docker_images/nginx/root.conf

server {
    listen       ${NGINX_PORT} default_server;
    listen       ${NGINX_SSL_PORT} ssl http2 default_server;
    server_name ${NGINX_HOST};
    ssl_certificate ${CERTIFICATE_PATH};
    ssl_certificate_key ${CERTIFICATE_KEY_PATH};

    ssl_protocols ${SSL_PROTOCOLS};
    ssl_ciphers ${SSL_CIPHERS};
    ssl_prefer_server_ciphers off;

    ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam

    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_session_cache shared:TLS:10m; # About 40k sessions

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Set HSTS to 365 days
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;

    # resolver 127.0.0.1;

    # DDoS
    client_body_buffer_size ${CLIENT_BODY_BUFFER_SIZE};
    client_header_buffer_size ${CLIENT_HEADER_BUFFER_SIZE};
    client_max_body_size ${CLIENT_MAX_BODY_SIZE};
    large_client_header_buffers ${LARGE_CLIENT_HEADER_BUFFERS};

    location / {
        root   /var/www/html;
        index  index.html index.htm index.php;
    }
}
[ADD]Nginx generic image 2016-10-04 09:32:47 +02:00			`server {`
[IMP]Manage nginx ports 2017-07-01 15:48:03 +02:00			`listen ${NGINX_PORT} default_server;`
[IMP]Nginx : add HTTP2 per default 2021-04-17 17:43:42 +02:00			`listen ${NGINX_SSL_PORT} ssl http2 default_server;`
[ADD]Nginx generic image 2016-10-04 09:32:47 +02:00			`server_name ${NGINX_HOST};`
[IMP]Nginx base image : make certificat paths configurable 2021-03-29 10:59:57 +02:00			`ssl_certificate ${CERTIFICATE_PATH};`
			`ssl_certificate_key ${CERTIFICATE_KEY_PATH};`
[IMP]Nginx : security improvements * Updated ciphers / protocols and other base conf ; * Run as nginx user, no more root then fork. 2021-03-29 09:51:14 +02:00
[IMP]Nginx image : ssl protocols and ciphers configurables 2021-03-29 20:13:54 +02:00			`ssl_protocols ${SSL_PROTOCOLS};`
			`ssl_ciphers ${SSL_CIPHERS};`
[IMP]Nginx : security improvements * Updated ciphers / protocols and other base conf ; * Run as nginx user, no more root then fork. 2021-03-29 09:51:14 +02:00			`ssl_prefer_server_ciphers off;`

[ADD]Nginx generic image 2016-10-04 09:32:47 +02:00			`ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam`
[IMP]Nginx : security improvements * Updated ciphers / protocols and other base conf ; * Run as nginx user, no more root then fork. 2021-03-29 09:51:14 +02:00
			`ssl_session_timeout 1d;`
			`ssl_session_tickets off;`
			`ssl_session_cache shared:TLS:10m; # About 40k sessions`

[IMP]Improve base configuration for TLS/SSL on Nginx 2017-04-07 12:13:43 +02:00			`# OCSP stapling`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`
			`# Set HSTS to 365 days`
[IMP]Nginx : security improvements * Updated ciphers / protocols and other base conf ; * Run as nginx user, no more root then fork. 2021-03-29 09:51:14 +02:00			`add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always;`

			`# resolver 127.0.0.1;`
[IMP]Improve base configuration for TLS/SSL on Nginx 2017-04-07 12:13:43 +02:00
[IMP]Nginx : security improvements * Updated ciphers / protocols and other base conf ; * Run as nginx user, no more root then fork. 2021-03-29 09:51:14 +02:00			`# DDoS`
[IMP]Nginx : new configurable params (buffers) 2021-03-30 10:53:25 +02:00			`client_body_buffer_size ${CLIENT_BODY_BUFFER_SIZE};`
			`client_header_buffer_size ${CLIENT_HEADER_BUFFER_SIZE};`
			`client_max_body_size ${CLIENT_MAX_BODY_SIZE};`
			`large_client_header_buffers ${LARGE_CLIENT_HEADER_BUFFERS};`
[ADD]Nginx generic image 2016-10-04 09:32:47 +02:00
			`location / {`
			`root /var/www/html;`
			`index index.html index.htm index.php;`
			`}`
			`}`