Replies: 1 comment
-
Hey! 👋 Your Nginx config looks mostly good, but here are a few best practices and tweaks you might consider, especially for using Nginx behind Cloudflare (CF) with a focus on performance and security.

Suggested Nginx Configuration for Cloudflare

Here’s an optimized version of your config with additional improvements:

    server {
        listen 80;
        server_name ip.***.xyz;
        # Redirect HTTP to HTTPS
        return 301 https://$host$request_uri;
    }
    server {
        listen 443 ssl http2;
        server_name ip.***.xyz;
        # SSL Parameters (using Cloudflare's Origin CA certificate)
        ssl_certificate /var/docker/cloudflare_tls/origin.pem;
        ssl_certificate_key /var/docker/cloudflare_tls/key.pem;
        # SSL Protocols and Ciphers
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'HIGH:!aNULL:!MD5';
        ssl_prefer_server_ciphers on;
        # Cloudflare IP Headers
        set_real_ip_from 173.245.48.0/20;
        set_real_ip_from 103.21.244.0/22;
        set_real_ip_from 103.22.200.0/22;
        set_real_ip_from 103.31.4.0/22;
        set_real_ip_from 141.101.64.0/18;
        set_real_ip_from 108.162.192.0/18;
        set_real_ip_from 190.93.240.0/20;
        set_real_ip_from 188.114.96.0/20;
        set_real_ip_from 197.234.240.0/22;
        set_real_ip_from 198.41.128.0/17;
        set_real_ip_from 162.158.0.0/15;
        set_real_ip_from 104.16.0.0/12;
        set_real_ip_from 172.64.0.0/13;
        set_real_ip_from 131.0.72.0/22;
        real_ip_header CF-Connecting-IP;
        # Security Headers
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy no-referrer-when-downgrade;
        add_header Content-Security-Policy "default-src 'self';";
        # Proxy Settings
        location / {
            proxy_pass http://localhost:18966;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
            # Pass through original IP
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;
        }
        # Logging (optional)
        access_log /var/log/nginx/ip.***.xyz.access.log;
        error_log /var/log/nginx/ip.***.xyz.error.log;
    }

Key Changes & Additions

Let me know if this helps! 😊
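Added example, not part of the reply above or of any project's code: a small Python model of how the `set_real_ip_from` / `real_ip_header` pair in that config decides which address ends up in `$remote_addr`, run over constructed requests. The function names and sample addresses are assumptions made for illustration, and only the default `real_ip_recursive off` behaviour with CIDR entries is modelled.

```python
import ipaddress
import re

# Constructed sample: a few directives copied from the config in the reply above.
SAMPLE_CONF = """
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 162.158.0.0/15;
real_ip_header CF-Connecting-IP;
"""

def parse_realip(conf):
    """Return (trusted networks, header name) from realip directives."""
    nets = [ipaddress.ip_network(m) for m in
            re.findall(r"^\s*set_real_ip_from\s+([^;\s]+)\s*;", conf, re.M)]
    hdr = re.search(r"^\s*real_ip_header\s+([^;\s]+)\s*;", conf, re.M)
    # nginx falls back to X-Real-IP when real_ip_header is not set
    return nets, (hdr.group(1) if hdr else "X-Real-IP")

def effective_client_ip(peer, headers, nets, header_name):
    """Model of the realip decision: the header replaces the peer address
    only when the TCP peer itself is inside a trusted range."""
    peer_ip = ipaddress.ip_address(peer)
    if not any(peer_ip in n for n in nets):
        return str(peer_ip)              # untrusted peer: header is ignored
    value = {k.lower(): v for k, v in headers.items()}.get(header_name.lower())
    if value is None:
        return str(peer_ip)              # trusted peer but no header sent
    try:
        return str(ipaddress.ip_address(value.split(",")[-1].strip()))
    except ValueError:
        return str(peer_ip)              # malformed header: keep peer address

def demo():
    nets, hdr = parse_realip(SAMPLE_CONF)
    cases = [  # (TCP peer, request headers), all constructed
        ("173.245.48.10", {"CF-Connecting-IP": "203.0.113.7"}),  # via a listed range
        ("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}),   # direct to origin
        ("162.158.1.1", {}),                                     # listed range, no header
    ]
    return [effective_client_ip(p, h, nets, hdr) for p, h in cases]

if __name__ == "__main__":
    print(demo())
```

A request that reaches the origin from an address outside the listed ranges keeps its own peer address in the logs, so the list should contain only the proxy's ranges.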
-
Hi! Using a service behind CF and Nginx. Can somebody give a best-practice Nginx config?
Thanks.
My config:
    server {
        listen 80;
        server_name ip.***.xyz;
    }
    server {
        listen 443 ssl;
        server_name ip.***.xyz;
    }