Optimizations for Nginx/Apache configs

web-nginx-pgsql/alpine/conf/etc/zabbix/nginx.conf

@@ -41,7 +41,7 @@ server {
         expires 14d;
     }
 
-    location ~ /(app\/|conf[^\.]|include|locale) {
+    location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
         deny all;
         return 404;
     }
@@ -50,11 +50,6 @@ server {
         try_files $uri $uri/ /index.php?$args;
     }
 
-    location ~ /(api\/|conf[^\.]|include|locale|vendor) {
-        deny  all;
-        return  404;
-    }
-
     location ~ .php$ {
         fastcgi_pass   unix:/tmp/php-fpm.sock;
         fastcgi_index  index.php;

web-nginx-pgsql/alpine/conf/etc/zabbix/nginx_ssl.conf

@@ -21,13 +21,18 @@ server {
     ssl_certificate_key /etc/ssl/nginx/ssl.key;
     ssl_dhparam /etc/ssl/nginx/dhparam.pem;
 
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
-    ssl_verify_depth 3;
-    ssl_session_cache    shared:SSL:10m;
-    ssl_session_timeout  10m;
-    ssl_prefer_server_ciphers on;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;
+    ssl_session_tickets off;
+
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
 
-    add_header Strict-Transport-Security "max-age=31536000; preload";
     add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
 
     location =/nginx_status {
@@ -63,7 +68,7 @@ server {
         expires 14d;
     }
 
-    location ~ /(app\/|conf[^\.]|include|locale) {
+    location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
         deny all;
         return 404;
     }
@@ -72,11 +77,6 @@ server {
         try_files $uri $uri/ /index.php?$args;
     }
 
-    location ~ /(api\/|conf[^\.]|include|locale|vendor) {
-        deny  all;
-        return  404;
-    }
-
     location ~ .php$ {
         fastcgi_pass   unix:/tmp/php-fpm.sock;
         fastcgi_index  index.php;

web-nginx-pgsql/centos/conf/etc/zabbix/nginx.conf

@@ -41,7 +41,7 @@ server {
         expires 14d;
     }
 
-    location ~ /(app\/|conf[^\.]|include|locale) {
+    location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
         deny all;
         return 404;
     }
@@ -50,11 +50,6 @@ server {
         try_files $uri $uri/ /index.php?$args;
     }
 
-    location ~ /(api\/|conf[^\.]|include|locale|vendor) {
-        deny  all;
-        return  404;
-    }
-
     location ~ .php$ {
         fastcgi_pass   unix:/tmp/php-fpm.sock;
         fastcgi_index  index.php;

web-nginx-pgsql/centos/conf/etc/zabbix/nginx_ssl.conf

@@ -21,13 +21,18 @@ server {
     ssl_certificate_key /etc/ssl/nginx/ssl.key;
     ssl_dhparam /etc/ssl/nginx/dhparam.pem;
 
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
-    ssl_verify_depth 3;
-    ssl_session_cache    shared:SSL:10m;
-    ssl_session_timeout  10m;
-    ssl_prefer_server_ciphers on;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;
+    ssl_session_tickets off;
+
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
 
-    add_header Strict-Transport-Security "max-age=31536000; preload";
     add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
 
     location =/nginx_status {
@@ -63,7 +68,7 @@ server {
         expires 14d;
     }
 
-    location ~ /(app\/|conf[^\.]|include|locale) {
+    location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
         deny all;
         return 404;
     }
@@ -72,11 +77,6 @@ server {
         try_files $uri $uri/ /index.php?$args;
     }
 
-    location ~ /(api\/|conf[^\.]|include|locale|vendor) {
-        deny  all;
-        return  404;
-    }
-
     location ~ .php$ {
         fastcgi_pass   unix:/tmp/php-fpm.sock;
         fastcgi_index  index.php;

web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx.conf

@@ -41,7 +41,7 @@ server {
         expires 14d;
     }
 
-    location ~ /(app\/|conf[^\.]|include|locale) {
+    location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
         deny all;
         return 404;
     }
@@ -50,11 +50,6 @@ server {
         try_files $uri $uri/ /index.php?$args;
     }
 
-    location ~ /(api\/|conf[^\.]|include|locale|vendor) {
-        deny  all;
-        return  404;
-    }
-
     location ~ .php$ {
         fastcgi_pass   unix:/tmp/php-fpm.sock;
         fastcgi_index  index.php;

web-nginx-pgsql/ubuntu/conf/etc/zabbix/nginx_ssl.conf

@@ -21,13 +21,18 @@ server {
     ssl_certificate_key /etc/ssl/nginx/ssl.key;
     ssl_dhparam /etc/ssl/nginx/dhparam.pem;
 
-    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
-    ssl_verify_depth 3;
-    ssl_session_cache    shared:SSL:10m;
-    ssl_session_timeout  10m;
-    ssl_prefer_server_ciphers on;
+    ssl_session_timeout 1d;
+    ssl_session_cache shared:MozSSL:10m;
+    ssl_session_tickets off;
+
+    # intermediate configuration
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+
+    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+    add_header Strict-Transport-Security "max-age=63072000" always;
 
-    add_header Strict-Transport-Security "max-age=31536000; preload";
     add_header Content-Security-Policy-Report-Only "default-src https:; script-src https: 'unsafe-eval' 'unsafe-inline'; style-src https: 'unsafe-inline'; img-src https: data:; font-src https: data:; report-uri /csp-report";
 
     location =/nginx_status {
@@ -63,7 +68,7 @@ server {
         expires 14d;
     }
 
-    location ~ /(app\/|conf[^\.]|include|locale) {
+    location ~ /(app\/|conf[^\.]|include\/|local\/|locale\/) {
         deny all;
         return 404;
     }
@@ -72,11 +77,6 @@ server {
         try_files $uri $uri/ /index.php?$args;
     }
 
-    location ~ /(api\/|conf[^\.]|include|locale|vendor) {
-        deny  all;
-        return  404;
-    }
-
     location ~ .php$ {
         fastcgi_pass   unix:/tmp/php-fpm.sock;
         fastcgi_index  index.php;