ops/nginx-kit
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

update

Browse source
This commit is contained in:
Dallas Lu 2026-06-05 14:04:17 +08:00
parent a16316979c
commit a2929be104
No known key found for this signature in database
6 changed files with 43 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

7
README.md
View file

@ -21,6 +21,7 @@ systemctl reload nginx
This repository is organized by nginx context: This repository is organized by nginx context:
- `http/`: snippets that must be included inside `http {}`. - `http/`: snippets that must be included inside `http {}`.
- `fastcgi/`: FastCGI-specific snippets for `location {}` or `server {}` blocks.
- `ssl/`: HTTPS and TLS snippets for `server {}` blocks. - `ssl/`: HTTPS and TLS snippets for `server {}` blocks.
- `proxy_pass/`: reverse proxy snippets for `location {}` blocks. - `proxy_pass/`: reverse proxy snippets for `location {}` blocks.
- `redirect/`: host and canonical URL redirects for `server {}` blocks. - `redirect/`: host and canonical URL redirects for `server {}` blocks.
@ -132,13 +133,16 @@ server {
- `kit/http/gzip.conf`: gzip compression for common text-based responses. Must be included inside `http {}`. - `kit/http/gzip.conf`: gzip compression for common text-based responses. Must be included inside `http {}`.
- `kit/http/websocket-map.conf`: defines `$connection_upgrade` for websocket proxying. Must be included inside `http {}`. - `kit/http/websocket-map.conf`: defines `$connection_upgrade` for websocket proxying. Must be included inside `http {}`.
- `kit/security.conf`: common security headers and host normalization. Intended for `server {}`. - `kit/security.conf`: common low-risk security headers and host normalization. Intended for `server {}`.
- `kit/security-legacy.conf`: optional legacy compatibility headers such as `X-Download-Options` and `X-Permitted-Cross-Domain-Policies`.
- `kit/fastcgi/hide-powered-by.conf`: hides `X-Powered-By` from FastCGI upstream responses.
- `kit/ssl/security.conf`: TLS protocol and session resumption settings. Intended for `server {}`. - `kit/ssl/security.conf`: TLS protocol and session resumption settings. Intended for `server {}`.
- `kit/ssl/hsts.conf`: HSTS header for HTTPS responses. Intended for `server {}`. - `kit/ssl/hsts.conf`: HSTS header for HTTPS responses. Intended for `server {}`.
- `kit/ssl/hsts-preload.conf`: HSTS variant with `preload`. Use only if the whole domain tree is preload-safe. - `kit/ssl/hsts-preload.conf`: HSTS variant with `preload`. Use only if the whole domain tree is preload-safe.
- `kit/ssl/force.conf`: redirects HTTP requests to HTTPS. Intended for `server {}`. - `kit/ssl/force.conf`: redirects HTTP requests to HTTPS. Intended for `server {}`.
- `kit/redirect/to-primary-domain.conf`: redirects aliases to the primary `server_name`. Intended for `server {}`. - `kit/redirect/to-primary-domain.conf`: redirects aliases to the primary `server_name`. Intended for `server {}`.
- `kit/proxy_pass/forwarded.conf`: standard reverse proxy headers. Intended for `location {}`. - `kit/proxy_pass/forwarded.conf`: standard reverse proxy headers. Intended for `location {}`.
- `kit/proxy_pass/hide-powered-by.conf`: hides `X-Powered-By` from proxied upstream responses.
- `kit/proxy_pass/websocket.conf`: websocket upgrade headers. Requires `kit/http/websocket-map.conf`. - `kit/proxy_pass/websocket.conf`: websocket upgrade headers. Requires `kit/http/websocket-map.conf`.
- `kit/proxy_pass/timeout-300.conf`: longer proxy timeouts. Intended for `location {}`. - `kit/proxy_pass/timeout-300.conf`: longer proxy timeouts. Intended for `location {}`.
@ -160,3 +164,4 @@ The script validates:
- `gzip_proxied` does not remove `ETag` or `Last-Modified` headers. It only controls when nginx may gzip requests that arrived through another proxy. - `gzip_proxied` does not remove `ETag` or `Last-Modified` headers. It only controls when nginx may gzip requests that arrived through another proxy.
- `text/html` does not need to appear in `gzip_types`; nginx compresses it automatically. - `text/html` does not need to appear in `gzip_types`; nginx compresses it automatically.
- Gzip over HTTPS can contribute to BREACH-style risk for responses that reflect attacker-controlled input alongside secrets. Keep that in mind for highly sensitive dynamic pages. - Gzip over HTTPS can contribute to BREACH-style risk for responses that reflect attacker-controlled input alongside secrets. Keep that in mind for highly sensitive dynamic pages.
- `kit/security.conf` intentionally does not set `X-Robots-Tag: none` or `X-XSS-Protection: 1; mode=block`; those are too risky or too obsolete for a default site-wide baseline.

1
fastcgi/hide-powered-by.conf Normal file
View file

@ -0,0 +1 @@
fastcgi_hide_header X-Powered-By;

1
proxy_pass/hide-powered-by.conf Normal file
View file

@ -0,0 +1 @@
proxy_hide_header X-Powered-By;

27
scripts/validate-docker.ps1
View file

@ -22,6 +22,30 @@ $serverSnippetConfig = @(
$serverSnippetConfigShell = $serverSnippetConfig -replace "`n", "\\n" $serverSnippetConfigShell = $serverSnippetConfig -replace "`n", "\\n"
$optionalSnippetConfig = @(
"events {}"
""
"http {"
" include /etc/nginx/mime.types;"
" default_type application/octet-stream;"
""
" server {"
" listen 8080;"
" include /etc/nginx/kit/security-legacy.conf;"
""
" location /fastcgi {"
" include /etc/nginx/kit/fastcgi/hide-powered-by.conf;"
" }"
""
" location /proxy {"
" include /etc/nginx/kit/proxy_pass/hide-powered-by.conf;"
" }"
" }"
"}"
) -join "\n"
$optionalSnippetConfigShell = $optionalSnippetConfig -replace "`n", "\\n"
$containerCommand = @( $containerCommand = @(
"set -eu" "set -eu"
"apk add --no-cache openssl >/dev/null" "apk add --no-cache openssl >/dev/null"
@ -35,10 +59,13 @@ $containerCommand = @(
"ln -s /etc/nginx/kit /tmp/nginx-kit/examples/kit" "ln -s /etc/nginx/kit /tmp/nginx-kit/examples/kit"
"cp /etc/nginx/kit/examples/reverse-proxy.nginx.conf /tmp/nginx-kit/examples/reverse-proxy.nginx.conf" "cp /etc/nginx/kit/examples/reverse-proxy.nginx.conf /tmp/nginx-kit/examples/reverse-proxy.nginx.conf"
"printf '%b' '$serverSnippetConfigShell' > /tmp/nginx-kit/server-snippet.nginx.conf" "printf '%b' '$serverSnippetConfigShell' > /tmp/nginx-kit/server-snippet.nginx.conf"
"printf '%b' '$optionalSnippetConfigShell' > /tmp/nginx-kit/optional-snippets.nginx.conf"
"echo 'Validating examples/example.com.conf'" "echo 'Validating examples/example.com.conf'"
"nginx -t -c /tmp/nginx-kit/server-snippet.nginx.conf" "nginx -t -c /tmp/nginx-kit/server-snippet.nginx.conf"
"echo 'Validating examples/reverse-proxy.nginx.conf'" "echo 'Validating examples/reverse-proxy.nginx.conf'"
"nginx -t -c /tmp/nginx-kit/examples/reverse-proxy.nginx.conf" "nginx -t -c /tmp/nginx-kit/examples/reverse-proxy.nginx.conf"
"echo 'Validating optional security and hide-powered-by snippets'"
"nginx -t -c /tmp/nginx-kit/optional-snippets.nginx.conf"
) -join "; " ) -join "; "
docker run --rm ` docker run --rm `

2
security-legacy.conf Normal file
View file

@ -0,0 +1,2 @@
add_header X-Download-Options noopen always;
add_header X-Permitted-Cross-Domain-Policies none always;

15
security.conf
View file

@ -1,15 +1,12 @@
server_tokens off;
## Don't show the nginx version number, a security best practice ## Don't show the nginx version number, a security best practice
server_tokens off;
add_header Referrer-Policy origin-when-cross-origin always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
#add_header X-XSS-Protection "1; mode=block" always;
add_header X-XSS-Protection "0";
#more_clear_headers 'X-Powered-By'; add_header Referrer-Policy strict-origin-when-cross-origin always;
add_header X-Frame-Options SAMEORIGIN always;
add_header X-Content-Type-Options nosniff always;
add_header X-XSS-Protection "0" always;
# Redirect `example.com.` to `example.com` # Redirect `example.com.` to `example.com`
if ($http_host ~ "\.$" ){ if ($http_host ~ "\.$" ){
rewrite ^(.*) $scheme://$host$1 permanent; rewrite ^(.*) $scheme://$host$1 permanent;
} }