RE: nginx configuration on Debian sanity check?

To: <debian-user@lists.debian.org>
Subject: RE: nginx configuration on Debian sanity check?
From: "Ming Kuang" <ming@imkuang.com>
Date: Sat, 15 Jul 2023 16:38:03 +0800
Message-id: <[🔎] 002b01d9b6f7$acdd1e50$06975af0$@imkuang.com>
In-reply-to: <[🔎] CAPORhP51ZB_=nGrLwUtzjaK-wPqKd7ADWk0ZcfO8fG6h3xCB=w@mail.gmail.com>
References: <[🔎] CAPORhP51ZB_=nGrLwUtzjaK-wPqKd7ADWk0ZcfO8fG6h3xCB=w@mail.gmail.com>

Hi，

If you go to http://example.com, you now need two redirects, maybe each
redirect could be directed to the final destination?

# Redirect http://example.com port 80 to https://www.example.com port 443
server {
listen      80;
access_log  off;
error_log   off;
server_name example.com;
return         301 https://www. example.com /$request_uri;
}

On Saturday, July 15, 2023 3:21 PM,
David Mehler <dave.mehler@gmail.com> wrote
> 
> Hello,
> 
> Can I get a sanity check on this config? I'm running Debian 12, Nginx
> 1.24.0, and PHP 8.2.
> 
> My goal is to have all non-www traffic redirected to the equivalent
> www, then all that redirected to https, basically no https no www no
> work. I'd also appreciate an assessment of my ssl ciphers, running
> protocols 1.2 and 1.3 only and want to ensure I've got the best
> security setup.
> 
> Thanks.
> Dave.
> 
> #
> # example.com virtual host configuration
> #
> # enforce HTTPS
> # Redirect www.example.com port 80 to www.example.com port 443
> server {
> listen       80;
> server_name www.example.com;
> access_log  off;
> error_log   off;
> return 301   https://$host$request_uri;
> }
> 
> # Redirect https://example.com port 80 to https://example.com port 443
> server {
> listen      80;
> access_log  off;
> error_log   off;
> server_name example.com;
> return         301 https://$server_name$request_uri;
> }
> 
> ### redirect https example.com to https www.example.com
> server {
> listen 443 ssl http2;
> server_name example.com;
> ssl_certificate /etc/ssl/example.com/example.com.fullchain.crt;
> ssl_certificate_key /etc/ssl/example.com/example.com.key;
> return 301 https://www.example.com$request_uri;
> }
> 
> # The www.example.com https virtual host
> server {
> listen       443 ssl http2;
> 
> server_name www.example.com;
> 
> access_log  /var/log/nginx/www.example.com_access.log;
> error_log   /var/log/nginx/www.example.com_error.log;
> 
> # TLS/SSL CONFIG
> # RSA certificates (dual config)
> ssl_certificate /etc/ssl/example.com/example.com.fullchain.crt;
> ssl_certificate_key /etc/ssl/example.com/example.com.key;
> 
> # ECC/ECDSA certificates (dual config)
> ssl_certificate /etc/ssl/example.com/example.com.fullchain.crt.ecc;
> ssl_certificate_key /etc/ssl/example.com/example.com.key.ecc;
> 
> # A little bit of optimization
> #ssl_session_timeout 1d;
> #ssl_session_cache shared:GoofyPizzaSSL:50m;
> #ssl_session_tickets off;
> #ssl_dhparam  /etc/ssl/example.com/dhparams.pem;
> 
> # TLS version 1.2 and 1.3 only
> #ssl_protocols TLSv1.2 TLSv1.3;
> #ssl_ciphers
> 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-E
> CDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AE
> S128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA
> 384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES
> 128-SHA256';
> #ssl_ciphers
> 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-E
> CDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AE
> S256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SH
> A256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-
> AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-
> RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECD
> HE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-A
> ES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-
> DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA
> 384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!D
> SS';
> #ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
> #ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
> #ssl_prefer_server_ciphers on;
> 
> # HSTS (ngx_http_headers_module is required)
> #
> *****************************************************************
> ********
> # WARNING - Wrong headers can create problems. Read docs otherwise
> #           all 3rd party scripts/ads won't load and in some case
> #           browser won't work. Read docs @ https://developer.mozilla.org
> #
> *****************************************************************
> ********
> #add_header Strict-Transport-Security "max-age=63072000" always;
> #add_header X-Content-Type-Options "nosniff" always;
> #add_header X-Frame-Options "SAMEORIGIN" always;
> #add_header X-Xss-Protection "1; mode=block" always;
> #add_header Referrer-Policy  strict-origin-when-cross-origin always;
> #add_header Feature-policy "accelerometer 'none'; camera 'none';
> geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone
> 'none'; payment 'none'; usb 'none'" always;
> #
> *****************************************************************
> **********************************
> # WARNING: The HTTP Content-Security-Policy response header allows
> sysadmin/developers
> # to control resources the user agent is allowed to load for a given page.
> # Wrong config can create problems for third party scripts/ad
> networks. Hence read the following url:
> #
> https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-
> Policy
> #
> *****************************************************************
> ***********************************
> #add_header content-security-policy "default-src
> https://www.example.com:443"; always;
> #ssl_stapling on;
> #ssl_stapling_verify on;
> # Replace with the IP address of your resolver
> #resolver 1.1.1.1;
> #ssl_buffer_size 8k;
> 
> root /var/www/example.com;
> 
> index index.php index.html index.nginx-debian.html;
> 
> location / {
> try_files $uri $uri/ /index.php?$query_string;
> }
> 
> # Directives to send expires headers and turn off 404 error logging.
> #location ~*
> ^.+\.(css|js|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|pn
> g|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$
> {
> #access_log off; log_not_found off; expires max;
> #}
> 
> # Pass PHP Scripts To FastCGI Server
> location ~ \.php$ {
> fastcgi_split_path_info ^(.+\.php)(/.+)$;
> fastcgi_pass unix:/run/php/php8.2-fpm.sock; #depends on PHP versions
> fastcgi_index index.php;
> fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
> include fastcgi_params;
> }
> 
> # Password-protected directory with autoindex
> #location /quickdir/ {
> #auth_basic            "Quickdir Access";
> #auth_basic_user_file  /var/www/quickdir/htpasswd;
> #root /var/www/quickdir/;
> #autoindex on;
> #}
> }

Attachment: openpgp-digital-signature.asc
Description: PGP signature

Reply to:

References:
- nginx configuration on Debian sanity check?
  - From: David Mehler <dave.mehler@gmail.com>

Prev by Date: Re: General question regarding SSD and harddrive
Next by Date: RE: General question regarding SSD and harddrive
Previous by thread: nginx configuration on Debian sanity check?
Next by thread: RE: nginx configuration on Debian sanity check?
Index(es):
- Date
- Thread