastcgi_pass php-handler;
--- a/snippets/force-ssl.conf
+++ b/snippets/force-ssl.conf
@ -0,0 +1,3 @@
+if ( $scheme != https ) {
+        return 301 https://$http_host$request_uri;
+}
--- a/snippets/md.conf
+++ b/snippets/md.conf
@ -0,0 +1,13 @@
+location ~ \.md$ {
+	try_files $uri =404;
+	fastcgi_pass    unix:/var/run/php5-fpm.sock;
+	fastcgi_param   DOCUMENT_ROOT    $document_root;
+	fastcgi_param   SCRIPT_NAME      $uri;
+	fastcgi_param   SCRIPT_FILENAME  /etc/nginx/parser/markdown/md.php;
+	include fastcgi_params;
+}
+
+location ~ ^(.*)\.md/raw$ {
+	try_files $1.md =404;
+	default_type text/plain;
+}
--- a/snippets/no-www.conf
+++ b/snippets/no-www.conf
@ -0,0 +1,5 @@
+if ($host ~* www\.(.*)) {
+	set $host_without_www $1;
+	#rewrite ^ $scheme://$host_without_www$request_uri permanent;
+	return 301 https://$host_without_www$request_uri;
+}
--- a/snippets/ocsp-vhost.conf
+++ b/snippets/ocsp-vhost.conf
@ -0,0 +1,6 @@
+# OCSP Stapling config
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;
--- a/snippets/php-fpm.conf
+++ b/snippets/php-fpm.conf
@ -0,0 +1,14 @@
+# pass the PHP scripts to FastCGI server (php5-fpm)
+
+#location ~ \.php$ {
+#	include snippets/fastcgi-php.conf;
+#	fastcgi_pass unix:/var/run/php5-fpm.sock;
+#}
+
+location ~ \.php$ {
+	try_files $uri =404;
+	fastcgi_split_path_info ^(.+\.php)(/.+)$;
+	fastcgi_pass unix:/var/run/php5-fpm.sock;
+	fastcgi_index index.php;
+	include fastcgi.conf;
+}
--- a/snippets/random.conf
+++ b/snippets/random.conf
@ -0,0 +1,73 @@
+content_by_lua '
+	--requires nginx-extras to be installed
+	--commented some things out because of blank pages
+	--with "include snippets/random.conf;" in location block
+
+	rand_codes = {
+	--	100	 --[[Continue]],
+	--	101	 --[[Switching Protocols]],
+	--	102	 --[[Processing]],
+	--	200	 --[[OK]],
+	--	201	 --[[Created]],
+	--	202	 --[[Accepted]],
+	--	203	 --[[Non-Authoritative Information]],
+	--	204	 --[[No Content]],
+	--	205	 --[[Reset Content]],
+	--	206	 --[[Partial Content]],
+	--	207	 --[[Multi-Status]],
+	--	208	 --[[Already Reported]],
+	--	226	 --[[IM Used]],
+		300	 --[[Multiple Choices]],
+		301	 --[[Moved Permanently]],
+		302	 --[[Found]],
+		303	 --[[See Other]],
+	--	304	 --[[Not Modified]],
+		305	 --[[Use Proxy]],
+	--	306	 --[[(Unused, who cares)]],
+	--	307	 --[[Temporary Redirect]],
+		308	 --[[Permanent Redirect]],
+		400	 --[[Bad Request]],
+		401	 --[[Unauthorized]],
+		402	 --[[Payment Required]],
+		403	 --[[Forbidden]],
+		404	 --[[Not Found]],
+		405	 --[[Method Not Allowed]],
+		406	 --[[Not Acceptable]],
+		407	 --[[Proxy Authentication Required]],
+		408	 --[[Request Timeout]],
+		409	 --[[Conflict]],
+		410	 --[[Gone]],
+		411	 --[[Length Required]],
+		412	 --[[Precondition Failed]],
+		413	 --[[Payload Too Large]],
+		414	 --[[URI Too Long]],
+		415	 --[[Unsupported Media Type]],
+		416	 --[[Range Not Satisfiable]],
+	--	417	 --[[Expectation Failed]],
+		418	 --[[I\'m a teapot <3]],
+		421	 --[[Misdirected Request]],
+	--	422	 --[[Unprocessable Entity]],
+	--	423	 --[[Locked]],
+	--	424	 --[[Failed Dependency]],
+	--	426	 --[[Upgrade Required]],
+	--	428	 --[[Precondition Required]],
+	--	429	 --[[Too Many Requests]],
+	--	431	 --[[Request Header Fields Too Large]],
+		500	 --[[Internal Server Error]],
+		501	 --[[Not Implemented]],
+		502	 --[[Bad Gateway]],
+		503	 --[[Service Unavailable]],
+		504	 --[[Gateway Timeout]],
+		505	 --[[HTTP Version Not Supported]],
+		506	 --[[Variant Also Negotiates]],
+		507	 --[[Insufficient Storage]],
+	--	508	 --[[Loop Detected]],
+	--	510	 --[[Not Extended]],
+	--	511	 --[[Network Authentication Required]],
+		1337	 --[[some extra fun]]
+	}
+
+	ngx.status = rand_codes[math.random(#rand_codes)]
+	--ngx.say("optional error page content")
+	ngx.exit(ngx.status)
+';
--- a/snippets/snakeoil.conf
+++ b/snippets/snakeoil.conf
@ -0,0 +1,5 @@
+# Self signed certificates generated by the ssl-cert package
+# Don't use them in a production server!
+
+ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
+ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
--- a/snippets/ssl-fallback.conf
+++ b/snippets/ssl-fallback.conf
@ -0,0 +1,13 @@
+# For permissions see: https://blog.kamal.io/post/nginx-and-ssl-root-key-security/
+ssl_certificate /etc/nginx/certs/default.crt;
+ssl_certificate_key /etc/nginx/certs/default.key;
+
+ssl_dhparam /etc/nginx/certs/dhparam4096.pem;
+
+#ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;
+
+# For preload see: https://hstspreload.appspot.com
+add_header Strict-Transport-Security "max-age=31536000; preload";
+# valid for 365 days
+
+
--- a/snippets/ssl-vhost.conf
+++ b/snippets/ssl-vhost.conf
@ -0,0 +1,15 @@
+# For permissions see: https://blog.kamal.io/post/nginx-and-ssl-root-key-security/
+ssl_certificate /etc/letsencrypt/live/domain.tld/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/domain.tld/privkey.pem;
+
+ssl_dhparam /etc/letsencrypt/live/domain.tld/dhparams.pem;
+
+ssl_trusted_certificate /etc/letsencrypt/live/domain.tld/chain.pem;
+
+# For preload see: https://hstspreload.appspot.com
+add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
+# valid for 365 days
+
+# Pinned certs: Lets-Enc-x1, Lets-Enc-x2
+add_header Public-Key-Pins-Report-Only 'pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; pin-sha256="sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis="; report-uri="https://report-uri.io/report/12345678/reportOnly"; max-age=7776000';
+# valid for 90 days (report-only)
--- a/snippets/ssl.conf
+++ b/snippets/ssl.conf
@ -0,0 +1,19 @@
+ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
+#cipherli.st: ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+ssl_ciphers "EECDH+AES256GCM:EDH+AES256GCM:AES256+EECDH:AES256+EDH";
+ssl_prefer_server_ciphers on;
+
+ssl_ecdh_curve secp384r1;
+
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+
+#sources
+#  http://tautt.com/best-nginx-configuration-for-security/
+#  https://sherbers.de/howto/nginx/
+#  http://blog.rlove.org/2013/12/strong-ssl-crypto.html
+#  https://cipherli.st
--- a/snippets/www.conf
+++ b/snippets/www.conf
@ -0,0 +1,4 @@
+server {
+	server_name "~^(?!www.).*" ;
+	return 301 $scheme://www.$host$request_uri;
+}