NGinx¶
Einleitung¶
Unser Hosting System wird um folgende Dienste erweitert.
- NGinx 1.22.1 (HTTP/2, mod_brotli)
Voraussetzungen¶
Zu den Voraussetzungen für dieses HowTo siehe bitte: Hosting System
Installation¶
Important
Der Rest des HowTo ist derzeit nicht auf das Zusammenspiel mit NGinx abgestimmt, daher ist die Verwendung von Apache aktuell zu bevorzugen. NGinx bietet zudem auch keinen wirklichen Mehrwert gegenüber Apache, so dass Apache generell bevorzugt werden sollte. Die hier gezeigte Konfiguration ist nicht ausreichend getestet, enthält möglicherweise sicherheitsrelevante Fehler und ist daher vollkommen unsupportet. Die Verwendung von NGinx erfolgt daher ausschliesslich auf eigenes Risiko und ohne weitere Unterstützung durch dieses HowTo.
Wir installieren www/nginx und dessen Abhängigkeiten.
Bash
mkdir -p /var/db/ports/www_nginx
cat << "EOF" > /var/db/ports/www_nginx/options
_OPTIONS_READ=nginx-1.22.1
_FILE_COMPLETE_OPTIONS_LIST=DEBUG DEBUGLOG DSO FILE_AIO IPV6 NJS THREADS WWW PCRE_ONE PCRE_TWO MAIL MAIL_IMAP MAIL_POP3 MAIL_SMTP MAIL_SSL GOOGLE_PERFTOOLS HTTP HTTP_ADDITION HTTP_AUTH_REQ HTTP_CACHE HTTP_DAV HTTP_FLV HTTP_GUNZIP_FILTER HTTP_GZIP_STATIC HTTP_IMAGE_FILTER HTTP_MP4 HTTP_PERL HTTP_RANDOM_INDEX HTTP_REALIP HTTP_SECURE_LINK HTTP_SLICE HTTP_SLICE_AHEAD HTTP_SSL HTTP_STATUS HTTP_SUB HTTP_XSLT HTTPV2 HTTPV2_AUTOTUNE AJP AWS_AUTH BROTLI CACHE_PURGE CLOJURE CT DEVEL_KIT ARRAYVAR DRIZZLE DYNAMIC_TLS DYNAMIC_HC DYNAMIC_UPSTREAM ECHO ENCRYPTSESSION FORMINPUT GRIDFS HEADERS_MORE HTTP_ACCEPT_LANGUAGE HTTP_AUTH_DIGEST HTTP_AUTH_JWT HTTP_AUTH_KRB5 HTTP_AUTH_LDAP HTTP_AUTH_PAM HTTP_DAV_EXT HTTP_EVAL HTTP_FANCYINDEX HTTP_FOOTER HTTP_GEOIP2 HTTP_IP2LOCATION HTTP_IP2PROXY HTTP_JSON_STATUS HTTP_MOGILEFS HTTP_MP4_H264 HTTP_NOTICE HTTP_PUSH HTTP_PUSH_STREAM HTTP_REDIS HTTP_RESPONSE HTTP_SUBS_FILTER HTTP_TARANTOOL HTTP_UPLOAD HTTP_UPLOAD_PROGRESS HTTP_UPSTREAM_CHECK HTTP_UPSTREAM_FAIR HTTP_UPSTREAM_STICKY HTTP_VIDEO_THUMBEXTRACTOR HTTP_ZIP ICONV LET LINK LUA MEMC MODSECURITY3 NAXSI OPENTRACING PASSENGER POSTGRES RDS_CSV RDS_JSON REDIS2 RTMP SET_MISC SFLOW SHIBBOLETH SLOWFS_CACHE SMALL_LIGHT SRCACHE VOD VTS XSS WEBSOCKIFY STREAM STREAM_REALIP STREAM_SSL STREAM_SSL_PREREAD
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_UNSET+=DEBUGLOG
OPTIONS_FILE_SET+=DSO
OPTIONS_FILE_SET+=FILE_AIO
OPTIONS_FILE_SET+=IPV6
OPTIONS_FILE_UNSET+=NJS
OPTIONS_FILE_SET+=THREADS
OPTIONS_FILE_UNSET+=WWW
OPTIONS_FILE_UNSET+=PCRE_ONE
OPTIONS_FILE_SET+=PCRE_TWO
OPTIONS_FILE_UNSET+=MAIL
OPTIONS_FILE_UNSET+=MAIL_IMAP
OPTIONS_FILE_UNSET+=MAIL_POP3
OPTIONS_FILE_UNSET+=MAIL_SMTP
OPTIONS_FILE_UNSET+=MAIL_SSL
OPTIONS_FILE_UNSET+=GOOGLE_PERFTOOLS
OPTIONS_FILE_SET+=HTTP
OPTIONS_FILE_SET+=HTTP_ADDITION
OPTIONS_FILE_SET+=HTTP_AUTH_REQ
OPTIONS_FILE_SET+=HTTP_CACHE
OPTIONS_FILE_SET+=HTTP_DAV
OPTIONS_FILE_SET+=HTTP_FLV
OPTIONS_FILE_SET+=HTTP_GUNZIP_FILTER
OPTIONS_FILE_SET+=HTTP_GZIP_STATIC
OPTIONS_FILE_UNSET+=HTTP_IMAGE_FILTER
OPTIONS_FILE_SET+=HTTP_MP4
OPTIONS_FILE_UNSET+=HTTP_PERL
OPTIONS_FILE_SET+=HTTP_RANDOM_INDEX
OPTIONS_FILE_SET+=HTTP_REALIP
OPTIONS_FILE_SET+=HTTP_SECURE_LINK
OPTIONS_FILE_SET+=HTTP_SLICE
OPTIONS_FILE_UNSET+=HTTP_SLICE_AHEAD
OPTIONS_FILE_SET+=HTTP_SSL
OPTIONS_FILE_SET+=HTTP_STATUS
OPTIONS_FILE_SET+=HTTP_SUB
OPTIONS_FILE_UNSET+=HTTP_XSLT
OPTIONS_FILE_SET+=HTTPV2
OPTIONS_FILE_UNSET+=HTTPV2_AUTOTUNE
OPTIONS_FILE_UNSET+=AJP
OPTIONS_FILE_UNSET+=AWS_AUTH
OPTIONS_FILE_SET+=BROTLI
OPTIONS_FILE_UNSET+=CACHE_PURGE
OPTIONS_FILE_UNSET+=CLOJURE
OPTIONS_FILE_SET+=CT
OPTIONS_FILE_UNSET+=DEVEL_KIT
OPTIONS_FILE_UNSET+=ARRAYVAR
OPTIONS_FILE_UNSET+=DRIZZLE
OPTIONS_FILE_UNSET+=DYNAMIC_TLS
OPTIONS_FILE_UNSET+=DYNAMIC_HC
OPTIONS_FILE_UNSET+=DYNAMIC_UPSTREAM
OPTIONS_FILE_UNSET+=ECHO
OPTIONS_FILE_UNSET+=ENCRYPTSESSION
OPTIONS_FILE_UNSET+=FORMINPUT
OPTIONS_FILE_UNSET+=GRIDFS
OPTIONS_FILE_UNSET+=HEADERS_MORE
OPTIONS_FILE_UNSET+=HTTP_ACCEPT_LANGUAGE
OPTIONS_FILE_SET+=HTTP_AUTH_DIGEST
OPTIONS_FILE_UNSET+=HTTP_AUTH_JWT
OPTIONS_FILE_UNSET+=HTTP_AUTH_KRB5
OPTIONS_FILE_UNSET+=HTTP_AUTH_LDAP
OPTIONS_FILE_UNSET+=HTTP_AUTH_PAM
OPTIONS_FILE_UNSET+=HTTP_DAV_EXT
OPTIONS_FILE_UNSET+=HTTP_EVAL
OPTIONS_FILE_UNSET+=HTTP_FANCYINDEX
OPTIONS_FILE_UNSET+=HTTP_FOOTER
OPTIONS_FILE_UNSET+=HTTP_GEOIP2
OPTIONS_FILE_UNSET+=HTTP_IP2LOCATION
OPTIONS_FILE_UNSET+=HTTP_IP2PROXY
OPTIONS_FILE_UNSET+=HTTP_JSON_STATUS
OPTIONS_FILE_UNSET+=HTTP_MOGILEFS
OPTIONS_FILE_UNSET+=HTTP_MP4_H264
OPTIONS_FILE_UNSET+=HTTP_NOTICE
OPTIONS_FILE_UNSET+=HTTP_PUSH
OPTIONS_FILE_UNSET+=HTTP_PUSH_STREAM
OPTIONS_FILE_UNSET+=HTTP_REDIS
OPTIONS_FILE_UNSET+=HTTP_RESPONSE
OPTIONS_FILE_UNSET+=HTTP_SUBS_FILTER
OPTIONS_FILE_UNSET+=HTTP_TARANTOOL
OPTIONS_FILE_UNSET+=HTTP_UPLOAD
OPTIONS_FILE_UNSET+=HTTP_UPLOAD_PROGRESS
OPTIONS_FILE_UNSET+=HTTP_UPSTREAM_CHECK
OPTIONS_FILE_UNSET+=HTTP_UPSTREAM_FAIR
OPTIONS_FILE_UNSET+=HTTP_UPSTREAM_STICKY
OPTIONS_FILE_UNSET+=HTTP_VIDEO_THUMBEXTRACTOR
OPTIONS_FILE_UNSET+=HTTP_ZIP
OPTIONS_FILE_UNSET+=ICONV
OPTIONS_FILE_UNSET+=LET
OPTIONS_FILE_UNSET+=LINK
OPTIONS_FILE_UNSET+=LUA
OPTIONS_FILE_UNSET+=MEMC
OPTIONS_FILE_UNSET+=MODSECURITY3
OPTIONS_FILE_UNSET+=NAXSI
OPTIONS_FILE_UNSET+=OPENTRACING
OPTIONS_FILE_UNSET+=PASSENGER
OPTIONS_FILE_UNSET+=POSTGRES
OPTIONS_FILE_UNSET+=RDS_CSV
OPTIONS_FILE_UNSET+=RDS_JSON
OPTIONS_FILE_UNSET+=REDIS2
OPTIONS_FILE_UNSET+=RTMP
OPTIONS_FILE_UNSET+=SET_MISC
OPTIONS_FILE_UNSET+=SFLOW
OPTIONS_FILE_UNSET+=SHIBBOLETH
OPTIONS_FILE_UNSET+=SLOWFS_CACHE
OPTIONS_FILE_UNSET+=SMALL_LIGHT
OPTIONS_FILE_UNSET+=SRCACHE
OPTIONS_FILE_UNSET+=VOD
OPTIONS_FILE_UNSET+=VTS
OPTIONS_FILE_UNSET+=XSS
OPTIONS_FILE_UNSET+=WEBSOCKIFY
OPTIONS_FILE_SET+=STREAM
OPTIONS_FILE_SET+=STREAM_REALIP
OPTIONS_FILE_SET+=STREAM_SSL
OPTIONS_FILE_SET+=STREAM_SSL_PREREAD
"EOF"
cd /usr/ports/www/nginx
make all install clean-depends clean
sysrc nginx_enable=YES
sysrc nginxlimits_enable=YES
mkdir -p /usr/local/etc/newsyslog.conf.d
cat << "EOF" >> /usr/local/etc/newsyslog.conf.d/nginx
/var/log/nginx/*.log 644 13 * $W6D0 JCG /var/run/nginx.pid
/data/www/vhosts/*/logs/nginx_*_log 644 24 * $M1D0 JCG /var/run/nginx.pid
"EOF"
Konfiguration¶
Verzeichnisse für die ersten VirtualHosts erstellen.
Bash
mkdir -p /data/www/{cache,tmp}
chmod 1777 /data/www/{cache,tmp}
chown www:www /data/www/{cache,tmp}
mkdir -p /data/www/acme/.well-known
mkdir -p /data/www/vhosts/_{default,localhost}_/logs
mkdir -p /data/www/vhosts/_{default,localhost}_/data/.well-known
chmod 0750 /data/www/vhosts/_{default,localhost}_/data
chown www:www /data/www/vhosts/_{default,localhost}_/data
mkdir -p /data/www/vhosts/mail.example.com/logs
mkdir -p /data/www/vhosts/mail.example.com/data/.well-known
chmod 0750 /data/www/vhosts/mail.example.com/data
chown www:www /data/www/vhosts/mail.example.com/data
mkdir -p /data/www/vhosts/www.example.com/logs
mkdir -p /data/www/vhosts/www.example.com/data/.well-known
chmod 0750 /data/www/vhosts/www.example.com/data
chown www:www /data/www/vhosts/www.example.com/data
Die folgende Konfiguration verwendet für den localhost den Pfad /data/www/vhosts/_localhost_, für den Default-Host den Pfad /data/www/vhosts/_default_ und für die regulären Virtual-Hosts den Pfad /data/www/vhosts/sub.domain.tld.
nginx.conf einrichten.
Bash
cat << "EOF" > /usr/local/etc/nginx/nginx.conf
user www www;
load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
resolver 127.0.0.1;
sendfile on;
tcp_nopush on;
keepalive_timeout 65;
aio on;
deny all;
etag off;
charset utf-8;
charset_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/schema+json application/vnd.geo+json application/x-javascript application/x-web-app-manifest+json application/xhtml+xml application/xml image/svg+xml text/cache-manifest text/css text/javascript text/markdown text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/xml;
gzip on;
gzip_vary on;
gzip_comp_level 6;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/schema+json application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-javascript application/x-web-app-manifest+json application/xhtml+xml application/xml font/eot font/opentype image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon text/cache-manifest text/css text/javascript text/markdown text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/xml;
brotli on;
brotli_comp_level 6;
brotli_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/schema+json application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-javascript application/x-web-app-manifest+json application/xhtml+xml application/xml font/eot font/opentype image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon text/cache-manifest text/css text/javascript text/markdown text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/xml;
map $sent_http_content_type $expires {
default 30d;
text/css 7d;
application/atom+xml 1h;
application/rdf+xml 1h;
application/rss+xml 1h;
application/xhtml+xml 0;
application/json 0;
application/ld+json 0;
application/schema+json 0;
application/vnd.geo+json 0;
application/xml 0;
text/xml 0;
image/vnd.microsoft.icon 7d;
text/html 0;
text/markdown 0;
application/javascript 7d;
text/javascript 7d;
application/manifest+json 7d;
}
expires $expires;
include vhosts.conf;
ssl_stapling on;
ssl_session_tickets off;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";
ssl_prefer_server_ciphers on;
include vhosts-ssl.conf;
}
"EOF"
vhosts.conf einrichten.
Bash
cat << "EOF" > /usr/local/etc/nginx/vhosts.conf
server {
listen 8080;
server_name localhost "";
error_log /data/www/vhosts/_localhost_/logs/nginx_error_log;
access_log /data/www/vhosts/_localhost_/logs/nginx_access_log combined;
root /data/www/vhosts/_localhost_/data;
index index.html index.htm index.php;
include headers.conf;
location / {
allow all;
}
include defaults.conf;
location ~ ^(.+\.phps?)(/.*)?$ {
fastcgi_pass unix:/var/run/fpm_www.sock;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.phps?)(/.*)?$;
fastcgi_param SCRIPT_FILENAME /data/www/vhosts/_localhost_/data$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
allow all;
}
}
server {
listen 8080 default_server;
server_name devnull.example.com;
error_log /data/www/vhosts/_default_/logs/nginx_error_log;
access_log /data/www/vhosts/_default_/logs/nginx_access_log combined;
root /data/www/vhosts/_default_/data;
index index.html index.htm index.php;
include headers.conf;
location / {
allow all;
}
include defaults.conf;
location ~ ^(.+\.phps?)(/.*)?$ {
fastcgi_pass unix:/var/run/fpm_www.sock;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.phps?)(/.*)?$;
fastcgi_param SCRIPT_FILENAME /data/www/vhosts/_default_/data$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
allow all;
}
}
server {
listen 8080;
server_name mail.example.com;
error_log /data/www/vhosts/mail.example.com/logs/nginx_error_log;
access_log /data/www/vhosts/mail.example.com/logs/nginx_access_log combined;
root /data/www/vhosts/mail.example.com/data;
index index.html index.htm index.php;
include headers.conf;
location / {
allow all;
}
include defaults.conf;
location ~ ^(.+\.phps?)(/.*)?$ {
fastcgi_pass unix:/var/run/fpm_www.sock;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.phps?)(/.*)?$;
fastcgi_param SCRIPT_FILENAME /data/www/vhosts/mail.example.com/data$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
allow all;
}
}
server {
listen 8080;
server_name www.example.com;
error_log /data/www/vhosts/www.example.com/logs/nginx_error_log;
access_log /data/www/vhosts/www.example.com/logs/nginx_access_log combined;
root /data/www/vhosts/www.example.com/data;
index index.html index.htm index.php;
include headers.conf;
location / {
allow all;
}
include defaults.conf;
location ~ ^(.+\.phps?)(/.*)?$ {
fastcgi_pass unix:/var/run/fpm_www.sock;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.phps?)(/.*)?$;
fastcgi_param SCRIPT_FILENAME /data/www/vhosts/www.example.com/data$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
allow all;
}
}
"EOF"
vhosts-ssl.conf einrichten.
Bash
cat << "EOF" > /usr/local/etc/nginx/vhosts-ssl.conf
server {
listen 8443 default_server ssl http2;
server_name devnull.example.com;
error_log /data/www/vhosts/_default_/logs/nginx_ssl_error_log;
access_log /data/www/vhosts/_default_/logs/nginx_ssl_access_log combined;
ssl_certificate /usr/local/etc/letsencrypt/live/devnull.example.com/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/devnull.example.com/privkey.pem;
root /data/www/vhosts/_default_/data;
index index.html index.htm index.php;
include headers.conf;
add_header Public-Key-Pins "max-age=0; includeSubdomains"
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload"
add_header Expect-CT "max-age=0"
location / {
allow all;
}
include defaults.conf;
location ~ ^(.+\.phps?)(/.*)?$ {
fastcgi_pass unix:/var/run/fpm_www.sock;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.phps?)(/.*)?$;
fastcgi_param SCRIPT_FILENAME /data/www/vhosts/_default_/data$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
allow all;
}
}
server {
listen 8443 ssl http2;
server_name mail.example.com;
error_log /data/www/vhosts/mail.example.com/logs/nginx_ssl_error_log;
access_log /data/www/vhosts/mail.example.com/logs/nginx_ssl_access_log combined;
ssl_certificate /usr/local/etc/letsencrypt/live/mail.example.com/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/mail.example.com/privkey.pem;
root /data/www/vhosts/www.example.com/data;
index index.html index.htm index.php;
include headers.conf;
add_header Public-Key-Pins "max-age=0; includeSubdomains"
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload"
add_header Expect-CT "max-age=0"
location / {
allow all;
}
include defaults.conf;
location ~ ^(.+\.phps?)(/.*)?$ {
fastcgi_pass unix:/var/run/fpm_www.sock;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.phps?)(/.*)?$;
fastcgi_param SCRIPT_FILENAME /data/www/vhosts/mail.example.com/data$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
allow all;
}
}
server {
listen 8443 ssl http2;
server_name www.example.com;
error_log /data/www/vhosts/www.example.com/logs/nginx_ssl_error_log;
access_log /data/www/vhosts/www.example.com/logs/nginx_ssl_access_log combined;
ssl_certificate /usr/local/etc/letsencrypt/live/www.example.com/fullchain.pem;
ssl_certificate_key /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem;
root /data/www/vhosts/www.example.com/data;
index index.html index.htm index.php;
include headers.conf;
add_header Public-Key-Pins "max-age=0; includeSubdomains"
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload"
add_header Expect-CT "max-age=0"
location / {
allow all;
}
include defaults.conf;
location ~ ^(.+\.phps?)(/.*)?$ {
fastcgi_pass unix:/var/run/fpm_www.sock;
fastcgi_index index.php;
fastcgi_split_path_info ^(.+\.phps?)(/.*)?$;
fastcgi_param SCRIPT_FILENAME /data/www/vhosts/www.example.com/data$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
include fastcgi_params;
allow all;
}
}
"EOF"
defaults.conf und headers.conf einrichten.
Bash
cat << "EOF" > /usr/local/etc/nginx/defaults.conf
location ~* /?(.+/)*[\._] { return 403; }
location ~* /?\.well-known { allow all; }
"EOF"
cat << "EOF" > /usr/local/etc/nginx/headers.conf
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
# add_header Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Accept-Encoding"
add_header Access-Control-Allow-Origin "*";
add_header Access-Control-Max-Age "600";
add_header Content-Security-Policy "\
block-all-mixed-content; \
upgrade-insecure-requests; \
default-src 'self' 'unsafe-inline' https: data: blob: mediastream:; \
script-src 'self' 'unsafe-inline' 'unsafe-eval' https: blob: mediastream:; \
form-action 'self' https:; \
frame-ancestors 'self'; \
sandbox allow-forms allow-modals allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-same-origin allow-scripts allow-top-navigation"
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Timing-Allow-Origin "*";
add_header Upgrade-Insecure-Requests "1";
add_header X-Content-Type-Options "nosniff";
add_header X-DNS-Prefetch-Control "on";
add_header X-Download-Options "noopen";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Permitted-Cross-Domain-Policies "none";
add_header X-XSS-Protection "1; mode=block";
"EOF"
Abschluss¶
NGinx kann nun gestartet werden.
Bash
service nginx start