Skip to content

D
dev.biuro
Commit a6b73f4f authored by Simonas's avatar Simonas
Browse files
Options

in progress

parent 939239ac
Hide whitespace changes
Inline Side-by-side
Showing with 1241 additions and 262 deletions
README.md
View file @ a6b73f4f
......@@ -122,7 +122,8 @@ Restart docker (sometimes PC restart may be required)
### DB preview
- `docker exec -it mysql bash`
- `docker exec -it dev-biuro-wordpress bash`
- `docker exec -it dev-biuro-mysql bash`
- `mysql -uroot -pIiIjnsLi2wR9i1kWVbVpUAzP --default-character-set=utf8`
- `use wordpress;`
- `show tables;`
......
docker-compose.yml
View file @ a6b73f4f
......@@ -68,9 +68,17 @@ services:
- '80:80'
- '443:443'
volumes:
# - ./nginx:/etc/nginx/conf.d
- ./nginx/conf.d:/etc/nginx/conf.d
- ./nginx/h5bp:/etc/nginx/h5bp
- ./nginx/nginx.conf:/etc/nginx/nginx.conf
- ./nginx/redirects:/etc/nginx/redirects
- ./nginx/cache:/var/cache/nginx
# - ./nginx/nginx.conf:/etc/nginx/nginx.conf
# - ./nginx:/etc/nginx/conf.d
# - ./nginx/conf.d:/etc/nginx/conf.d
# - ./nginx/nginx.conf:/etc/nginx/nginx.conf
- ./logs/nginx:/var/log/nginx
......
nginx/conf.d/dev-biuro.conf
View file @ a6b73f4f
......@@ -15,253 +15,47 @@ server {
}
server {
listen 443 ssl http2;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dev.biuro.lt;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
server_name dev.biuro.lt;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
include /etc/nginx/conf.d/server-shared.conf;
ssl_certificate /etc/letsencrypt/biuro.lt/certificate.crt;
ssl_certificate_key /etc/letsencrypt/biuro.lt/private.key;
ssl_trusted_certificate /etc/letsencrypt/biuro.lt/ca_bundle.crt;
# ssl_protocols TLSv1.2 TLSv1.3;
# ssl_ciphers EECDH+CHACHA20:EECDH+AES;
# # (1)
# ssl_ecdh_curve X25519;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# ssl_prefer_server_ciphers on;
# ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
root /var/www/html;
index index.php;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# 301 redirects
include /etc/nginx/conf.d/redirects/biuro.lt.conf;
#
gzip on;
gzip_comp_level 5;
gzip_min_length 1024;
gzip_proxied any;
gzip_vary on;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-javascript text/xml
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
application/xml+rss text/javascript
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component;
gzip_disable "MSIE [1-6]\.";
# brotli on;
# brotli_comp_level 6;
# brotli_types application/eot application/x-otf application/font application/x-perl application/font-sfnt application/x-ttf application/javascript
# font/eot application/json font/ttf application/opentype font/otf application/otf font/opentype application/pkcs7-mime image/svg+xml
# application/truetype text/css application/ttf text/csv application/vnd.ms-fontobject text/html application/xhtml+xml text/javascript
# application/xml text/js application/xml+rss text/plain application/x-font-opentype text/richtext application/x-font-truetype
# text/tab-separated-values application/x-font-ttf text/xml application/x-httpd-cgi text/x-script application/x-javascript
# text/x-component application/x-mpegurl text/x-java-source application/x-opentype
# ;
#
# Expire rules for static content
# https://serversforhackers.com/c/nginx-caching
# https://github.com/h5bp/server-configs-nginx
# cache.appcache, your document html and data
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires -1;
# access_log logs/static.log; # I don't usually include a static log
}
# Feed
location ~* \.(?:rss|atom)$ {
expires 1h;
add_header Cache-Control "public";
}
# Media: images, icons, video, audio, HTC
location ~* \.(?:webp|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
expires 6M;
access_log off;
add_header Cache-Control "public";
}
# CSS and Javascript
location ~* \.(?:css|js)$ {
expires 1y;
access_log off;
add_header Cache-Control "public";
}
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
include redirects/biuro.lt.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dev.biuro.lv;
server_name dev.biuro.lv;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
include /etc/nginx/conf.d/server-shared.conf;
ssl_certificate /etc/letsencrypt/biuro.lv/certificate.pem;
ssl_certificate_key /etc/letsencrypt/biuro.lv/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/biuro.lv/ca-bundle.pem;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# ssl_prefer_server_ciphers on;
# ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
root /var/www/html;
index index.php;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# 301 redirects
include /etc/nginx/conf.d/redirects/biuro.lv.conf;
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_disable "MSIE [1-6]\.";
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
include redirects/biuro.lv.conf;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name dev.biuro.ee;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
server_name dev.biuro.ee;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
include /etc/nginx/conf.d/server-shared.conf;
ssl_certificate /etc/letsencrypt/biuro.ee/certificate.pem;
ssl_certificate_key /etc/letsencrypt/biuro.ee/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/biuro.ee/ca-bundle.pem;
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
# ssl_prefer_server_ciphers on;
# ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
root /var/www/html;
index index.php;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# 301 redirects
include /etc/nginx/conf.d/redirects/biuro.ee.conf;
gzip on;
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
gzip_disable "MSIE [1-6]\.";
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
include redirects/biuro.ee.conf;
}
# RewriteEngine On
# RewriteBase /
# RewriteRule ^index\.php$ - [L]
#
# # add a trailing slash to /wp-admin
# RewriteRule ^wp-admin$ wp-admin/ [R=301,L]
#
# RewriteCond %{REQUEST_FILENAME} -f [OR]
# RewriteCond %{REQUEST_FILENAME} -d
# RewriteRule ^ - [L]
# RewriteRule ^(wp-(content|admin|includes).*) $1 [L]
# RewriteRule ^(.*\.php)$ $1 [L]
# RewriteRule . index.php [L]
nginx/conf.d/server-shared.conf 0 → 100644
View file @ a6b73f4f
include h5bp/internet_explorer/x-ua-compatible.conf;
include h5bp/security/content-security-policy.conf;
include h5bp/security/referrer-policy.conf;
include h5bp/security/strict-transport-security.conf;
include h5bp/security/x-content-type-options.conf;
include h5bp/security/x-frame-options.conf;
include h5bp/security/x-xss-protection.conf;
include h5bp/location/security_file_access.conf;
include h5bp/location/web_performance_cache_expiration.conf;
include h5bp/web_performance/no-transform.conf;
include h5bp/cross-origin/requests.conf;
root /var/www/html;
index index.php;
location / {
try_files $uri $uri/ /index.php?$args;
}
location ~ \.php$ {
try_files $uri =404;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass wordpress:9000;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
}
nginx/dev-biuro.conf deleted 100644 → 0
View file @ 939239ac
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
gzip on;
brotli on;
################################
# DO WHATEVER YOU WANT HERE :) #
################################
include /etc/nginx/conf.d/*.conf;
}
nginx/h5bp/basic.conf 0 → 100644
View file @ a6b73f4f
# Nginx Server Configs | MIT License
# https://github.com/h5bp/server-configs-nginx
include h5bp/internet_explorer/x-ua-compatible.conf;
include h5bp/security/content-security-policy.conf;
include h5bp/security/referrer-policy.conf;
include h5bp/security/x-content-type-options.conf;
include h5bp/security/x-frame-options.conf;
include h5bp/security/x-xss-protection.conf;
include h5bp/location/security_file_access.conf;
include h5bp/web_performance/no-transform.conf;
include h5bp/cross-origin/requests.conf;
nginx/h5bp/cross-origin/requests.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Cross-origin requests |
# ----------------------------------------------------------------------
# Allow cross-origin requests.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
# https://enable-cors.org/
# https://www.w3.org/TR/cors/
# (!) Do not use this without understanding the consequences.
# This will permit access from any other website.
#
# Instead of using this file, consider using a specific rule such as:
#
# Allow access based on [sub]domain:
# add_header Access-Control-Allow-Origin "subdomain.example.com";
add_header Access-Control-Allow-Origin $cors;
nginx/h5bp/cross-origin/resource_timing.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Cross-origin resource timing |
# ----------------------------------------------------------------------
# Allow cross-origin access to the timing information for all resources.
#
# If a resource isn't served with a `Timing-Allow-Origin` header that
# would allow its timing information to be shared with the document,
# some of the attributes of the `PerformanceResourceTiming` object will
# be set to zero.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
# https://www.w3.org/TR/resource-timing/
# https://www.stevesouders.com/blog/2014/08/21/resource-timing-practical-tips/
add_header Timing-Allow-Origin "*";
nginx/h5bp/errors/custom_errors.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Custom error messages/pages |
# ----------------------------------------------------------------------
# Customize what Nginx returns to the client in case of an error.
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page
error_page 404 /404.html;
nginx/h5bp/internet_explorer/x-ua-compatible.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Document modes |
# ----------------------------------------------------------------------
# Force Internet Explorer 8/9/10 to render pages in the highest mode
# available in the various cases when it may not.
#
# https://hsivonen.fi/doctype/#ie8
#
# (!) Starting with Internet Explorer 11, document modes are deprecated.
# If your business still relies on older web apps and services that were
# designed for older versions of Internet Explorer, you might want to
# consider enabling `Enterprise Mode` throughout your company.
#
# https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
# https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/
# https://msdn.microsoft.com/en-us/library/ff955275.aspx
add_header X-UA-Compatible $x_ua_compatible;
nginx/h5bp/location/security_file_access.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | File access |
# ----------------------------------------------------------------------
# Block access to all hidden files and directories with the exception of
# the visible content from within the `/.well-known/` hidden directory.
#
# These types of files usually contain user preferences or the preserved
# state of an utility, and can include rather private places like, for
# example, the `.git` or `.svn` directories.
#
# The `/.well-known/` directory represents the standard (RFC 5785) path
# prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`,
# `/.well-known/keybase.txt`), and therefore, access to its visible
# content should not be blocked.
#
# https://www.mnot.net/blog/2010/04/07/well-known
# https://tools.ietf.org/html/rfc5785
location ~* /\.(?!well-known\/) {
deny all;
}
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Block access to files that can expose sensitive information.
#
# By default, block access to backup and source files that may be
# left by some text editors and can pose a security risk when anyone
# has access to them.
#
# https://feross.org/cmsploit/
#
# (!) Update the `location` regular expression from below to
# include any files that might end up on your production server and
# can expose sensitive information about your website. These files may
# include: configuration files, files that contain metadata about the
# project (e.g.: project dependencies), build scripts, etc..
location ~* (?:#.*#|\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
deny all;
}
nginx/h5bp/location/web_performance_cache_expiration.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Cache expiration |
# ----------------------------------------------------------------------
# Serve resources with far-future expiration date.
#
# (!) If you don't control versioning with filename-based
# cache busting, you should consider lowering the cache times
# to something like one week.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
# No default expire rule. This config mirrors that of apache as outlined in the
# html5-boilerplate .htaccess file. However, nginx applies rules by location,
# the apache rules are defined by type. A consequence of this difference is that
# if you use no file extension in the url and serve html, with apache you get an
# expire time of 0s, with nginx you'd get an expire header of one month in the
# future (if the default expire rule is 1 month). Therefore, do not use a
# default expire rule with nginx unless your site is completely static
# Documents
location ~* \.(?:manifest|appcache|html?|xml|json)$ {
expires 0;
}
# Feeds
location ~* \.(?:rss|atom)$ {
expires 1h;
}
# Media files
location ~* \.(?:webp|jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
access_log off;
expires 1M;
}
# Media: svgz files are already compressed.
location ~* \.svgz$ {
access_log off;
gzip off;
expires 1M;
}
# CSS and JavaScript
location ~* \.(?:css|js)$ {
expires 1y;
access_log off;
}
# Web fonts
# If you are NOT using cross-domain-fonts.conf, uncomment the following directive
location ~* \.(?:eot|otf|tt[cf]|woff2?)$ {
expires 1M;
access_log off;
}
nginx/h5bp/location/web_performance_filename-based_cache_busting.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Filename-based cache busting |
# ----------------------------------------------------------------------
# If you're not using a build process to manage your filename version
# revving, you might want to consider enabling the following directives
#
# To understand why this is important and even a better solution than
# using something like `*.css?v231`, please see:
# https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
location ~* (.+)\.(?:\w+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|png|svgz?|webp|webmanifest)$ {
try_files $uri $1.$2;
}
nginx/h5bp/media_types/character_encodings.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Character encodings |
# ----------------------------------------------------------------------
# Serve all resources labeled as `text/html` or `text/plain`
# with the media type `charset` parameter set to `UTF-8`.
#
# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset
charset utf-8;
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Update charset_types to match updated mime.types.
# text/html is always included by charset module.
# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
#
# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset_types
charset_types
text/css
text/plain
text/vnd.wap.wml
text/javascript
text/markdown
text/calendar
text/x-component
text/vcard
text/cache-manifest
text/vtt
application/json
application/manifest+json;
nginx/h5bp/media_types/media_types.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Media types |
# ----------------------------------------------------------------------
# Serve resources with the proper media types (f.k.a. MIME types).
#
# https://www.iana.org/assignments/media-types/media-types.xhtml
# https://nginx.org/en/docs/http/ngx_http_core_module.html#types
include mime.types;
# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Default: text/plain
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type
default_type application/octet-stream;
nginx/h5bp/security/content-security-policy.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Content Security Policy (CSP) |
# ----------------------------------------------------------------------
# Mitigate the risk of cross-site scripting and other content-injection
# attacks.
#
# This can be done by setting a `Content Security Policy` which
# whitelists trusted sources of content for your website.
#
# The example header below allows ONLY scripts that are loaded from
# the current website's origin (no inline scripts, no CDN, etc).
# That almost certainly won't work as-is for your website!
#
# To make things easier, you can use an online CSP header generator
# such as: https://www.cspisawesome.com/.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
# https://www.w3.org/TR/CSP3/
# https://content-security-policy.com/
# https://www.html5rocks.com/en/tutorials/security/content-security-policy/
add_header Content-Security-Policy $content_security_policy always;
nginx/h5bp/security/referrer-policy.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Referrer Policy |
# ----------------------------------------------------------------------
# A web application uses HTTPS and a URL-based session identifier.
# The web application might wish to link to HTTPS resources on other
# web sites without leaking the user's session identifier in the URL.
#
# This can be done by setting a `Referrer Policy` which
# whitelists trusted sources of content for your website.
#
# To check your referrer policy, you can use an online service
# such as: https://securityheaders.io/.
#
# https://scotthelme.co.uk/a-new-security-header-referrer-policy/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy
add_header Referrer-Policy $referrer_policy always;
nginx/h5bp/security/server_software_information.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Server software information |
# ----------------------------------------------------------------------
# Prevent Nginx from sending in the `Server` response header its
# exact version number.
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
server_tokens off;
nginx/h5bp/security/strict-transport-security.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | HTTP Strict Transport Security (HSTS) |
# ----------------------------------------------------------------------
# Force client-side SSL redirection.
#
# If a user types `example.com` in their browser, even if the server
# redirects them to the secure version of the website, that still leaves
# a window of opportunity (the initial HTTP connection) for an attacker
# to downgrade or redirect the request.
#
# The following header ensures that browser will ONLY connect to your
# server via HTTPS, regardless of what the users type in the browser's
# address bar.
#
# (!) Be aware that this, once published, is not revokable and you must ensure
# being able to serve the site via SSL for the duration you've specified
# in max-age. When you don't have a valid SSL connection (anymore) your
# visitors will see a nasty error message even when attempting to connect
# via simple HTTP.
#
# (!) Remove the `includeSubDomains` optional directive if the website's
# subdomains are not using HTTPS.
#
# (1) If you want to submit your site for HSTS preload (2) you must
# * ensure the `includeSubDomains` directive to be present
# * the `preload` directive to be specified
# * the `max-age` to be at least 31536000 seconds (1 year) according to the current status.
#
# It is also advised (3) to only serve the HSTS header via a secure connection.
#
# (2) https://hstspreload.org/
# (3) https://tools.ietf.org/html/rfc6797#section-7.2
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
# https://tools.ietf.org/html/rfc6797#section-6.1
# https://www.html5rocks.com/en/tutorials/security/transport-layer-security/
# https://blogs.msdn.microsoft.com/ieinternals/2014/08/18/strict-transport-security/
add_header Strict-Transport-Security "max-age=16070400; includeSubDomains" always;
# (1) or if HSTS preloading is desired (respect (2) for current requirements):
# add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
nginx/h5bp/security/x-content-type-options.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Reducing MIME type security risks |
# ----------------------------------------------------------------------
# Prevent some browsers from MIME-sniffing the response.
#
# This reduces exposure to drive-by download attacks and cross-origin
# data leaks, and should be left uncommented, especially if the server
# is serving user-uploaded content or content that could potentially be
# treated as executable by the browser.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-v-comprehensive-protection/
# https://mimesniff.spec.whatwg.org/
add_header X-Content-Type-Options nosniff always;
nginx/h5bp/security/x-frame-options.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Clickjacking |
# ----------------------------------------------------------------------
# Protect website against clickjacking.
#
# The example below sends the `X-Frame-Options` response header with
# the value `DENY`, informing browsers not to display the content of
# the web page in any frame.
#
# This might not be the best setting for everyone. You should read
# about the other two possible values the `X-Frame-Options` header
# field can have: `SAMEORIGIN` and `ALLOW-FROM`.
# https://tools.ietf.org/html/rfc7034#section-2.1.
#
# Keep in mind that while you could send the `X-Frame-Options` header
# for all of your website’s pages, this has the potential downside that
# it forbids even non-malicious framing of your content (e.g.: when
# users visit your website using a Google Image Search results page).
#
# Nonetheless, you should ensure that you send the `X-Frame-Options`
# header for all pages that allow a user to make a state changing
# operation (e.g: pages that contain one-click purchase links, checkout
# or bank-transfer confirmation pages, pages that make permanent
# configuration changes, etc.).
#
# Sending the `X-Frame-Options` header can also protect your website
# against more than just clickjacking attacks:
# https://cure53.de/xfo-clickjacking.pdf.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# https://tools.ietf.org/html/rfc7034
# https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
# https://www.owasp.org/index.php/Clickjacking
add_header X-Frame-Options $x_frame_options always;
nginx/h5bp/security/x-xss-protection.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Reflected Cross-Site Scripting (XSS) attacks |
# ----------------------------------------------------------------------
# (1) Try to re-enable the cross-site scripting (XSS) filter built
# into most web browsers.
#
# The filter is usually enabled by default, but in some cases it
# may be disabled by the user. However, in Internet Explorer for
# example, it can be re-enabled just by sending the
# `X-XSS-Protection` header with the value of `1`.
#
# (2) Prevent web browsers from rendering the web page if a potential
# reflected (a.k.a non-persistent) XSS attack is detected by the
# filter.
#
# By default, if the filter is enabled and browsers detect a
# reflected XSS attack, they will attempt to block the attack
# by making the smallest possible modifications to the returned
# web page.
#
# Unfortunately, in some browsers (e.g.: Internet Explorer),
# this default behavior may allow the XSS filter to be exploited,
# thereby, it's better to inform browsers to prevent the rendering
# of the page altogether, instead of attempting to modify it.
#
# https://hackademix.net/2009/11/21/ies-xss-filter-creates-xss-vulnerabilities
#
# (!) Do not rely on the XSS filter to prevent XSS attacks! Ensure that
# you are taking all possible measures to prevent XSS attacks, the
# most obvious being: validating and sanitizing your website's inputs.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# https://blogs.msdn.microsoft.com/ie/2008/07/02/ie8-security-part-iv-the-xss-filter/
# https://blogs.msdn.microsoft.com/ieinternals/2011/01/31/controlling-the-xss-filter/
# https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
add_header X-XSS-Protection $x_xss_protection always;
nginx/h5bp/ssl/certificate_files.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Certificate files |
# ----------------------------------------------------------------------
# This default SSL certificate will be served whenever the client lacks
# support for SNI (Server Name Indication).
# Make it a symlink to the most important certificate you have, so that
# users of IE 8 and below on WinXP can see your main site without SSL errors.
#
# (1) Certificate and key files location
# The certificate file can contain intermediate certificate.
#
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
#
# (2) Intermediate certificate location if loaded certificate (1) does not
# contain intermediate certificate when enabling OCSP stanpling.
#
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_trusted_certificate
#
# (3) CA certificate file location for client certificate authentication
#
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate
# (1)
ssl_certificate /etc/nginx/certs/default.crt;
ssl_certificate_key /etc/nginx/certs/default.key;
# (2)
# ssl_trusted_certificate /path/to/ca.crt;
# (3)
# ssl_client_certificate /etc/nginx/default_ssl.crt;
nginx/h5bp/ssl/ocsp_stapling.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Online Certificate Status Protocol stapling |
# ----------------------------------------------------------------------
# OCSP is a lightweight, only one record to help clients verify the
# validity of the server certificate.
# OCSP stapling allow the server to send its cached OCSP record during
# the TLS handshake, whithout the need of 3rd party OCSP responder.
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
# https://tools.ietf.org/html/rfc6066#section-8
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 216.146.35.35 216.146.36.36 valid=60s;
resolver_timeout 2s;
nginx/h5bp/ssl/policy_deprecated.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | SSL policy - Deprecated |
# ----------------------------------------------------------------------
# For services that don't need compatibility with legacy clients
# (mostly WinXP), but still need to support a wide range of clients,
# this configuration is recommended.
#
# Protect against the BEAST and POODLE attacks by not using SSLv3 at all.
# If you need to support older browsers (IE6) you may need to add
# SSLv3 to the list of protocols.
#
# Based on intermediate profile recommended by Mozilla.
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
#
# (1) Diffie-Hellman parameter for DHE cipher suites
# A 4096 bits or more DH parameter is recommended.
# (!) A DH parameter generation is required to enable this directive.
# openssl dhparam -out /etc/nginx/dhparam.pem 4096
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA;
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
# (1)
# ssl_dhparam /etc/nginx/dhparam.pem;
nginx/h5bp/ssl/policy_intermediate.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | SSL policy - Intermediate |
# ----------------------------------------------------------------------
# For services that don't need backward compatibility, the parameters
# below provide a higher level of security.
#
# (!) This policy enfore a strong SSL configuration, which may raise
# errors with old clients.
# If a more compatible profile is required, use intermediate policy.
#
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known
# to be weak and potentially vulnerable but are required to support
# Microsoft Edge and Safari.
# https://safecurves.cr.yp.to/
#
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
# (1)
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
nginx/h5bp/ssl/policy_modern.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | SSL policy - Modern |
# ----------------------------------------------------------------------
# For services that want to be on the bleeding edge, the parameters
# below sacrifice compatibility for the highest level of security & performance
#
# (!) TLSv1.3 and it's 0-RTT feature require NGINX >=1.15.4 and OpenSSL >=1.1.1
# to be installed.
#
# (!) Don't enable `ssl_early_data` blindly! Requests sent within early data are
# subject to replay attacks.
#
# (1) The NIST curves (prime256v1, secp384r1, secp521r1) are known to be weak
# and potentially vulnerable.
#
# Add them back to the parameter `ssl_ecdh_curve` below to support
# Microsoft Edge and Safari.
#
# https://safecurves.cr.yp.to/
#
# (2) Enables TLS 1.3 0-RTT, allows for faster resumption of TLS sessions.
#
# (!) Requests sent within early data are subject to replay attacks.
# To protect against such attacks at the application layer, the
# $ssl_early_data variable should be used:
# proxy_set_header Early-Data $ssl_early_data;
#
# The application should return response code 425 for anything that
# could contain user supplied data.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/425
#
# https://github.com/certbot/certbot/issues/6367
# https://github.com/mozilla/server-side-tls/issues/217
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
# (1)
ssl_ecdh_curve X25519;
# (2)
#ssl_early_data on;
nginx/h5bp/ssl/ssl_engine.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | SSL engine |
# ----------------------------------------------------------------------
# (1) Optimize SSL by caching session parameters for 10 minutes.
# This cuts down on the number of expensive SSL handshakes.
# By enabling a cache, we tell the client to re-use the already
# negotiated state.
# A 1Mb cache can hold about 4000 sessions, so we can hold 40000 sessions.
#
# (2) Use a higher keepalive timeout to reduce the need for repeated handshakes
# (!) Shouldn't be done unless you serve primarily HTTPS.
# Default is 75s
#
# (3) SSL buffer size
# Set 1400 bytes to fit in one MTU
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_buffer_size
#
# (4) Disable session tickets
# Session tickets keys are not auto-rotated. Only a HUP / restart
# will do so and when a restart is performed the previous key is
# lost, which resets all previous sessions.
# Only enable session tickets if you setup a manual rotation mechanism.
# https://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_tickets
#
# (5) Basic security improvements
# (1)
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 24h;
# (2)
keepalive_timeout 300s;
# (3)
# ssl_buffer_size 1400;
# (4)
ssl_session_tickets off;
# (5)
ssl_prefer_server_ciphers on;
nginx/h5bp/web_performance/cache-file-descriptors.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Cache file-descriptors |
# ----------------------------------------------------------------------
# This tells nginx to cache open file handles, "not found" errors and
# metadata about files and their permissions.
#
# Based on these cached metadata, nginx can immediately begin sending
# data when a popular file is requested, and will also know to
# immediately send a 404 if a file is missing on disk, and so on.
#
# (!) It also means that the server won't react immediately to changes
# on disk, which may be undesirable.
# As only metadata are cached, edited files may be troncated until
# the cache is refreshed.
# https://github.com/h5bp/server-configs-nginx/issues/203
#
# In the below configuration, inactive files are released from the cache
# after 20 seconds, whereas active (recently requested) files are
# re-validated every 30 seconds.
# Descriptors will not be cached unless they are used at least 2 times
# within 20 seconds (the inactive time).
# A maximum of the 1000 most recently used file descriptors can be
# cached at any time.
#
# Production servers with stable file collections will definitely want
# to enable the cache.
#
# https://nginx.org/en/docs/http/ngx_http_core_module.html#open_file_cache
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
nginx/h5bp/web_performance/cache_expiration.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Cache expiration |
# ----------------------------------------------------------------------
# Serve resources with far-future expiration date.
#
# (!) If you don't control versioning with filename-based
# cache busting, you should consider lowering the cache times
# to something like one week.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
map $sent_http_content_type $expires {
default 1M;
# CSS
text/css 1y;
# Data interchange
application/atom+xml 1h;
application/rdf+xml 1h;
application/rss+xml 1h;
application/json 0;
application/ld+json 0;
application/schema+json 0;
application/geo+json 0;
application/xml 0;
text/calendar 0;
text/xml 0;
# Favicon (cannot be renamed!) and cursor images
image/vnd.microsoft.icon 1w;
image/x-icon 1w;
# HTML
text/html 0;
# JavaScript
application/javascript 1y;
application/x-javascript 1y;
text/javascript 1y;
# Manifest files
application/manifest+json 1w;
application/x-web-app-manifest+json 0;
text/cache-manifest 0;
# Markdown
text/markdown 0;
# Media files
audio/ogg 1M;
image/bmp 1M;
image/gif 1M;
image/jpeg 1M;
image/png 1M;
image/svg+xml 1M;
image/webp 1M;
video/mp4 1M;
video/ogg 1M;
video/webm 1M;
# WebAssembly
application/wasm 1y;
# Web fonts
font/collection 1M;
application/vnd.ms-fontobject 1M;
font/eot 1M;
font/opentype 1M;
font/otf 1M;
application/x-font-ttf 1M;
font/ttf 1M;
application/font-woff 1M;
application/x-font-woff 1M;
font/woff 1M;
application/font-woff2 1M;
font/woff2 1M;
# Other
text/x-cross-domain-policy 1w;
}
expires $expires;
nginx/h5bp/web_performance/compression-brotli.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Compression brotli |
# ----------------------------------------------------------------------
brotli on;
brotli_comp_level 6;
brotli_types application/eot application/x-otf application/font application/x-perl application/font-sfnt application/x-ttf application/javascript
font/eot application/json font/ttf application/opentype font/otf application/otf font/opentype application/pkcs7-mime image/svg+xml
application/truetype text/css application/ttf text/csv application/vnd.ms-fontobject application/xhtml+xml text/javascript
application/xml text/js application/xml+rss text/plain application/x-font-opentype text/richtext application/x-font-truetype
text/tab-separated-values application/x-font-ttf text/xml application/x-httpd-cgi text/x-script application/x-javascript
text/x-component application/x-mpegurl text/x-java-source application/x-opentype
;
nginx/h5bp/web_performance/compression.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Compression |
# ----------------------------------------------------------------------
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
# Enable gzip compression.
# Default: off
gzip on;
# Compression level (1-9).
# 5 is a perfect compromise between size and CPU usage, offering about
# 75% reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 5;
# Don't compress anything that's already small and unlikely to shrink much
# if at all (the default is 20 bytes, which is bad as that usually leads to
# larger files after gzipping).
# Default: 20
gzip_min_length 256;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
# Default: off
gzip_vary on;
# Compress all output labeled with one of the following MIME-types.
# text/html is always compressed by gzip module.
# Default: text/html
gzip_types
application/atom+xml
application/javascript
application/json
application/ld+json
application/manifest+json
application/rss+xml
application/geo+json
application/vnd.ms-fontobject
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
application/rdf+xml
font/otf
application/wasm
image/bmp
image/svg+xml
text/cache-manifest
text/css
text/javascript
text/plain
text/markdown
text/vcard
text/calendar
text/vnd.rim.location.xloc
text/vtt
text/x-component
text/x-cross-domain-policy;
# This should be turned on if you are going to have pre-compressed copies (.gz) of
# static files available. If not it should be left off as it will cause extra I/O
# for the check. It is best if you enable this in a location{} block for
# a specific directory, or on an individual server{} level.
# gzip_static on;
nginx/h5bp/web_performance/no-transform.conf 0 → 100644
View file @ a6b73f4f
# ----------------------------------------------------------------------
# | Content transformation |
# ----------------------------------------------------------------------
# Prevent intermediate caches or proxies (e.g.: such as the ones
# used by mobile network providers) from modifying the website's
# content.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
# https://tools.ietf.org/html/rfc2616#section-14.9.5
#
# (!) If you are using `ngx_pagespeed`, please note that setting
# the `Cache-Control: no-transform` response header will prevent
# `PageSpeed` from rewriting `HTML` files, and, if the
# `pagespeed DisableRewriteOnNoTransform off` directive isn't used,
# also from rewriting other resources.
#
# https://developers.google.com/speed/pagespeed/module/configuration#notransform
add_header Cache-Control "no-transform";
nginx/mime.types 0 → 100644
View file @ a6b73f4f
types {
# Data interchange
application/atom+xml atom;
application/json json map topojson;
application/ld+json jsonld;
application/rss+xml rss;
# Normalize to standard type.
# https://tools.ietf.org/html/rfc7946#section-12
application/geo+json geojson;
application/xml xml;
# Normalize to standard type.
# https://tools.ietf.org/html/rfc3870#section-2
application/rdf+xml rdf;
# JavaScript
# Servers should use text/javascript for JavaScript resources.
# https://html.spec.whatwg.org/multipage/scripting.html#scriptingLanguages
text/javascript js mjs;
application/wasm wasm;
# Manifest files
application/manifest+json webmanifest;
application/x-web-app-manifest+json webapp;
text/cache-manifest appcache;
# Media files
audio/midi mid midi kar;
audio/mp4 aac f4a f4b m4a;
audio/mpeg mp3;
audio/ogg oga ogg opus;
audio/x-realaudio ra;
audio/x-wav wav;
audio/x-matroska mka;
image/bmp bmp;
image/gif gif;
image/jpeg jpeg jpg;
image/jxr jxr hdp wdp;
image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-jng jng;
video/3gpp 3gp 3gpp;
video/mp4 f4p f4v m4v mp4;
video/mpeg mpeg mpg;
video/ogg ogv;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-mng mng;
video/x-ms-asf asf asx;
video/x-ms-wmv wmv;
video/x-msvideo avi;
video/x-matroska mkv mk3d;
# Serving `.ico` image files with a different media type
# prevents Internet Explorer from displaying then as images:
# https://github.com/h5bp/html5-boilerplate/commit/37b5fec090d00f38de64b591bcddcb205aadf8ee
image/x-icon cur ico;
# Microsoft Office
application/msword doc;
application/vnd.ms-excel xls;
application/vnd.ms-powerpoint ppt;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
# Web fonts
font/woff woff;
font/woff2 woff2;
application/vnd.ms-fontobject eot;
font/ttf ttf;
font/collection ttc;
font/otf otf;
# Other
application/java-archive ear jar war;
application/mac-binhex40 hqx;
application/octet-stream bin deb dll dmg exe img iso msi msm msp safariextz;
application/pdf pdf;
application/postscript ai eps ps;
application/rtf rtf;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-bb-appworld bbaw;
application/x-bittorrent torrent;
application/x-chrome-extension crx;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-opera-extension oex;
application/x-perl pl pm;
application/x-pilot pdb prc;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert crt der pem;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xslt+xml xsl;
application/zip zip;
text/css css;
text/csv csv;
text/html htm html shtml;
text/markdown md markdown;
text/mathml mml;
text/plain txt;
text/vcard vcard vcf;
text/calendar ics;
text/vnd.rim.location.xloc xloc;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/vtt vtt;
text/x-component htc;
}
nginx/nginx.conf 0 → 100644
View file @ a6b73f4f
# Configuration File - Nginx Server Configs
# https://nginx.org/en/docs/
# Run as a unique, less privileged user for security reasons.
# Default: nobody nobody
# https://nginx.org/en/docs/ngx_core_module.html#user
# https://en.wikipedia.org/wiki/Principle_of_least_privilege
user nginx;
# Sets the worker threads to the number of CPU cores available in the system for best performance.
# Should be > the number of CPU cores.
# Maximum number of connections = worker_processes * worker_connections
# Default: 1
# https://nginx.org/en/docs/ngx_core_module.html#worker_processes
worker_processes auto;
# Maximum number of open files per worker process.
# Should be > worker_connections.
# Default: no limit
# https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
worker_rlimit_nofile 8192;
# Provides the configuration file context in which the directives
# that affect connection processing are specified.
# https://nginx.org/en/docs/ngx_core_module.html#events
events {
# If you need more connections than this, you start optimizing your OS.
# That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
# Should be < worker_rlimit_nofile.
# Default: 512
# https://nginx.org/en/docs/ngx_core_module.html#worker_connections
worker_connections 8000;
}
# Log errors and warnings to this file
# This is only used when you don't override it on a server{} level
# Default: logs/error.log error
# https://nginx.org/en/docs/ngx_core_module.html#error_log
error_log /var/log/nginx/error.log warn;
# The file storing the process ID of the main process
# Default: logs/nginx.pid
# https://nginx.org/en/docs/ngx_core_module.html#pid
pid /var/run/nginx.pid;
http {
# Hide nginx version information.
include h5bp/security/server_software_information.conf;
# Specify MIME types for files.
include h5bp/media_types/media_types.conf;
# Set character encodings.
include h5bp/media_types/character_encodings.conf;
# Include $http_x_forwarded_for within default format used in log files
# https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Log access to this file
# This is only used when you don't override it on a server{} level
# Default: logs/access.log combined
# https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
access_log /var/log/nginx/access.log main;
# How long to allow each connection to stay idle.
# Longer values are better for each individual client, particularly for SSL,
# but means that worker connections are tied up longer.
# Default: 75s
# https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
# keepalive_timeout 20s;
# Speed up file transfers by using sendfile() to copy directly
# between descriptors rather than using read()/write().
# For performance reasons, on FreeBSD systems w/ ZFS
# this option should be disabled as ZFS's ARC caches
# frequently used files in RAM by default.
# Default: off
# https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
sendfile on;
# Don't send out partial frames; this increases throughput
# since TCP frames are filled up before being sent out.
# Default: off
# https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush
tcp_nopush on;
# Enable gzip compression.
include h5bp/web_performance/compression.conf;
# Enable brotli compression.
include h5bp/web_performance/compression-brotli.conf;
# Specify file cache expiration.
include h5bp/web_performance/cache_expiration.conf;
# Add X-XSS-Protection for HTML documents.
# h5bp/security/x-xss-protection.conf
map $sent_http_content_type $x_xss_protection {
# (1) (2)
text/html "1; mode=block";
}
# Add X-Frame-Options for HTML documents.
# h5bp/security/x-frame-options.conf
map $sent_http_content_type $x_frame_options {
text/html DENY;
}
# Add Content-Security-Policy for HTML documents.
# h5bp/security/content-security-policy.conf
map $sent_http_content_type $content_security_policy {
text/html "script-src 'self'; object-src 'self'";
}
# Add Referrer-Policy for HTML documents.
# h5bp/security/referrer-policy.conf.conf
map $sent_http_content_type $referrer_policy {
text/html "no-referrer-when-downgrade";
}
# Add X-UA-Compatible for HTML documents.
# h5bp/internet_explorer/x-ua-compatible.conf
map $sent_http_content_type $x_ua_compatible {
text/html "IE=edge";
}
# Add Access-Control-Allow-Origin.
# h5bp/cross-origin/requests.conf
map $sent_http_content_type $cors {
# Images
image/bmp "*";
image/gif "*";
image/jpeg "*";
image/png "*";
image/svg+xml "*";
image/webp "*";
image/x-icon "*";
# Web fonts
font/collection "*";
application/vnd.ms-fontobject "*";
font/eot "*";
font/opentype "*";
font/otf "*";
application/x-font-ttf "*";
font/ttf "*";
application/font-woff "*";
application/x-font-woff "*";
font/woff "*";
application/font-woff2 "*";
font/woff2 "*";
}
# Include files in the conf.d folder.
# server{} configuration files should be placed in the conf.d folder.
# The configurations should be disabled by prefixing files with a dot.
include h5bp/ssl/ocsp_stapling.conf;
include h5bp/ssl/policy_modern.conf;
include h5bp/ssl/ssl_engine.conf;
include /etc/nginx/conf.d/dev-biuro.conf;
}
# user nginx;
# worker_processes 1;
# error_log /var/log/nginx/error.log warn;
# pid /var/run/nginx.pid;
# events {
# worker_connections 1024;
# }
# http {
# include /etc/nginx/mime.types;
# default_type application/octet-stream;
# log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
# access_log /var/log/nginx/access.log main;
# sendfile on;
# #tcp_nopush on;
# keepalive_timeout 65;
# gzip on;
# brotli on;
# ################################
# # DO WHATEVER YOU WANT HERE :) #
# ################################
# include /etc/nginx/conf.d/*.conf;
# }
wp-init.sh
View file @ a6b73f4f
......@@ -44,15 +44,13 @@ wp plugin activate cookies-warning --network
wp plugin activate data-controller --network
# wp plugin activate jobs-importer
# Update translations
wp language core update
wp language plugin update --all
# WP themes
wp theme update --all;
wp theme activate biuro
wp theme delete twentynineteen
wp theme delete twentyseventeen
wp theme delete twentysixteen
# Update translations
wp language core update
wp language theme update --all
wp language plugin update --all
echo "WP CLI done. Ready to use."
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment