mirror of
https://github.com/zabbix/zabbix-docker.git
synced 2025-06-14 05:47:38 +02:00
Optimizations for Nginx/Apache configs
This commit is contained in:
Alexey Pustovalov
commit
432436c7f1
@ -43,6 +43,14 @@
|
|||||||
</files>
|
</files>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<Directory "/usr/share/zabbix/locale">
|
||||||
|
Require all denied
|
||||||
|
<files *.php>
|
||||||
|
Order deny,allow
|
||||||
|
Deny from all
|
||||||
|
</files>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix/vendor">
|
<Directory "/usr/share/zabbix/vendor">
|
||||||
Require all denied
|
Require all denied
|
||||||
<files *.php>
|
<files *.php>
|
||||||
|
|||||||
@ -5,8 +5,6 @@ Listen 8443
|
|||||||
|
|
||||||
<IfModule mod_ssl.c>
|
<IfModule mod_ssl.c>
|
||||||
<VirtualHost *:8443>
|
<VirtualHost *:8443>
|
||||||
SSLEngine on
|
|
||||||
|
|
||||||
DocumentRoot /usr/share/zabbix/
|
DocumentRoot /usr/share/zabbix/
|
||||||
ServerName zabbix
|
ServerName zabbix
|
||||||
DirectoryIndex index.php
|
DirectoryIndex index.php
|
||||||
@ -17,16 +15,21 @@ Listen 8443
|
|||||||
# Enable/Disable SSL for this virtual host.
|
# Enable/Disable SSL for this virtual host.
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
|
|
||||||
SSLProtocol all -SSLv2 -SSLv3
|
# intermediate configuration
|
||||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||||
SSLHonorCipherOrder on
|
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||||
|
SSLHonorCipherOrder off
|
||||||
|
SSLSessionTickets off
|
||||||
|
|
||||||
SSLCertificateFile /etc/ssl/apache2/ssl.crt
|
SSLCertificateFile /etc/ssl/apache2/ssl.crt
|
||||||
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
|
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
|
||||||
# SSLCACertificatePath /etc/ssl/apache2/chain/
|
# SSLCACertificatePath /etc/ssl/apache2/chain/
|
||||||
|
|
||||||
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
|
# enable HTTP/2, if available
|
||||||
Header always set Strict-Transport-Security "max-age=15768000"
|
Protocols h2 http/1.1
|
||||||
|
|
||||||
|
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
|
||||||
|
Header always set Strict-Transport-Security "max-age=63072000"
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix">
|
<Directory "/usr/share/zabbix">
|
||||||
Options FollowSymLinks
|
Options FollowSymLinks
|
||||||
@ -66,6 +69,14 @@ Listen 8443
|
|||||||
</files>
|
</files>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<Directory "/usr/share/zabbix/locale">
|
||||||
|
Require all denied
|
||||||
|
<files *.php>
|
||||||
|
Order deny,allow
|
||||||
|
Deny from all
|
||||||
|
</files>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix/vendor">
|
<Directory "/usr/share/zabbix/vendor">
|
||||||
Require all denied
|
Require all denied
|
||||||
<files *.php>
|
<files *.php>
|
||||||
|
|||||||
@ -47,6 +47,14 @@
|
|||||||
</files>
|
</files>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<Directory "/usr/share/zabbix/locale">
|
||||||
|
Require all denied
|
||||||
|
<files *.php>
|
||||||
|
Order deny,allow
|
||||||
|
Deny from all
|
||||||
|
</files>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix/vendor">
|
<Directory "/usr/share/zabbix/vendor">
|
||||||
Require all denied
|
Require all denied
|
||||||
<files *.php>
|
<files *.php>
|
||||||
|
|||||||
@ -4,8 +4,6 @@ LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
|
|||||||
Listen 8443
|
Listen 8443
|
||||||
|
|
||||||
<VirtualHost *:8443>
|
<VirtualHost *:8443>
|
||||||
SSLEngine on
|
|
||||||
|
|
||||||
DocumentRoot /usr/share/zabbix/
|
DocumentRoot /usr/share/zabbix/
|
||||||
ServerName zabbix
|
ServerName zabbix
|
||||||
DirectoryIndex index.php
|
DirectoryIndex index.php
|
||||||
@ -16,16 +14,21 @@ Listen 8443
|
|||||||
# Enable/Disable SSL for this virtual host.
|
# Enable/Disable SSL for this virtual host.
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
|
|
||||||
SSLProtocol all -SSLv2 -SSLv3
|
# intermediate configuration
|
||||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||||
SSLHonorCipherOrder on
|
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||||
|
SSLHonorCipherOrder off
|
||||||
|
SSLSessionTickets off
|
||||||
|
|
||||||
SSLCertificateFile /etc/ssl/apache2/ssl.crt
|
SSLCertificateFile /etc/ssl/apache2/ssl.crt
|
||||||
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
|
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
|
||||||
# SSLCACertificatePath /etc/ssl/apache2/chain/
|
# SSLCACertificatePath /etc/ssl/apache2/chain/
|
||||||
|
|
||||||
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
|
# enable HTTP/2, if available
|
||||||
Header always set Strict-Transport-Security "max-age=15768000"
|
Protocols h2 http/1.1
|
||||||
|
|
||||||
|
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
|
||||||
|
Header always set Strict-Transport-Security "max-age=63072000"
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix">
|
<Directory "/usr/share/zabbix">
|
||||||
Options FollowSymLinks
|
Options FollowSymLinks
|
||||||
@ -69,6 +72,14 @@ Listen 8443
|
|||||||
</files>
|
</files>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<Directory "/usr/share/zabbix/locale">
|
||||||
|
Require all denied
|
||||||
|
<files *.php>
|
||||||
|
Order deny,allow
|
||||||
|
Deny from all
|
||||||
|
</files>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix/vendor">
|
<Directory "/usr/share/zabbix/vendor">
|
||||||
Require all denied
|
Require all denied
|
||||||
<files *.php>
|
<files *.php>
|
||||||
|
|||||||
@ -43,6 +43,14 @@
|
|||||||
</files>
|
</files>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<Directory "/usr/share/zabbix/locale">
|
||||||
|
Require all denied
|
||||||
|
<files *.php>
|
||||||
|
Order deny,allow
|
||||||
|
Deny from all
|
||||||
|
</files>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix/vendor">
|
<Directory "/usr/share/zabbix/vendor">
|
||||||
Require all denied
|
Require all denied
|
||||||
<files *.php>
|
<files *.php>
|
||||||
|
|||||||
@ -4,8 +4,6 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
|
|||||||
|
|
||||||
<IfModule mod_ssl.c>
|
<IfModule mod_ssl.c>
|
||||||
<VirtualHost *:8443>
|
<VirtualHost *:8443>
|
||||||
SSLEngine on
|
|
||||||
|
|
||||||
DocumentRoot /usr/share/zabbix/
|
DocumentRoot /usr/share/zabbix/
|
||||||
ServerName zabbix
|
ServerName zabbix
|
||||||
DirectoryIndex index.php
|
DirectoryIndex index.php
|
||||||
@ -16,16 +14,21 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
|
|||||||
# Enable/Disable SSL for this virtual host.
|
# Enable/Disable SSL for this virtual host.
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
|
|
||||||
SSLProtocol all -SSLv2 -SSLv3
|
# intermediate configuration
|
||||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||||
SSLHonorCipherOrder on
|
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||||
|
SSLHonorCipherOrder off
|
||||||
|
SSLSessionTickets off
|
||||||
|
|
||||||
SSLCertificateFile /etc/ssl/apache2/ssl.crt
|
SSLCertificateFile /etc/ssl/apache2/ssl.crt
|
||||||
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
|
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
|
||||||
# SSLCACertificatePath /etc/ssl/apache2/chain/
|
# SSLCACertificatePath /etc/ssl/apache2/chain/
|
||||||
|
|
||||||
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
|
# enable HTTP/2, if available
|
||||||
Header always set Strict-Transport-Security "max-age=15768000"
|
Protocols h2 http/1.1
|
||||||
|
|
||||||
|
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
|
||||||
|
Header always set Strict-Transport-Security "max-age=63072000"
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix">
|
<Directory "/usr/share/zabbix">
|
||||||
Options FollowSymLinks
|
Options FollowSymLinks
|
||||||
@ -65,6 +68,14 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
|
|||||||
</files>
|
</files>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<Directory "/usr/share/zabbix/locale">
|
||||||
|
Require all denied
|
||||||
|
<files *.php>
|
||||||
|
Order deny,allow
|
||||||
|
Deny from all
|
||||||
|
</files>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix/vendor">
|
<Directory "/usr/share/zabbix/vendor">
|
||||||
Require all denied
|
Require all denied
|
||||||
<files *.php>
|
<files *.php>
|
||||||
|
|||||||
@ -43,6 +43,14 @@
|
|||||||
</files>
|
</files>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<Directory "/usr/share/zabbix/locale">
|
||||||
|
Require all denied
|
||||||
|
<files *.php>
|
||||||
|
Order deny,allow
|
||||||
|
Deny from all
|
||||||
|
</files>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix/vendor">
|
<Directory "/usr/share/zabbix/vendor">
|
||||||
Require all denied
|
Require all denied
|
||||||
<files *.php>
|
<files *.php>
|
||||||
|
|||||||
@ -5,8 +5,6 @@ Listen 8443
|
|||||||
|
|
||||||
<IfModule mod_ssl.c>
|
<IfModule mod_ssl.c>
|
||||||
<VirtualHost *:8443>
|
<VirtualHost *:8443>
|
||||||
SSLEngine on
|
|
||||||
|
|
||||||
DocumentRoot /usr/share/zabbix/
|
DocumentRoot /usr/share/zabbix/
|
||||||
ServerName zabbix
|
ServerName zabbix
|
||||||
DirectoryIndex index.php
|
DirectoryIndex index.php
|
||||||
@ -17,16 +15,21 @@ Listen 8443
|
|||||||
# Enable/Disable SSL for this virtual host.
|
# Enable/Disable SSL for this virtual host.
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
|
|
||||||
SSLProtocol all -SSLv2 -SSLv3
|
# intermediate configuration
|
||||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||||
SSLHonorCipherOrder on
|
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||||
|
SSLHonorCipherOrder off
|
||||||
|
SSLSessionTickets off
|
||||||
|
|
||||||
SSLCertificateFile /etc/ssl/apache2/ssl.crt
|
SSLCertificateFile /etc/ssl/apache2/ssl.crt
|
||||||
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
|
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
|
||||||
# SSLCACertificatePath /etc/ssl/apache2/chain/
|
# SSLCACertificatePath /etc/ssl/apache2/chain/
|
||||||
|
|
||||||
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
|
# enable HTTP/2, if available
|
||||||
Header always set Strict-Transport-Security "max-age=15768000"
|
Protocols h2 http/1.1
|
||||||
|
|
||||||
|
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
|
||||||
|
Header always set Strict-Transport-Security "max-age=63072000"
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix">
|
<Directory "/usr/share/zabbix">
|
||||||
Options FollowSymLinks
|
Options FollowSymLinks
|
||||||
@ -66,6 +69,14 @@ Listen 8443
|
|||||||
</files>
|
</files>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<Directory "/usr/share/zabbix/locale">
|
||||||
|
Require all denied
|
||||||
|
<files *.php>
|
||||||
|
Order deny,allow
|
||||||
|
Deny from all
|
||||||
|
</files>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix/vendor">
|
<Directory "/usr/share/zabbix/vendor">
|
||||||
Require all denied
|
Require all denied
|
||||||
<files *.php>
|
<files *.php>
|
||||||
|
|||||||
@ -47,6 +47,14 @@
|
|||||||
</files>
|
</files>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<Directory "/usr/share/zabbix/locale">
|
||||||
|
Require all denied
|
||||||
|
<files *.php>
|
||||||
|
Order deny,allow
|
||||||
|
Deny from all
|
||||||
|
</files>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix/vendor">
|
<Directory "/usr/share/zabbix/vendor">
|
||||||
Require all denied
|
Require all denied
|
||||||
<files *.php>
|
<files *.php>
|
||||||
|
|||||||
@ -4,8 +4,6 @@ LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
|
|||||||
Listen 8443
|
Listen 8443
|
||||||
|
|
||||||
<VirtualHost *:8443>
|
<VirtualHost *:8443>
|
||||||
SSLEngine on
|
|
||||||
|
|
||||||
DocumentRoot /usr/share/zabbix/
|
DocumentRoot /usr/share/zabbix/
|
||||||
ServerName zabbix
|
ServerName zabbix
|
||||||
DirectoryIndex index.php
|
DirectoryIndex index.php
|
||||||
@ -16,16 +14,21 @@ Listen 8443
|
|||||||
# Enable/Disable SSL for this virtual host.
|
# Enable/Disable SSL for this virtual host.
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
|
|
||||||
SSLProtocol all -SSLv2 -SSLv3
|
# intermediate configuration
|
||||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||||
SSLHonorCipherOrder on
|
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||||
|
SSLHonorCipherOrder off
|
||||||
|
SSLSessionTickets off
|
||||||
|
|
||||||
SSLCertificateFile /etc/ssl/apache2/ssl.crt
|
SSLCertificateFile /etc/ssl/apache2/ssl.crt
|
||||||
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
|
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
|
||||||
# SSLCACertificatePath /etc/ssl/apache2/chain/
|
# SSLCACertificatePath /etc/ssl/apache2/chain/
|
||||||
|
|
||||||
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
|
# enable HTTP/2, if available
|
||||||
Header always set Strict-Transport-Security "max-age=15768000"
|
Protocols h2 http/1.1
|
||||||
|
|
||||||
|
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
|
||||||
|
Header always set Strict-Transport-Security "max-age=63072000"
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix">
|
<Directory "/usr/share/zabbix">
|
||||||
Options FollowSymLinks
|
Options FollowSymLinks
|
||||||
@ -69,6 +72,14 @@ Listen 8443
|
|||||||
</files>
|
</files>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<Directory "/usr/share/zabbix/locale">
|
||||||
|
Require all denied
|
||||||
|
<files *.php>
|
||||||
|
Order deny,allow
|
||||||
|
Deny from all
|
||||||
|
</files>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix/vendor">
|
<Directory "/usr/share/zabbix/vendor">
|
||||||
Require all denied
|
Require all denied
|
||||||
<files *.php>
|
<files *.php>
|
||||||
|
|||||||
@ -43,6 +43,14 @@
|
|||||||
</files>
|
</files>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<Directory "/usr/share/zabbix/locale">
|
||||||
|
Require all denied
|
||||||
|
<files *.php>
|
||||||
|
Order deny,allow
|
||||||
|
Deny from all
|
||||||
|
</files>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix/vendor">
|
<Directory "/usr/share/zabbix/vendor">
|
||||||
Require all denied
|
Require all denied
|
||||||
<files *.php>
|
<files *.php>
|
||||||
|
|||||||
@ -4,8 +4,6 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
|
|||||||
|
|
||||||
<IfModule mod_ssl.c>
|
<IfModule mod_ssl.c>
|
||||||
<VirtualHost *:8443>
|
<VirtualHost *:8443>
|
||||||
SSLEngine on
|
|
||||||
|
|
||||||
DocumentRoot /usr/share/zabbix/
|
DocumentRoot /usr/share/zabbix/
|
||||||
ServerName zabbix
|
ServerName zabbix
|
||||||
DirectoryIndex index.php
|
DirectoryIndex index.php
|
||||||
@ -16,16 +14,21 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
|
|||||||
# Enable/Disable SSL for this virtual host.
|
# Enable/Disable SSL for this virtual host.
|
||||||
SSLEngine on
|
SSLEngine on
|
||||||
|
|
||||||
SSLProtocol all -SSLv2 -SSLv3
|
# intermediate configuration
|
||||||
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
|
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
|
||||||
SSLHonorCipherOrder on
|
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
|
||||||
|
SSLHonorCipherOrder off
|
||||||
|
SSLSessionTickets off
|
||||||
|
|
||||||
SSLCertificateFile /etc/ssl/apache2/ssl.crt
|
SSLCertificateFile /etc/ssl/apache2/ssl.crt
|
||||||
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
|
SSLCertificateKeyFile /etc/ssl/apache2/ssl.key
|
||||||
# SSLCACertificatePath /etc/ssl/apache2/chain/
|
# SSLCACertificatePath /etc/ssl/apache2/chain/
|
||||||
|
|
||||||
# HSTS (mod_headers is required) (15768000 seconds = 6 months)
|
# enable HTTP/2, if available
|
||||||
Header always set Strict-Transport-Security "max-age=15768000"
|
Protocols h2 http/1.1
|
||||||
|
|
||||||
|
# HTTP Strict Transport Security (mod_headers is required) (63072000 seconds)
|
||||||
|
Header always set Strict-Transport-Security "max-age=63072000"
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix">
|
<Directory "/usr/share/zabbix">
|
||||||
Options FollowSymLinks
|
Options FollowSymLinks
|
||||||
@ -65,6 +68,14 @@ LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
|
|||||||
</files>
|
</files>
|
||||||
</Directory>
|
</Directory>
|
||||||
|
|
||||||
|
<Directory "/usr/share/zabbix/locale">
|
||||||
|
Require all denied
|
||||||
|
<files *.php>
|
||||||
|
Order deny,allow
|
||||||
|
Deny from all
|
||||||
|
</files>
|
||||||
|
</Directory>
|
||||||
|
|
||||||
<Directory "/usr/share/zabbix/vendor">
|
<Directory "/usr/share/zabbix/vendor">
|
||||||
Require all denied
|
Require all denied
|
||||||
<files *.php>
|
<files *.php>
|
||||||
|
|||||||
@ -41,7 +41,7 @@ server {
|
|||||||
expires 14d;
|
expires 14d;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(app\/|conf[^\.]|include|locale) {
|
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
|
||||||
deny all;
|
deny all;
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
@ -50,11 +50,6 @@ server {
|
|||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ .php$ {
|
location ~ .php$ {
|
||||||
fastcgi_pass unix:/tmp/php-fpm.sock;
|
fastcgi_pass unix:/tmp/php-fpm.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
|||||||
@ -21,13 +21,18 @@ server {
|
|||||||
ssl_certificate_key /etc/ssl/nginx/ssl.key;
|
ssl_certificate_key /etc/ssl/nginx/ssl.key;
|
||||||
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
|
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
|
||||||
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
ssl_session_timeout 1d;
|
||||||
ssl_verify_depth 3;
|
ssl_session_cache shared:MozSSL:10m;
|
||||||
ssl_session_cache shared:SSL:10m;
|
ssl_session_tickets off;
|
||||||
ssl_session_timeout 10m;
|
|
||||||
ssl_prefer_server_ciphers on;
|
# intermediate configuration
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; preload";
|
|
||||||
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
|
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
|
||||||
|
|
||||||
location =/nginx_status {
|
location =/nginx_status {
|
||||||
@ -63,7 +68,7 @@ server {
|
|||||||
expires 14d;
|
expires 14d;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(app\/|conf[^\.]|include|locale) {
|
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
|
||||||
deny all;
|
deny all;
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
@ -72,11 +77,6 @@ server {
|
|||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ .php$ {
|
location ~ .php$ {
|
||||||
fastcgi_pass unix:/tmp/php-fpm.sock;
|
fastcgi_pass unix:/tmp/php-fpm.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
|||||||
@ -41,7 +41,7 @@ server {
|
|||||||
expires 14d;
|
expires 14d;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(app\/|conf[^\.]|include|locale) {
|
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
|
||||||
deny all;
|
deny all;
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
@ -50,11 +50,6 @@ server {
|
|||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ .php$ {
|
location ~ .php$ {
|
||||||
fastcgi_pass unix:/tmp/php-fpm.sock;
|
fastcgi_pass unix:/tmp/php-fpm.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
|||||||
@ -21,13 +21,18 @@ server {
|
|||||||
ssl_certificate_key /etc/ssl/nginx/ssl.key;
|
ssl_certificate_key /etc/ssl/nginx/ssl.key;
|
||||||
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
|
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
|
||||||
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
ssl_session_timeout 1d;
|
||||||
ssl_verify_depth 3;
|
ssl_session_cache shared:MozSSL:10m;
|
||||||
ssl_session_cache shared:SSL:10m;
|
ssl_session_tickets off;
|
||||||
ssl_session_timeout 10m;
|
|
||||||
ssl_prefer_server_ciphers on;
|
# intermediate configuration
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; preload";
|
|
||||||
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
|
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
|
||||||
|
|
||||||
location =/nginx_status {
|
location =/nginx_status {
|
||||||
@ -63,7 +68,7 @@ server {
|
|||||||
expires 14d;
|
expires 14d;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(app\/|conf[^\.]|include|locale) {
|
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
|
||||||
deny all;
|
deny all;
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
@ -72,11 +77,6 @@ server {
|
|||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ .php$ {
|
location ~ .php$ {
|
||||||
fastcgi_pass unix:/tmp/php-fpm.sock;
|
fastcgi_pass unix:/tmp/php-fpm.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
|||||||
@ -41,7 +41,7 @@ server {
|
|||||||
expires 14d;
|
expires 14d;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(app\/|conf[^\.]|include|locale) {
|
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
|
||||||
deny all;
|
deny all;
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
@ -50,11 +50,6 @@ server {
|
|||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ .php$ {
|
location ~ .php$ {
|
||||||
fastcgi_pass unix:/tmp/php-fpm.sock;
|
fastcgi_pass unix:/tmp/php-fpm.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
|||||||
@ -21,13 +21,18 @@ server {
|
|||||||
ssl_certificate_key /etc/ssl/nginx/ssl.key;
|
ssl_certificate_key /etc/ssl/nginx/ssl.key;
|
||||||
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
|
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
|
||||||
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
ssl_session_timeout 1d;
|
||||||
ssl_verify_depth 3;
|
ssl_session_cache shared:MozSSL:10m;
|
||||||
ssl_session_cache shared:SSL:10m;
|
ssl_session_tickets off;
|
||||||
ssl_session_timeout 10m;
|
|
||||||
ssl_prefer_server_ciphers on;
|
# intermediate configuration
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; preload";
|
|
||||||
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
|
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
|
||||||
|
|
||||||
location =/nginx_status {
|
location =/nginx_status {
|
||||||
@ -63,7 +68,7 @@ server {
|
|||||||
expires 14d;
|
expires 14d;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(app\/|conf[^\.]|include|locale) {
|
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
|
||||||
deny all;
|
deny all;
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
@ -72,11 +77,6 @@ server {
|
|||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ .php$ {
|
location ~ .php$ {
|
||||||
fastcgi_pass unix:/tmp/php-fpm.sock;
|
fastcgi_pass unix:/tmp/php-fpm.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
|||||||
@ -41,7 +41,7 @@ server {
|
|||||||
expires 14d;
|
expires 14d;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(app\/|conf[^\.]|include|locale) {
|
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
|
||||||
deny all;
|
deny all;
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
@ -50,11 +50,6 @@ server {
|
|||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ .php$ {
|
location ~ .php$ {
|
||||||
fastcgi_pass unix:/tmp/php-fpm.sock;
|
fastcgi_pass unix:/tmp/php-fpm.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
|||||||
@ -21,13 +21,18 @@ server {
|
|||||||
ssl_certificate_key /etc/ssl/nginx/ssl.key;
|
ssl_certificate_key /etc/ssl/nginx/ssl.key;
|
||||||
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
|
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
|
||||||
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
ssl_session_timeout 1d;
|
||||||
ssl_verify_depth 3;
|
ssl_session_cache shared:MozSSL:10m;
|
||||||
ssl_session_cache shared:SSL:10m;
|
ssl_session_tickets off;
|
||||||
ssl_session_timeout 10m;
|
|
||||||
ssl_prefer_server_ciphers on;
|
# intermediate configuration
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; preload";
|
|
||||||
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
|
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
|
||||||
|
|
||||||
location =/nginx_status {
|
location =/nginx_status {
|
||||||
@ -63,7 +68,7 @@ server {
|
|||||||
expires 14d;
|
expires 14d;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(app\/|conf[^\.]|include|locale) {
|
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
|
||||||
deny all;
|
deny all;
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
@ -72,11 +77,6 @@ server {
|
|||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ .php$ {
|
location ~ .php$ {
|
||||||
fastcgi_pass unix:/tmp/php-fpm.sock;
|
fastcgi_pass unix:/tmp/php-fpm.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
|||||||
@ -41,7 +41,7 @@ server {
|
|||||||
expires 14d;
|
expires 14d;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(app\/|conf[^\.]|include|locale) {
|
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
|
||||||
deny all;
|
deny all;
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
@ -50,11 +50,6 @@ server {
|
|||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ .php$ {
|
location ~ .php$ {
|
||||||
fastcgi_pass unix:/tmp/php-fpm.sock;
|
fastcgi_pass unix:/tmp/php-fpm.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
|||||||
@ -21,13 +21,18 @@ server {
|
|||||||
ssl_certificate_key /etc/ssl/nginx/ssl.key;
|
ssl_certificate_key /etc/ssl/nginx/ssl.key;
|
||||||
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
|
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
|
||||||
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
ssl_session_timeout 1d;
|
||||||
ssl_verify_depth 3;
|
ssl_session_cache shared:MozSSL:10m;
|
||||||
ssl_session_cache shared:SSL:10m;
|
ssl_session_tickets off;
|
||||||
ssl_session_timeout 10m;
|
|
||||||
ssl_prefer_server_ciphers on;
|
# intermediate configuration
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; preload";
|
|
||||||
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
|
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
|
||||||
|
|
||||||
location =/nginx_status {
|
location =/nginx_status {
|
||||||
@ -63,7 +68,7 @@ server {
|
|||||||
expires 14d;
|
expires 14d;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(app\/|conf[^\.]|include|locale) {
|
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
|
||||||
deny all;
|
deny all;
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
@ -72,11 +77,6 @@ server {
|
|||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ .php$ {
|
location ~ .php$ {
|
||||||
fastcgi_pass unix:/tmp/php-fpm.sock;
|
fastcgi_pass unix:/tmp/php-fpm.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
|||||||
@ -41,7 +41,7 @@ server {
|
|||||||
expires 14d;
|
expires 14d;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(app\/|conf[^\.]|include|locale) {
|
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
|
||||||
deny all;
|
deny all;
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
@ -50,11 +50,6 @@ server {
|
|||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ .php$ {
|
location ~ .php$ {
|
||||||
fastcgi_pass unix:/tmp/php-fpm.sock;
|
fastcgi_pass unix:/tmp/php-fpm.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
|||||||
@ -21,13 +21,18 @@ server {
|
|||||||
ssl_certificate_key /etc/ssl/nginx/ssl.key;
|
ssl_certificate_key /etc/ssl/nginx/ssl.key;
|
||||||
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
|
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
|
||||||
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
ssl_session_timeout 1d;
|
||||||
ssl_verify_depth 3;
|
ssl_session_cache shared:MozSSL:10m;
|
||||||
ssl_session_cache shared:SSL:10m;
|
ssl_session_tickets off;
|
||||||
ssl_session_timeout 10m;
|
|
||||||
ssl_prefer_server_ciphers on;
|
# intermediate configuration
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; preload";
|
|
||||||
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
|
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
|
||||||
|
|
||||||
location =/nginx_status {
|
location =/nginx_status {
|
||||||
@ -63,7 +68,7 @@ server {
|
|||||||
expires 14d;
|
expires 14d;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(app\/|conf[^\.]|include|locale) {
|
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
|
||||||
deny all;
|
deny all;
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
@ -72,11 +77,6 @@ server {
|
|||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ .php$ {
|
location ~ .php$ {
|
||||||
fastcgi_pass unix:/tmp/php-fpm.sock;
|
fastcgi_pass unix:/tmp/php-fpm.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
|||||||
@ -41,7 +41,7 @@ server {
|
|||||||
expires 14d;
|
expires 14d;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(app\/|conf[^\.]|include|locale) {
|
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
|
||||||
deny all;
|
deny all;
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
@ -50,11 +50,6 @@ server {
|
|||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ .php$ {
|
location ~ .php$ {
|
||||||
fastcgi_pass unix:/tmp/php-fpm.sock;
|
fastcgi_pass unix:/tmp/php-fpm.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
|||||||
@ -21,13 +21,18 @@ server {
|
|||||||
ssl_certificate_key /etc/ssl/nginx/ssl.key;
|
ssl_certificate_key /etc/ssl/nginx/ssl.key;
|
||||||
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
|
ssl_dhparam /etc/ssl/nginx/dhparam.pem;
|
||||||
|
|
||||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
ssl_session_timeout 1d;
|
||||||
ssl_verify_depth 3;
|
ssl_session_cache shared:MozSSL:10m;
|
||||||
ssl_session_cache shared:SSL:10m;
|
ssl_session_tickets off;
|
||||||
ssl_session_timeout 10m;
|
|
||||||
ssl_prefer_server_ciphers on;
|
# intermediate configuration
|
||||||
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||||
|
ssl_prefer_server_ciphers off;
|
||||||
|
|
||||||
|
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
|
||||||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||||||
|
|
||||||
add_header Strict-Transport-Security "max-age=31536000; preload";
|
|
||||||
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
|
add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
|
||||||
|
|
||||||
location =/nginx_status {
|
location =/nginx_status {
|
||||||
@ -63,7 +68,7 @@ server {
|
|||||||
expires 14d;
|
expires 14d;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(app\/|conf[^\.]|include|locale) {
|
location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
|
||||||
deny all;
|
deny all;
|
||||||
return 404;
|
return 404;
|
||||||
}
|
}
|
||||||
@ -72,11 +77,6 @@ server {
|
|||||||
try_files $uri $uri/ /index.php?$args;
|
try_files $uri $uri/ /index.php?$args;
|
||||||
}
|
}
|
||||||
|
|
||||||
location ~ /(api\/|conf[^\.]|include|locale|vendor) {
|
|
||||||
deny all;
|
|
||||||
return 404;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ .php$ {
|
location ~ .php$ {
|
||||||
fastcgi_pass unix:/tmp/php-fpm.sock;
|
fastcgi_pass unix:/tmp/php-fpm.sock;
|
||||||
fastcgi_index index.php;
|
fastcgi_index index.php;
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user