misp-docker/server/files/etc/nginx/misp-secure

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    root /var/www/MISP/app/webroot;
    index index.php;

    client_max_body_size 50M;

    # Disable access logs
    access_log off;
    log_not_found off;
    error_log  /dev/stderr error;

    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/certs/key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # modern configuration
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # enable HSTS
    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";
    add_header X-Frame-Options SAMEORIGIN;

    # Aded headers for hardening browser security
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    location / {
        try_files $uri $uri/ /index.php;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;
        fastcgi_read_timeout 300;
    }
}
Default to modern nginx security - resolves #50 2020-05-29 01:38:33 +02:00			`server {`
			`listen 443 ssl http2;`
			`listen [::]:443 ssl http2;`
			`root /var/www/MISP/app/webroot;`
			`index index.php;`

			`client_max_body_size 50M;`

			`# Disable access logs`
			`access_log off;`
			`log_not_found off;`
			`error_log /dev/stderr error;`

			`ssl_certificate /etc/ssl/certs/cert.pem;`
			`ssl_certificate_key /etc/ssl/certs/key.pem;`
			`ssl_session_timeout 1d;`
			`ssl_session_cache shared:MozSSL:10m; # about 40000 sessions`
			`ssl_session_tickets off;`

			`# modern configuration`
			`ssl_protocols TLSv1.3;`
			`ssl_prefer_server_ciphers off;`

			`# enable HSTS`
			`add_header Strict-Transport-Security "max-age=15768000; includeSubdomains";`
			`add_header X-Frame-Options SAMEORIGIN;`

			`# Aded headers for hardening browser security`
			`add_header Referrer-Policy "no-referrer" always;`
			`add_header X-Content-Type-Options "nosniff" always;`
			`add_header X-Download-Options "noopen" always;`
			`add_header X-Frame-Options "SAMEORIGIN" always;`
			`add_header X-Permitted-Cross-Domain-Policies "none" always;`
			`add_header X-Robots-Tag "none" always;`
			`add_header X-XSS-Protection "1; mode=block" always;`

			`# Remove X-Powered-By, which is an information leak`
			`fastcgi_hide_header X-Powered-By;`

			`location / {`
			`try_files $uri $uri/ /index.php;`
			`}`

			`location ~ \.php$ {`
			`include snippets/fastcgi-php.conf;`
			`fastcgi_pass unix:/var/run/php/php7.3-fpm.sock;`
			`fastcgi_read_timeout 300;`
			`}`
			`}`