|
@@ -32,7 +32,7 @@ http {
|
|
|
server_names_hash_max_size 512;
|
|
server_names_hash_max_size 512;
|
|
|
server_names_hash_bucket_size 512;
|
|
server_names_hash_bucket_size 512;
|
|
|
charset utf-8;
|
|
charset utf-8;
|
|
|
-
|
|
|
|
|
|
|
+
|
|
|
# FastCGI settings
|
|
# FastCGI settings
|
|
|
fastcgi_buffers 4 256k;
|
|
fastcgi_buffers 4 256k;
|
|
|
fastcgi_buffer_size 256k;
|
|
fastcgi_buffer_size 256k;
|
|
@@ -103,23 +103,22 @@ http {
|
|
|
#set_real_ip_from 2a06:98c0::/29;
|
|
#set_real_ip_from 2a06:98c0::/29;
|
|
|
real_ip_header CF-Connecting-IP;
|
|
real_ip_header CF-Connecting-IP;
|
|
|
|
|
|
|
|
- # SSL PCI Compliance
|
|
|
|
|
- ssl_session_cache shared:SSL:10m;
|
|
|
|
|
|
|
+ # SSL PCI compliance
|
|
|
|
|
+ ssl_session_cache shared:SSL:20m;
|
|
|
|
|
+ ssl_buffer_size 1400;
|
|
|
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
|
|
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
|
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_prefer_server_ciphers on;
|
|
|
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
|
|
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
|
|
|
ssl_dhparam /etc/ssl/dhparam.pem;
|
|
ssl_dhparam /etc/ssl/dhparam.pem;
|
|
|
- ssl_ecdh_curve secp384r1;
|
|
|
|
|
- ssl_session_cache shared:SSL:10m;
|
|
|
|
|
|
|
+ ssl_ecdh_curve secp384r1;
|
|
|
ssl_session_tickets off;
|
|
ssl_session_tickets off;
|
|
|
- ssl_stapling on;
|
|
|
|
|
|
|
+ ssl_stapling on;
|
|
|
ssl_stapling_verify on;
|
|
ssl_stapling_verify on;
|
|
|
- ssl_buffer_size 1400;
|
|
|
|
|
resolver 1.0.0.1 1.1.1.1 valid=300s;
|
|
resolver 1.0.0.1 1.1.1.1 valid=300s;
|
|
|
- resolver_timeout 5s;
|
|
|
|
|
- add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
|
|
|
|
- add_header X-Frame-Options SAMEORIGIN;
|
|
|
|
|
- add_header X-Content-Type-Options nosniff;
|
|
|
|
|
|
|
+ resolver_timeout 5s;
|
|
|
|
|
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
|
|
|
|
|
+ add_header X-Frame-Options SAMEORIGIN;
|
|
|
|
|
+ add_header X-Content-Type-Options nosniff;
|
|
|
|
|
|
|
|
# Error pages
|
|
# Error pages
|
|
|
error_page 403 /error/403.html;
|
|
error_page 403 /error/403.html;
|
|
@@ -141,7 +140,7 @@ http {
|
|
|
~wordpress_logged_in 1;
|
|
~wordpress_logged_in 1;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- # File cache settings
|
|
|
|
|
|
|
+ # File cache (static assets)
|
|
|
open_file_cache max=10000 inactive=30s;
|
|
open_file_cache max=10000 inactive=30s;
|
|
|
open_file_cache_valid 60s;
|
|
open_file_cache_valid 60s;
|
|
|
open_file_cache_min_uses 2;
|
|
open_file_cache_min_uses 2;
|
|
@@ -149,4 +148,4 @@ http {
|
|
|
|
|
|
|
|
# Wildcard include
|
|
# Wildcard include
|
|
|
include /etc/nginx/conf.d/*.conf;
|
|
include /etc/nginx/conf.d/*.conf;
|
|
|
-}
|
|
|
|
|
|
|
+}
|
Kristan Kenney