update readme, gzip, includes, security CSP and fix typos:

Friz-zy · Friz-zy · commit 1cb6df3f6f46 · 2020-07-29T15:32:51.000+03:00
add another projects into readme
set default gzip level to 1
change includes to relative path
disable CSP in security
fix typos and missed semicolons
time spent: 3.25h
diff --git a/README.md b/README.md
@@ -15,15 +15,26 @@ At the same time there are a lot good documentation and best practices:
 [nginx docs](https://nginx.org/en/docs/),
 [digitalocean config generator](https://www.digitalocean.com/community/tools/nginx),
 [mozilla ssl best practices](https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.4),
-etc... And here I'm trying to put together all good patterns and knowledges so anyone will be able to copy this configs and get good nginx setup out of the box :)
-
-There is also interesting [openbridge nginx](https://github.com/openbridge/nginx) docker image,
-but I haven't checked it properly yet, their configs require addition nginx modules and setup
+etc...
+
+And there are also some more interesting projects and examples:
+- [nginx-admins-handbook](https://github.com/trimstray/nginx-admins-handbook)  
+Huge total guide, must read for any nginx admin.
+- [html5-boilerplate nginx configs](https://github.com/h5bp/server-configs-nginx)  
+Most popular collection of configuration snippets.
+- [nginx-boilerplate](https://github.com/nginx-boilerplate/nginx-boilerplate)  
+Another one common boilerplate.
+- [elasticweb/nginx-configs](https://github.com/elasticweb/nginx-configs)  
+Collection of Nginx configs for most popular CMS/CMF/Frameworks based on PHP.
+- [openbridge/nginx](https://github.com/openbridge/nginx)  
+Docker image, but I haven't checked it properly yet, their configs require addition nginx modules and setup
 and it can't be just copied to usual nginx. However, you can use it with docker.
 Also I don't agree with nginx microcache for every site, see known traps.
 
+So here I'm trying to put together all (my) good patterns and knowledges, and organize it as simple as possible in compare with complex examples above. So anyone will be able to copy this configs and get good nginx setup out of the box :)
+
 Time track:
-- [Filipp Frizzy](https://github.com/Friz-zy/) 35.84h
+- [Filipp Frizzy](https://github.com/Friz-zy/) 39.09h
 
 ### Support
 
diff --git a/conf.d/basic.conf b/conf.d/basic.conf
@@ -5,7 +5,7 @@ sendfile on; # default is off
 tcp_nopush on; # default is off
 tcp_nodelay on;
 
-include /etc/nginx/mime.types;
+include mime.types;
 default_type application/octet-stream; # default is text/plain
 
 charset utf-8; # default is off
diff --git a/conf.d/gzip.conf b/conf.d/gzip.conf
@@ -1,11 +1,16 @@
 # https://nginx.org/en/docs/http/ngx_http_gzip_module.html
 # https://nginx.org/en/docs/http/ngx_http_gzip_static_module.html
 
+# default ubuntu setup is 6 level
+# but best speed\cpu\compression ratio is levels from 1 to 5.
+# for best compression you should put prepared gz files near main one,
+# see gzip_static module.
+gzip_comp_level 1;
+
 gzip on;
 gzip_min_length 512;
 gzip_vary on;
 gzip_proxied any;
-gzip_comp_level 6;
 gzip_buffers 16 8k;
 gzip_http_version 1.0;
 gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
diff --git a/conf.d/security.conf b/conf.d/security.conf
@@ -12,7 +12,15 @@ add_header X-Content-Type-Options    "nosniff" always;
 
 add_header Referrer-Policy           "no-referrer-when-downgrade" always;
 
-add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+# CSP reduce the risk and impact of XSS attacks in modern browsers.
+# Whitelisting known-good resource origins,
+# refusing to execute potentially dangerous inline scripts,
+# and banning the use of eval are all effective mechanisms
+# for mitigating cross-site scripting attacks.
+# WARNING
+# Enabling this defaults will break all subdomains, CDNs and javascript eval
+# https://content-security-policy.com/
+# add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
 
 # disable if some of your pages should work through http also
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
diff --git a/nginx.conf b/nginx.conf
@@ -6,7 +6,7 @@ worker_processes auto;
 
 error_log  /var/log/nginx/error.log warn;
 
-include /etc/nginx/modules-enabled/*.conf;
+include modules-enabled/*.conf;
 
 # ulimit -n 100000
 worker_rlimit_nofile 100000;
@@ -24,7 +24,7 @@ http {
     # basic.conf  cache.conf  gzip.conf  log_format.conf
     # real_ip.conf  request_id.conf  ssl.conf
 
-    include /etc/nginx/conf.d/*.conf;
-    include /etc/nginx/sites-enabled/*.conf;
+    include conf.d/*.conf;
+    include sites-enabled/*.conf;
 
 }
diff --git a/snippets/corps.conf.j2 b/snippets/corps.conf.j2
@@ -5,4 +5,4 @@ if ($http_origin ~* "^https?://(?:.+\.)?{{ item.domain }}(?::\d{1,5})?$") {
 add_header "Access-Control-Allow-Origin" "$corps_origin";
 
 # add_header will override all previous directives from parent sections
-include /etc/nginx/snippets/headers.conf
+include snippets/headers.conf;
diff --git a/snippets/headers.conf b/snippets/headers.conf
@@ -17,7 +17,15 @@ add_header X-Content-Type-Options    "nosniff" always;
 
 add_header Referrer-Policy           "no-referrer-when-downgrade" always;
 
-add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
+# CSP reduce the risk and impact of XSS attacks in modern browsers.
+# Whitelisting known-good resource origins,
+# refusing to execute potentially dangerous inline scripts,
+# and banning the use of eval are all effective mechanisms
+# for mitigating cross-site scripting attacks.
+# WARNING
+# Enabling this defaults will break all subdomains, CDNs and javascript eval
+# https://content-security-policy.com/
+# add_header Content-Security-Policy   "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
 
 # disable if some of your pages should work through http also
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
diff --git a/snippets/site.conf.j2 b/snippets/site.conf.j2
@@ -39,17 +39,17 @@ server {
     # ssl_certificate_key     /etc/ssl/private/{{ item.domain }}.key;
 
     # corps hack
-    # include /etc/nginx/snippets/corps.conf
+    # include snippets/corps.conf;
 
     # referer protection
-    # include /etc/nginx/snippets/referer.conf
+    # include snippets/referer.conf;
 
     # location ~* \.(js|css|png|jpg|jpeg|gif|ico|swf|eot|ttf|otf|woff|woff2)$
-    include /etc/nginx/snippets/static_location.conf
+    include snippets/static_location.conf;
 
     location /backend {
-        proxy_pass http://127.0.0.1:8080
-        include /etc/nginx/snippets/proxy.conf
+        proxy_pass http://127.0.0.1:8080;
+        include snippets/proxy.conf;
     }
 
     location / {
@@ -58,10 +58,10 @@ server {
 
     location ~ \.php$ {
         fastcgi_pass 127.0.0.1:9000;
-        include /etc/nginx/snippets/fastcgi.conf
+        include snippets/fastcgi.conf;
     }
 
     # location ~ (/\.|^/protected)
-    include /etc/nginx/snippets/protected_locations.conf
+    include snippets/protected_locations.conf;
 
 }
diff --git a/snippets/static_location.conf b/snippets/static_location.conf
@@ -7,5 +7,5 @@ location ~* \.(js|css|png|jpg|jpeg|gif|ico|swf|eot|ttf|otf|woff|woff2)$ {
     expires 30d;
 
     # add_header will override all previous directives from parent sections
-    include /etc/nginx/snippets/headers.conf
+    include snippets/headers.conf;
 }

Original file line number	Diff line number	Diff line change
`@@ -7,5 +7,5 @@ location ~* \.(js\|css\|png\|jpg\|jpeg\|gif\|ico\|swf\|eot\|ttf\|otf\|woff\|woff2)$ {`
`7`	`7`	`expires 30d;`
`8`	`8`
`9`	`9`	`# add_header will override all previous directives from parent sections`
`10`		`- include /etc/nginx/snippets/headers.conf`
	`10`	`+ include snippets/headers.conf;`
`11`	`11`	`}`