2022-09-15 14:23:34 -05:00
|
|
|
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
2022-12-18 22:21:39 -06:00
|
|
|
ssl_certificate /etc/letsencrypt/live/{{ ssl.identity }}/fullchain.pem;
|
|
|
|
ssl_certificate_key /etc/letsencrypt/live/{{ ssl.identity }}/privkey.pem;
|
2022-09-15 14:23:34 -05:00
|
|
|
|
|
|
|
ssl_session_cache shared:SSL:1m;
|
|
|
|
ssl_session_timeout 5m;
|
|
|
|
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
2022-12-18 22:21:39 -06:00
|
|
|
ssl_ciphers "{{ ssl.ciphersuite }}";
|
2022-09-15 14:23:34 -05:00
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
|
|
|
|
add_header "Strict-Transport-Security" "max-age=63072000; includeSubDomains; preload";
|
|
|
|
add_header "X-Content-Type-Options" "nosniff";
|
2023-11-09 13:03:06 -06:00
|
|
|
add_header "Public-Key-Pins" "pin-sha256=\"sRHdihwgkaib1P1gxX8HFszlD+7/gTfNvuAybgLPNis=\"; pin-sha256=\"YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=\"; pin-sha256=\"C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=\"; max-age=60; includeSubDomains";
|
2022-09-15 14:23:34 -05:00
|
|
|
add_header "X-XSS-Protection" "1; mode=block";
|
|
|
|
|
|
|
|
# Cross-Origin Resource Sharing
|
|
|
|
# add_header 'Access-Control-Allow-Origin' '*' always;
|
|
|
|
# add_header 'Access-Control-Allow_Credentials' 'true' always;
|
|
|
|
# add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
|
|
|
|
# add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
|
2023-11-09 13:03:06 -06:00
|
|
|
|
|
|
|
# ModSecurity WAF
|
|
|
|
modsecurity on;
|
|
|
|
modsecurity_rules_file /etc/modsecurity/main.conf;
|