I would like to know if anyone has any clever snippets that they would like to share and add to the following list: /* Large PHP Uploads */ Code: file_uploads = On post_max_size = 200M upload_max_filesize = 200M /* Display PHP Errors */ Code: display_errors = On Thanks!
Good idea. What I often override is open_short_tags and memory_limit per vhost - but the file upload limit one is very handy
Development & test site Snippet for testing sites Code: max_execution_time = 0; display_errors = On; error_reporting = E_ALL & E_STRICT & E_RECOVERABLE_ERROR & E_DEPRECATED & E_USER_DEPRECATED;
I'm not sure if they're of any use to anyone, but here are the ones that I use. Apache: /* Force SSL */ Code: RewriteEngine On RewriteCond %{HTTPS} off RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} /* Disable GeioIP2 (when installed) */ Code: GeoIPEnable Off /* Block Certain Countries (with mod_geoip2) */ Code: <IfModule mod_geoip.c> GeoIPEnable On GeoIPDBFile /usr/share/GeoIP/GeoIP.dat SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry # ... place more countries here Deny from env=BlockCountry </IfModule> /* Allow Only Specific Countries (with mod_geoip2) */ Code: <IfModule mod_geoip.c> GeoIPEnable On GeoIPDBFile /usr/share/GeoIP/GeoIP.dat SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry SetEnvIf GEOIP_COUNTRY_CODE CA AllowCountry SetEnvIf GEOIP_COUNTRY_CODE MX AllowCountry # ... place more countries here Deny from all Allow from env=AllowCountry </IfModule> /* Prevent Static File Caching */ Code: <FilesMatch "\.(html|htm|js|css)$"> FileETag None <ifModule mod_headers.c> Header unset ETag Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate" Header set Pragma "no-cache" Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT" </ifModule> </FilesMatch> /* Disable ModPagespeed (when installed) */ Code: ModPagespeed Off /* ModPagespeed Wordpress Fix (when installed) */ Code: ModPagespeedDisableFilters rewrite_javascript
Nginx redirect http to https Code: #put this at top if ($scheme = http) { return 301 https://$server_name$request_uri;} Nginx reverse proxy Code: location / { proxy_pass http://server-fqdn/; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $host; proxy_buffering off; }
HSTS security header (apache): Code: <If "%{HTTPS} == 'on'"> <IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" Header always set X-Frame-Options SAMEORIGIN </IfModule> </If>
Only allow TLS 1.2 and ciphers (from Mozilla SSL Configuration Generator modern option - Apache 2.4.10 OpenSSL 1.0.1t) Code: <IfModule mod_ssl.c> SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256 </IfModule>
the site may not wrk on old borwsers if you apply that snippet /** hardening SSL ** / HTML: SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA SSLHonorCipherOrder on
I override all nginx ssl tags in ISPconfig templates, because this gives our sites an A+ rating at Qualys SSL-labs. This is in a file called /etc/nginx/TLS Code: ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; ssl_dhparam /etc/ssl/dh4096.pem; resolver 208.67.222.222 208.67.220.220 valid=300s; resolver_timeout 18s; ssl_stapling on; ssl_stapling_verify off; ssl_session_cache shared:SSL:10m; ssl_session_timeout 2h; ssl_buffer_size 4k; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Frame-Options SAMEORIGIN; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; and then I use the following in /usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master : server { listen <tmpl_var name='http_port'>; <tmpl_if name='ipv6_enabled'> listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='http_port'>; </tmpl_if> <tmpl_if name='ssl_enabled'> listen <tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if}; include /etc/nginx/TLS; <tmpl_if name='ipv6_enabled'> listen [<tmpl_var name='ipv6_address'>]:<tmpl_var name='https_port'> ssl{tmpl_if name='enable_http2' op='==' value='y'} http2{/tmpl_if}{tmpl_if name='enable_spdy' op='==' value='y'} spdy{/tmpl_if}; </tmpl_if> ssl_certificate <tmpl_var name='ssl_crt_file'>; ssl_certificate_key <tmpl_var name='ssl_key_file'>; </tmpl_if>etc.
Hello, and where I have to put this code? And how I can save some custom web server configs (like this above) to use it in a Template or in the drop down list? Thank you for the support.
