A security-focused nginx configuration to protect apps and websites, with instructions to create a neat and robust certificate signed by Let's Encrypt for use with the server.
A set of configuration files to allow easy integration of new apps, modular security and performance features, and easy debugging.
WARNING :
- If you use these files, please consider understanding their effects. Use them wisely.
- This server DOES NOT protect against vulnerabilities in the webapp you're using behind the proxy, nor against misconfiguration of your machine.

Features :
- Clear tree of linked files that is easy to maintain and update
- Easy inclusion of new apps behind the nginx proxy
- High security features by default
- Content Security Policy for a Ghost Blog
Maximum score on popular web security scanning tools :
- SSLabs : A+
- Security Headers : A+
- Hardenize : All green
- Google CSP Evaluator : All good
- Mozilla HTTP Observatory : 135/100
Included is a certificate creation script that helps you create a robust certificate for your server. Make sure you understand how it works. You may also want to automate the renewal process, which the script can include, but you will have to integrate the steps concerning your DNS provider.
- Uses a 256-bit Elliptic Curve
- Auto-renewal
- Signed by Let's Encrypt
- Wildcard-able certificate
- OCSP Must-Staple TLS extension
- Certificate Transparency TLS Extension
This configuration is made with paranoia. All configuration parameters are set to the most secure and resilient values. We also add some more layers of security with OCSP Stapling and HSTS.

Redirections :
- www/80 to www/443
- www/443 to non-www/443
- http/80 to https/443, forcing all connections to be secured
TLS :
- Restrict to TLS 1.3 and TLS 1.2
- TLS Key Exchange restricted to ECDHE
- TLS Handshake restricted to ECDSA
- TLS ciphers restricted to ChaCha20-Poly1305 and AES
- AES modes restricted to GCM and CCM
- OCSP Stapling
- HSTS set to 1 year, including subdomains and preloading
- Expect-Staple set to 1 year, including subdomains and preloading
- Expect-CT set to 1 year, enforced
HTTP headers :
- X-Frame-Options always DENY, to protect against clickjacking (can be overridden with the CSP frame-ancestors directive)
- Always "nosniff" X-Content-Type-Options
- XSS Protection
- No permitted Cross-Domain-Policies
- Download Options to noopen
- Referrer-Policy and Feature-Policy set to the absolute minimum
Cookies :
- __Host- security prefix (stronger than __Secure-)
- __Secure- security prefix
- Path=/
- value_locked
- Secure
- HttpOnly
- SameSite=Strict
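The TLS, header and cookie lists above map onto one included snippet. What follows is an added example written for this README, not the repository's own snippets/tls-params.conf; the certificate paths and example.com are assumptions, and the cipher and curve names are the OpenSSL spellings nginx expects.

```nginx
# snippets/tls-params.conf (added example, not the project's file;
# certificate paths and example.com are assumptions)

ssl_certificate         /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;  # required by ssl_stapling_verify

# TLS 1.2 and 1.3 only
ssl_protocols TLSv1.2 TLSv1.3;

# Key exchange: ECDHE only, on curves every current browser supports
ssl_ecdh_curve X25519:secp384r1:prime256v1;

# TLS 1.2 suites: ECDHE key exchange, ECDSA authentication, ChaCha20-Poly1305
# or AES in GCM/CCM. TLS 1.3 suites are fixed by the library and are AEAD-only.
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-CCM:ECDHE-ECDSA-AES128-CCM;
ssl_prefer_server_ciphers off;   # every suite above is acceptable; let mobile clients pick ChaCha20

# Session resumption without long-lived ticket keys, which would weaken forward secrecy
ssl_session_cache   shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# OCSP stapling, verified against the chain above; resolvers as listed in the extras
ssl_stapling        on;
ssl_stapling_verify on;
resolver            1.1.1.1 9.9.9.9 valid=300s;
resolver_timeout    5s;

# --- Response headers ---------------------------------------------------------
# nginx stops inheriting add_header from an outer block as soon as the current
# block defines any add_header of its own, so keep them all together here and
# include this snippet at the one level (the server block) that sets headers.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Expect-Staple "max-age=31536000; includeSubDomains; preload" always;  # proposal, checked by scanners
add_header Expect-CT "max-age=31536000, enforce" always;                        # now deprecated by browsers
add_header X-Frame-Options "DENY" always;              # a CSP frame-ancestors directive takes precedence
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;    # legacy filter, ignored by current browsers
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Download-Options "noopen" always;
add_header Referrer-Policy "no-referrer" always;
add_header Feature-Policy "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'" always;  # newer browsers read Permissions-Policy instead
add_header X-Robots-Tag "none" always;

# --- Cookies set by the proxied application ----------------------------------
# Force Path=/ and the Secure, HttpOnly and SameSite=Strict attributes on every
# Set-Cookie the upstream sends (proxy_cookie_flags needs nginx 1.19.3 or later).
proxy_cookie_path  ~^/.* /;
proxy_cookie_flags ~ secure httponly samesite=strict;
# The __Host- / __Secure- name prefixes cannot be added with the stock proxy_*
# directives: the application has to emit the prefixed name (or a module such
# as headers-more or njs must rewrite it). Browsers honour __Host- only when the
# cookie also carries Secure and Path=/ and no Domain attribute, which the two
# directives above guarantee.
```

Check the result with `nginx -t` before reloading, and remember that the same add_header rule applies to any location block you add for a new app: a location that sets its own add_header must include this snippet's header lines again or it will silently lose all of them.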
Content Security Policy (tailored for a Ghost blog) :
- default-src to 'none'
- no 'unsafe-inline'
- strict-dynamic script-src
- truly random nonces for style-src and script-src elements
- automatic injection of these nonces into scripts, inline stylesheets and stylesheet links
- frame-ancestors control
- Require SRI for scripts and styles
- no 'unsafe-eval' in script-src
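One way to express this nonce-based policy in nginx, as an added example rather than the repository's own snippet: nginx's built-in `$request_id` (16 random bytes per request, in hex) serves as the nonce and `sub_filter` injects it into the HTML Ghost returns. The snippet name and the exact source lists are assumptions.

```nginx
# snippets/csp-ghost.conf (added example, not the repository's file; include it
# in the server block that proxies to Ghost, at the same level as the other
# add_header and proxy_set_header directives, since nginx drops inherited
# add_header / proxy_set_header lines once a block defines its own)

# $request_id is 16 random bytes in hex that nginx generates per request,
# so every response carries a fresh nonce.
set $csp_nonce $request_id;

add_header Content-Security-Policy "default-src 'none'; script-src 'nonce-$csp_nonce' 'strict-dynamic'; style-src 'self' 'nonce-$csp_nonce'; img-src 'self' data:; font-src 'self'; connect-src 'self'; media-src 'self'; manifest-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; require-sri-for script style; upgrade-insecure-requests" always;

# Inject the nonce into the HTML. sub_filter can only rewrite uncompressed
# bodies, so ask the upstream for a plain response; nginx may still gzip the
# rewritten output itself.
proxy_set_header Accept-Encoding "";
sub_filter_types text/html;
sub_filter_once  off;
sub_filter '<script'                '<script nonce="$csp_nonce"';
sub_filter '<style'                 '<style nonce="$csp_nonce"';
sub_filter '<link rel="stylesheet"' '<link rel="stylesheet" nonce="$csp_nonce"';
```

Two caveats a practitioner should know. Because the nonce is injected by rewriting the response body, every `<script` tag in the HTML receives it, including any that ends up in the page through the application's own content; the policy therefore still blocks scripts loaded from hosts the page never referenced, but it does not protect against markup injected into the body the way an application-side nonce would. And `require-sri-for` never left experimental status in browsers, so it is harmless to send but should not be relied on; widen `img-src` if posts embed external images.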
Extras :
- For OCSP Stapling, the resolvers used are Cloudflare (1.1.1.1) and Quad9 (9.9.9.9), but Google (8.8.8.8 and/or 8.8.4.4) would do well too
- X-Robots-Tag to none
- Support for RSA certificate keys (if you have such, shame on you; simply change the config accordingly in snippets/tls-params.conf)
Recommendations :
- Run nginx as a low-privileged (non-root) user on high, unprivileged ports
  - create a dedicated system account (e.g. "nginx", but not "nobody")
  - `groupadd -r nginx`
  - `useradd nginx -r -g nginx -d /var/cache/nginx -s /sbin/nologin`
  - in nginx.conf : `user nginx;`
- Use PF or iptables to redirect traffic from port 80 and 443 internally to nginx
- Secure files correctly (change owner, group, and access modes)
- If you don't use the given script for your certificates, use an Elliptic Curve key in your server certificate (e.g. EdDSA when available, or at least secp256k1)
- Must-Staple your server certificate
- Submit your top-level domain to the HSTS preload list and include all subdomains
- Take some time to experiment with your CSP
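The non-root account, the unprivileged ports and the packet-filter redirect from the recommendations above come together in the main configuration. The following nginx.conf skeleton, including the two redirect servers described earlier, is an added example and not the repository's file; example.com, the snippet names, Ghost's default port 2368 and the directory layout are assumptions.

```nginx
# nginx.conf (added example, not the repository's file; example.com, the
# snippet names and the directory layout are assumptions)

user nginx;   # honoured only when the master process starts as root; when you
              # start nginx directly as "nginx" the directive is ignored and
              # every path below must be writable by that account
worker_processes auto;
pid        /var/cache/nginx/nginx.pid;      # home of the nginx account
error_log  /var/log/nginx/error.log warn;   # chown the directory to nginx:nginx

events { worker_connections 1024; }

http {
    include       mime.types;
    default_type  application/octet-stream;
    access_log    /var/log/nginx/access.log;
    server_tokens off;

    # nginx binds only unprivileged ports; the packet filter forwards 80/443 to them:
    #   iptables -t nat -A PREROUTING -p tcp --dport 80  -j REDIRECT --to-ports 8080
    #   iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
    # (pf: the equivalent rdr-to rules on the external interface)

    # http/80 -> https/443 for every name we serve (www/80 thus lands on www/443)
    server {
        listen 8080;
        listen [::]:8080;
        server_name example.com www.example.com;
        return 301 https://$host$request_uri;
    }

    # www/443 -> non-www/443
    server {
        listen 8443 ssl http2;
        listen [::]:8443 ssl http2;
        server_name www.example.com;
        include snippets/tls-params.conf;
        return 301 https://example.com$request_uri;
    }

    # The site itself, proxying to Ghost. All add_header and proxy_set_header
    # directives live at this level: nginx drops the inherited ones as soon as a
    # nested location defines its own, so the location below only proxies.
    server {
        listen 8443 ssl http2;
        listen [::]:8443 ssl http2;
        server_name example.com;

        include snippets/tls-params.conf;   # TLS settings, security headers, cookie flags
        include snippets/csp-ghost.conf;    # CSP with nonce injection

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For   $remote_addr;

        location / {
            proxy_pass http://127.0.0.1:2368;   # Ghost's default port
        }
    }
}
```

A new app behind the proxy is another `location` (or another `server` with its own `server_name`) that includes the same snippets; keep its `add_header` and `proxy_set_header` lines at the level where the snippets are included, or it will lose them. After `chown -R nginx:nginx` on the pid, log and temp directories, `nginx -t` as the nginx user confirms the account can read the certificate files the snippet points to.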