|
|
@@ -1,6 +1,7 @@
|
|
|
user www-data;
|
|
|
worker_processes 4;
|
|
|
pid /run/nginx.pid;
|
|
|
+include /etc/nginx/modules-enabled/*.conf;
|
|
|
|
|
|
events {
|
|
|
worker_connections 768;
|
|
|
@@ -21,8 +22,11 @@ http {
|
|
|
keepalive_timeout 65;
|
|
|
types_hash_max_size 2048;
|
|
|
# server_tokens off;
|
|
|
-
|
|
|
+{% if 'frontend' in salt['pillar.get']('nodes:' ~ grains.id ~ ':roles', []) %}
|
|
|
+ server_names_hash_bucket_size 64;
|
|
|
+{%- else %}
|
|
|
# server_names_hash_bucket_size 64;
|
|
|
+{%- endif %}
|
|
|
# server_name_in_redirect off;
|
|
|
|
|
|
include /etc/nginx/mime.types;
|
|
|
@@ -32,8 +36,19 @@ http {
|
|
|
# SSL Settings
|
|
|
##
|
|
|
|
|
|
- ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3/TLSv1, ref: POODLE
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
+ ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3/TLSv1, ref: POODLE
|
|
|
+ ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
|
|
|
+ ssl_dhparam /etc/ssl/dhparam.pem;
|
|
|
+ ssl_ecdh_curve secp384r1;
|
|
|
+ ssl_session_cache shared:SSL:10m;
|
|
|
+ add_header Strict-Transport-Security "max-age=2592000; preload";
|
|
|
+ add_header X-Frame-Options SAMEORIGIN;
|
|
|
+ add_header X-Content-Type-Options nosniff;
|
|
|
+ add_header X-XSS-Protection "1; mode=block";
|
|
|
+ add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval' always; upgrade-insecure-requests";
|
|
|
+ add_header Referrer-Policy "strict-origin-when-cross-origin";
|
|
|
+ ssl_session_timeout 1d;
|
|
|
|
|
|
##
|
|
|
# Logging Settings
|
