server { listen 80 default_server; listen [::]:80 default_server; # Disable access logs access_log off; log_not_found off; error_log /var/log/nginx/error.log error; return 301 https://$host$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; root /var/www/MISP/app/webroot; index index.php; # Disable access logs access_log off; log_not_found off; error_log /var/log/nginx/error.log error; ssl_certificate /etc/ssl/cert.pem; ssl_certificate_key /etc/ssl/key.pem; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; # modern configuration ssl_protocols TLSv1.3; ssl_prefer_server_ciphers off; # enable HSTS add_header Strict-Transport-Security "max-age=15768000; includeSubdomains"; add_header X-Frame-Options SAMEORIGIN; # Aded headers for hardening browser security add_header Referrer-Policy "no-referrer" always; add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; location / { try_files $uri $uri/ /index.php; } location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/var/run/php/php7.3-fpm.sock; } }