Update nginx config for Trixie

JedMeister · JedMeister · commit 84dca4121777 · 2025-10-13T10:16:07.000+11:00
diff --git a/overlays/nginx/etc/nginx/sites-available/tkl-default b/overlays/nginx/etc/nginx/sites-available/tkl-default
@@ -11,7 +11,7 @@
 #
 # This file will automatically load configuration files provided by other
 # applications, such as Drupal or Wordpress. These applications will be made
-# available underneath a path with that package name, such as /drupal8.
+# available underneath a path with that package name, such as /drupal12.
 #
 # Please see /usr/share/doc/nginx-doc/examples/ (from Debian nginx-doc
 # package) for more detailed examples.
@@ -23,6 +23,9 @@ server {
     listen 80 default_server;
     listen [::]:80 default_server;
 
+    # temporary redirect to https - update to permanent (308) for production
+    return 307 https://$host$request_uri;
+
     # SSL configuration
     listen 443 ssl default_server;
     listen [::]:443 ssl default_server;
@@ -44,8 +47,17 @@ server {
     # Uncomment to enable PHP-FPM
     #include snippets/php-fpm.conf;
 
-    # deny access to .htaccess files
-    location ~ /\.ht {
+    # Deny access to all dot files
+    location ~ /\. {
         deny all;
+        access_log off;
+        log_not_found off;
+        return 404;
     }
+    # above also disables access to .well-known
+    # TKL default Let's Encrypt works fine, but other third party tools may
+    # require this section to be uncommented
+    #location ^~ /.well-known {
+    #    allow all;
+    #}
 }
diff --git a/overlays/nginx/etc/nginx/snippets/ssl.conf b/overlays/nginx/etc/nginx/snippets/ssl.conf
@@ -1,16 +1,42 @@
-ssl_certificate      /etc/ssl/private/cert.pem;
-ssl_certificate_key  /etc/ssl/private/cert.key;
-ssl_session_timeout  5m;
-ssl_session_cache shared:SSL:50m;
+ssl_certificate     /etc/ssl/private/cert.pem;
+ssl_certificate_key /etc/ssl/private/cert.key;
 
-ssl_protocols TLSv1.2 TLSv1.3;
+http2 on;
 
-# ciphers added by conf/turnkey.d/zz-ssl-ciphers script
-ssl_ciphers '';
 
-ssl_prefer_server_ciphers   on;
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ecdh_curve X25519:prime256v1:secp384r1;
+# ciphers added by conf/turnkey.d/zz-ssl-ciphers script
+ssl_ciphers 'ZZ_SSL_CIPHERS';
+ssl_prefer_server_ciphers off;
 
 ssl_dhparam /etc/ssl/private/dhparams.pem;
+
 add_header X-Content-Type-Options nosniff;
 
+# HSTS
+add_header Strict-Transport-Security "max-age=63072000" always;
+server {
+    listen 80 default_server;
+    listen [::]:80 default_server;
+
+    return 301 https://$host$request_uri;
+}
+
+# see also ssl_session_ticket_key alternative to stateful session cache
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+
+# OCSP stapling (disabled by default)
+#ssl_stapling on;
+#ssl_stapling_verify on;
+# verify chain of trust of OCSP response using Root CA and Intermediate certs
+#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
+
+# replace with the IP address of your resolver;
+# async 'resolver' is important for proper operation of OCSP stapling
+#resolver 127.0.0.1;
+# If certificates are marked OCSP Must-Staple, consider managing the
+# OCSP stapling cache with an external script, e.g. certbot-ocsp-fetcher
+
 server_tokens off;
diff --git a/plans/turnkey/nginx-php-fpm-mysql b/plans/turnkey/nginx-php-fpm-mysql
@@ -1,6 +1,7 @@
 #include <turnkey/mysql>
 
 nginx
+libnginx-mod-http-modsecurity
 
 php-fpm
 php-gd

-Original file line number
+Diff line change
@@ @@ -1,6 +1,7 @@ @@
 #include <turnkey/mysql>
 nginx
 +libnginx-mod-http-modsecurity
 php-fpm
 php-gd