easypath / nginx-secure-configs

NGINX config templates for popular apps, pre-configured for security

Secure NGINX configs

A repository of virtual-host configuration templates for use with NGINX, pre-configured for security. All templates score A+ on Qualys SSL Labs.

Browser/client support

The templates only support modern clients and browsers. Legacy clients, including Internet Explorer 9 or below on Windows XP, are not supported. To modify legacy-client support, tweak the SSL cipher list (see here for more info).

Requirements

  • NGINX, tested on version 1.10.0 (Ubuntu)
  • SSL certificate

Template notes

General:

  • SEO best-practice is to do a "Class B" redirect, i.e. redirect bare-domains (without www) to www.domain.com (see here for more info)

WordPress:

  • Requires PHP7.0 FPM
  • Tested with WordPress 4.5.2
  • X-Frame-Options header is set to "SAMEORIGIN"; setting it to "DENY" causes issues in WP-Admin, e.g. the site cannot be previewed when changing themes and the page must be reloaded to see changes

CloudFlare:

  • Requires a free or paid account
  • CloudFlare can also redirect HTTP to HTTPS using a page rule; however, in testing this seems to cause chained 301 redirects, i.e. http://example.com to https://example.com to https://www.example.com
  • Pre-configured to restore the visitor's original IP; the list of CloudFlare IP addresses must be periodically updated (see here for more info)
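
An added example (not one of the repository's templates) of how the redirect and CloudFlare notes above fit together in one virtual host: every non-canonical request reaches https://www.example.com in a single 301, and CF-Connecting-IP is honoured only from listed proxy ranges. The domain, certificate paths, web root and the 203.0.113.0/24 range are placeholders.

```nginx
# Added example; example.com, all paths and the IP range are placeholders.

# Plain HTTP: send both hostnames straight to the canonical HTTPS www host,
# so a client never follows http -> https -> www as two separate 301s.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://www.example.com$request_uri;
}

# HTTPS on the bare domain: one 301 to www (the "Class B" redirect).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder path
    return 301 https://www.example.com$request_uri;
}

# Canonical host: the only server block that serves content.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/ssl/example/fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;    # placeholder path

    # Replace the client address with CF-Connecting-IP only when the TCP
    # peer is inside a trusted range. Requests arriving from any other
    # address keep their real source IP, so the header cannot be spoofed
    # by connecting to the origin directly.
    # Use one set_real_ip_from line per range CloudFlare publishes and
    # refresh the list periodically.
    set_real_ip_from 203.0.113.0/24;  # placeholder, NOT a CloudFlare range
    real_ip_header   CF-Connecting-IP;

    # SAMEORIGIN rather than DENY, per the WordPress note above.
    # "always" also attaches the header to error responses.
    add_header X-Frame-Options "SAMEORIGIN" always;

    root  /var/www/example;           # placeholder web root
    index index.php index.html;
}
```

`set_real_ip_from` and `real_ip_header` require ngx_http_realip_module; `nginx -V` shows whether the installed build includes it.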

Credits

The template is based on the following resources:

License: MIT License