Hello, Debian 9, ISPConfig Version: 3.1.14p2, single Nginx. Two reputable tools indicate the following errors to improve on each website. I read many tutorials on Nginx. I did not find anything with ISPConfig. No tutorial I tried does a correct job. How to proceed?

1. Allow compression of the following resources (Gzip) to reduce the amount of data transferred: CSS and JS. Text resources must be compressed (Gzip, Deflate, or Brotli) to reduce the total number of bytes on the network.
2. The following compressible resources, which can be cached, must be associated with a "Vary: Accept-Encoding" header: CSS and JS.
3. To prevent or mitigate the potential damage of an XSS attack, you must configure your server so that the response from the master resource contains the HTTP header "Content-Security-Policy".
4. Use an HTTP header "X-Frame-Options". Configure your server so that the response from the master resource contains the HTTP header "X-Frame-Options".
5. Configure an HTTP header "X-XSS-Protection".
6. Configure an HTTP header "X-Content-Type-Options": CSS, JS, WOFF2.
7. Only 6% of the site is HTTP/2 compatible.
Some can be configured in the nginx default conf and some can be used directly inside the domain vhost. For the domain vhost, you can copy the default ISPConfig nginx master conf to the conf-custom folder and modify the latter accordingly.
Or use the nginx directives field on the options tab of the website in ISPConfig, if you don't want to change the config for all sites.
I initially tried with the idea of making a general setting at the server level for most rules and at each site for particular policies. This did not work. I then wanted to try at the level of each site. Specifically regarding GZIP and the cache, I tried unsuccessfully the following NGINX snippets. Where is the error?

Code:
#GZIP
gzip_static on;
gzip on;
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_vary on;
gzip_types application/atom+xml application/geo+json application/javascript application/x-javascript
           application/json application/ld+json application/manifest+json application/rdf+xml
           application/rss+xml application/vnd.ms-fontobject application/wasm
           application/x-web-app-manifest+json application/xhtml+xml application/xml font/otf
           image/bmp image/svg+xml text/cache-manifest text/calendar text/css text/javascript
           text/markdown text/plain text/xml text/vcard text/vnd.rim.location.xloc text/vtt
           text/x-component text/x-cross-domain-policy;

Code:
#Cache file-descriptors
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 2;
open_file_cache_errors on;

# Expires
map $sent_http_content_type $expires {
    default 1M;

    # No content
    "" off;

    # CSS
    ~*text/css 1y;

    # Data interchange
    ~*application/atom\+xml 1h;
    ~*application/rdf\+xml 1h;
    ~*application/rss\+xml 1h;
    ~*application/json 0;
    ~*application/ld\+json 0;
    ~*application/schema\+json 0;
    ~*application/geo\+json 0;
    ~*application/xml 0;
    ~*text/calendar 0;
    ~*text/xml 0;

    # Favicon (cannot be renamed!) and cursor images
    ~*image/vnd.microsoft.icon 1w;
    ~*image/x-icon 1w;

    # HTML
    ~*text/html 0;

    # JavaScript
    ~*application/javascript 1y;
    ~*application/x-javascript 1y;
    ~*text/javascript 1y;

    # Manifest files
    ~*application/manifest\+json 1w;
    ~*application/x-web-app-manifest\+json 0;
    ~*text/cache-manifest 0;

    # Markdown
    ~*text/markdown 0;

    # Media files
    ~*audio/ 1M;
    ~*image/ 1M;
    ~*video/ 1M;

    # WebAssembly
    ~*application/wasm 1y;

    # Web fonts
    ~*font/ 1M;
    ~*application/vnd.ms-fontobject 1M;
    ~*application/x-font-ttf 1M;
    ~*application/x-font-woff 1M;
    ~*application/font-woff 1M;
    ~*application/font-woff2 1M;

    # Other
    ~*text/x-cross-domain-policy 1w;
}
expires $expires;
Check if the config was saved and that the vhost file has no .err file ending. If you got a website vhost file with a .err ending, then you have a typo in your config and nginx rejected the code. Besides that, check the nginx docs to see if all directives that you used in the nginx directives field are allowed to be inserted into the server { .... } part of the config, which is the website.
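As an added example (not from this thread or from ISPConfig itself), here is a snippet written for the ISPConfig "nginx directives" field that addresses findings 1 to 6 from the first post while using only directives nginx accepts inside server { }. The domain, the CSP value and the types list are assumptions to adapt per site; a map block, by contrast, is only valid in http { } and therefore belongs in a file under /etc/nginx/conf.d/ rather than in this field.

```nginx
# Added example for the ISPConfig "nginx directives" field (server { } context).
# Placeholders: your.domain.tld, the CSP policy and the gzip_types list.
# A "map $sent_http_content_type $expires" block is http { } only and would make
# nginx reject the vhost (ISPConfig then leaves a .err file), so it is not used here.

# Findings 1 and 2: compress text assets and send "Vary: Accept-Encoding".
gzip on;
gzip_vary on;                 # adds the Vary header to compressible responses
gzip_comp_level 5;
gzip_min_length 256;
gzip_proxied any;
gzip_types text/css text/javascript application/javascript application/json
           application/xml application/manifest+json image/svg+xml;
# WOFF2 is deliberately absent: the format is already compressed internally.

# Findings 3 to 6: security headers. "always" keeps them on 4xx/5xx responses.
# Start with a restrictive CSP and widen it only for what the site really loads.
add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;   # legacy header; scanners still expect it

# Cache static files. nginx discards inherited add_header lines as soon as a
# location { } declares its own add_header, so the headers are repeated here;
# otherwise CSS, JS and WOFF2 would lose X-Content-Type-Options (finding 6).
location ~* \.(css|js|woff2?|ttf|otf|svg|png|jpe?g|gif|ico)$ {
    expires 1M;
    access_log off;
    add_header Cache-Control "public" always;
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'self'; base-uri 'self'" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;
}
```

After saving, confirm that no .err vhost file appeared and verify one CSS file with `curl -s -o /dev/null -D - -H 'Accept-Encoding: gzip' https://your.domain.tld/style.css`, which should show Content-Encoding: gzip, Vary: Accept-Encoding and the security headers together.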
I will share mine later. I am out with my family now. Nginx conf is kinda sensitive. You'll need to get the right one to make it work either at server level or domain level.
My site's vhost top part:

Code:
server {
    listen *:443 http2 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_certificate /var/www/your.domain.tld/ssl/your.domain.tld-le.crt;
    ssl_certificate_key /var/www/your.domain.tld/ssl/your.domain.tld-le.key;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location ~* \.(ogg|ogv|svg|svgz|eot|ttf|otf|woff|woff2|mp4|mp3|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|html|xml|txt|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)(\?ver=[0-9.]+)?$ {
        access_log off;
        log_not_found off;
        expires max;
        add_header Pragma public;
        add_header Cache-Control "public";
    }

    location ~* \.(pdf)$ {
        expires 30d;
    }

    server_name your.domain.tld ;
    root /var/www/your.domain.tld/web/;

I am not sure that you can simply use my samples in your site's nginx directives, especially without modifications. My nginx.conf for server level is as attached. It might not be the best, but it works for me.
Thank you, Ahrasis. So, I will try this configuration. I, for my part, found this tutorial: Nginx Boiler Plate Configurations for Various Web Servers. I copied all the files and directories into /usr/share/nginx/. I must have missed something, because I could not get it to work for everything, including GZIP and caches.