Optimize Nginx configuration (especially add_header options)

IssueFindings asked:

I want to optimize the Nginx configuration below. In particular, I would like to know if it’s possible to reduce the number of add_header arguments (I rewrite them for each “location” block). So how do I write the add_header arguments only once? If you see other optimisations, feel free to tell me.

Have a nice day.

server {
    listen 443;
    ssl on;

    ssl_protocols TLSv1.2;

    ssl_certificate      /certificate/mywebsite/fullchain.pem;
    ssl_certificate_key  /certificate/mywebsite/privkey.pem;

    ssl_session_cache none;
    ssl_session_tickets off;

    ssl_stapling on;
    resolver 80.67.169.12 valid=30s;
    resolver_timeout 5s;
    ssl_stapling_verify on;
    ssl_trusted_certificate /certificate/mywebsite/chain.pem;

    ssl_dhparam /etc/nginx/dhparam.pem;

    ssl_prefer_server_ciphers on;
    ssl_ciphers '!kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 !kEECDH+AES128 kEECDH+AES256 !kEDH+AES128 kEDH+AES256 +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
    add_header Content-Security-Policy "default-src https://mywebsite:443";
    add_header X-Frame-Options "DENY";
    add_header X-Xss-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";
    add_header 'Referrer-Policy' 'no-referrer';

    server_name mywebsite;
    server_tokens off;
    root /usr/share/nginx/html/restyaboard;
    index  index.html index.php;
    client_max_body_size 300M;

    rewrite ^/oauth/authorize$ /server/php/authorize.php last;
    rewrite ^/oauth_callback/([a-zA-Z0-9_\.]*)/([a-zA-Z0-9_\.]*)$ /server/php/oauth_callback.php?plugin=$1&code=$2 last;
    rewrite ^/download/([0-9]*)/([a-zA-Z0-9_\.]*)$ /server/php/download.php?id=$1&hash=$2 last;
    rewrite ^/ical/([0-9]*)/([0-9]*)/([a-z0-9]*).ics$ /server/php/ical.php?board_id=$1&user_id=$2&hash=$3 last;
    rewrite ^/api/(.*)$ /server/php/R/r.php?_url=$1&$args last;
    rewrite ^/api_explorer/api-docs/$ /client/api_explorer/api-docs/index.php last;

    location / {
        root /usr/share/nginx/html/restyaboard/client;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; # HSTS activation
        add_header Content-Security-Policy "default-src https://mywebsite:443";
        add_header X-Frame-Options "DENY";
        add_header X-Xss-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
        add_header 'Referrer-Policy' 'no-referrer';
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass    unix:/run/php/php7.0-fpm.sock;
        fastcgi_index   index.php;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PHP_VALUE "upload_max_filesize=9G \n post_max_size=9G \n max_execution_time=200 \n max_input_time=200 \n memory_limit=256M";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header Content-Security-Policy "default-src https://mywebsite:443";
        add_header X-Frame-Options "DENY";
        add_header X-Xss-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
        add_header 'Referrer-Policy' 'no-referrer';
    }

    location ~* \.(css|js|less|html|ttf|woff|jpg|jpeg|gif|png|bmp|ico) {
        root /usr/share/nginx/html/restyaboard/client;
        if (-f $request_filename) {
            break;
        }
        rewrite ^/img/([a-zA-Z_]*)/([a-zA-Z_]*)/([a-zA-Z0-9_\.]*)$ /server/php/image.php?size=$1&model=$2&filename=$3 last;
        add_header        Cache-Control public;
        add_header        Cache-Control must-revalidate;
        expires           7d;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header Content-Security-Policy "default-src https://mywebsite:443";
        add_header X-Frame-Options "DENY";
        add_header X-Xss-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
        add_header 'Referrer-Policy' 'no-referrer';
    }
}

My answer:

The problem with add_header is that if you use one in a block (such as a location) then it overrides all of the higher-level add_header statements. Therefore you have to repeat them all if you need to change even one of them.

To get around this, you can make use of includes, and put the headers which don’t need to change at a lower level in an included file, then include it in each location.
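As an added illustration (not part of the original question or answer; the snippet path and the `always` parameter are my additions, and both files are shown in one block separated by comment headers): the shared headers live in one file, the server block includes it once, and only a location that sets a header of its own has to include it again, because that is the only place where the inherited set is discarded.

```nginx
# ---- /etc/nginx/snippets/security-headers.conf (path is an assumption) ----
# "always" makes nginx send these on 4xx/5xx responses as well (nginx 1.7.5+),
# so error pages are not left without the protections.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src https://mywebsite:443" always;
add_header X-Frame-Options "DENY" always;
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;

# ---- server block excerpt (TLS, rewrite and fastcgi directives omitted) ----
server {
    listen 443 ssl;
    server_name mywebsite;
    root /usr/share/nginx/html/restyaboard;

    # Server-level copy: inherited by every location that has no add_header of its own.
    include snippets/security-headers.conf;

    location / {
        root /usr/share/nginx/html/restyaboard/client;
        # No add_header here, so the server-level headers are inherited unchanged.
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Nothing to repeat here either: the location adds no header of its own.
    }

    location ~* \.(css|js|less|html|ttf|woff|jpg|jpeg|gif|png|bmp|ico) {
        root /usr/share/nginx/html/restyaboard/client;
        expires 7d;
        # This location sets its own header, which throws away the inherited set,
        # so the snippet is pulled back in explicitly (one include instead of six lines).
        add_header Cache-Control "public, must-revalidate";
        include snippets/security-headers.conf;
    }
}
```

Run `nginx -t` after the change and confirm with `curl -I` against one URL per location that every response still carries all six headers.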
View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.