angie-conv-image/angie/j2cfg.dist/00-defaults.yml.j2

cache_bypass:
- '$http_authorization'
- '$http_pragma'
- '$http_upgrade'

compress_types:
- application/atom+xml
- application/javascript
- application/json
- application/vnd.api+json
- application/rss+xml
- application/x-javascript
- application/xhtml+xml
- application/xml
- image/svg+xml
- image/x-icon
- text/css
- text/javascript
- text/plain
- text/xml

request_headers:
{% if env.NGX_HTTP_TRANSPARENT_PROXY == '0' %}
  Host: '$proxy_host'
  X-Real-IP: '$remote_addr'
  ## '$proxy_add_forwarded' is defined in /angie/autoconf.dist/http-request-headers-forwarded.conf
  Forwarded: '$proxy_add_forwarded'
{% elif env.NGX_HTTP_TRANSPARENT_PROXY == '1' %}
  Host: '$host'
  X-Real-IP: ''
  Forwarded: ''
{% endif %}

request_headers:
  ## do not pass Accept-Encoding to backend
  Accept-Encoding: ""
  ## '$req_accept' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
  Accept: '$req_accept'
  ## '$req_connection' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
  Connection: '$req_connection'
  Upgrade: '$http_upgrade'
  Early-Data: '$ssl_early_data'
  ## '$req_user_agent' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
  User-Agent: '$req_user_agent'
{% if env.NGX_HTTP_X_FORWARDED == 'pass' %}
  X-Forwarded-Proto: '$scheme'
  X-Forwarded-Host: '$host'
  X-Forwarded-Port: '$server_port'
  X-Forwarded-For: '$proxy_add_x_forwarded_for'
{% elif env.NGX_HTTP_X_FORWARDED == 'remove' %}
  X-Forwarded-Proto: ''
  X-Forwarded-Host: ''
  X-Forwarded-Port: ''
  X-Forwarded-For: ''
{% endif %}

response_headers:
{% if env.NGX_HTTP_TRANSPARENT_PROXY == '0' %}
  Permissions-Policy: "accelerometer=(), autoplay=(), browsing-topics=(), camera=(), clipboard-read=(), clipboard-write=(), geolocation=(), gyroscope=(), hid=(), interest-cohort=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=()"
  Referrer-Policy: "no-referrer-when-downgrade"
  Strict-Transport-Security: "max-age=15724800; includeSubDomains; preload"
  X-Content-Type-Options: "nosniff"
  X-Frame-Options: "SAMEORIGIN"
  X-XSS-Protection: "1; mode=block"
{% endif %}

tls:
  ## https://docs.openssl.org/3.0/man3/SSL_CONF_cmd/#supported-configuration-file-commands
  conf_cmd:
    Options: PrioritizeChaCha
  stapling:
    enable: false
    verify: true
  profiles:
    modern:
      protocols: TLSv1.3
     #prefer_server_ciphers: off
      session_tickets: off
      session_timeout: 1d
    intermediate:
      protocols: TLSv1.2 TLSv1.3
     #prefer_server_ciphers: off
      ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
      dhparam: tls.d/ffdhe2048.pem
      session_tickets: off
      session_timeout: 1d
    old:
      protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
      prefer_server_ciphers: on
      ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
      dhparam: tls.d/dh1024.pem
      session_tickets: off
      session_timeout: 1d
initial commit 2024-09-17 14:11:00 +03:00			`cache_bypass:`
			`- '$http_authorization'`
			`- '$http_pragma'`
			`- '$http_upgrade'`

			`compress_types:`
			`- application/atom+xml`
			`- application/javascript`
			`- application/json`
			`- application/vnd.api+json`
			`- application/rss+xml`
			`- application/x-javascript`
			`- application/xhtml+xml`
			`- application/xml`
			`- image/svg+xml`
			`- image/x-icon`
			`- text/css`
			`- text/javascript`
			`- text/plain`
			`- text/xml`

			`request_headers:`
			`{% if env.NGX_HTTP_TRANSPARENT_PROXY == '0' %}`
			`Host: '$proxy_host'`
			`X-Real-IP: '$remote_addr'`
			`## '$proxy_add_forwarded' is defined in /angie/autoconf.dist/http-request-headers-forwarded.conf`
			`Forwarded: '$proxy_add_forwarded'`
			`{% elif env.NGX_HTTP_TRANSPARENT_PROXY == '1' %}`
			`Host: '$host'`
			`X-Real-IP: ''`
			`Forwarded: ''`
			`{% endif %}`

			`request_headers:`
			`## do not pass Accept-Encoding to backend`
			`Accept-Encoding: ""`
			`## '$req_accept' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2`
			`Accept: '$req_accept'`
			`## '$req_connection' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2`
			`Connection: '$req_connection'`
			`Upgrade: '$http_upgrade'`
			`Early-Data: '$ssl_early_data'`
			`## '$req_user_agent' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2`
			`User-Agent: '$req_user_agent'`
			`{% if env.NGX_HTTP_X_FORWARDED == 'pass' %}`
			`X-Forwarded-Proto: '$scheme'`
			`X-Forwarded-Host: '$host'`
			`X-Forwarded-Port: '$server_port'`
			`X-Forwarded-For: '$proxy_add_x_forwarded_for'`
			`{% elif env.NGX_HTTP_X_FORWARDED == 'remove' %}`
			`X-Forwarded-Proto: ''`
			`X-Forwarded-Host: ''`
			`X-Forwarded-Port: ''`
			`X-Forwarded-For: ''`
			`{% endif %}`

			`response_headers:`
			`{% if env.NGX_HTTP_TRANSPARENT_PROXY == '0' %}`
			`Permissions-Policy: "accelerometer=(), autoplay=(), browsing-topics=(), camera=(), clipboard-read=(), clipboard-write=(), geolocation=(), gyroscope=(), hid=(), interest-cohort=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=()"`
			`Referrer-Policy: "no-referrer-when-downgrade"`
			`Strict-Transport-Security: "max-age=15724800; includeSubDomains; preload"`
			`X-Content-Type-Options: "nosniff"`
			`X-Frame-Options: "SAMEORIGIN"`
			`X-XSS-Protection: "1; mode=block"`
			`{% endif %}`

			`tls:`
			`## https://docs.openssl.org/3.0/man3/SSL_CONF_cmd/#supported-configuration-file-commands`
			`conf_cmd:`
			`Options: PrioritizeChaCha`
			`stapling:`
			`enable: false`
			`verify: true`
			`profiles:`
			`modern:`
			`protocols: TLSv1.3`
angie: adjust SSL configuration 2024-09-20 22:51:30 +03:00			`#prefer_server_ciphers: off`
			`session_tickets: off`
initial commit 2024-09-17 14:11:00 +03:00			`session_timeout: 1d`
			`intermediate:`
			`protocols: TLSv1.2 TLSv1.3`
angie: adjust SSL configuration 2024-09-20 22:51:30 +03:00			`#prefer_server_ciphers: off`
initial commit 2024-09-17 14:11:00 +03:00			`ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305`
angie: adjust SSL configuration 2024-09-20 22:51:30 +03:00			`dhparam: tls.d/ffdhe2048.pem`
			`session_tickets: off`
initial commit 2024-09-17 14:11:00 +03:00			`session_timeout: 1d`
			`old:`
			`protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3`
angie: adjust SSL configuration 2024-09-20 22:51:30 +03:00			`prefer_server_ciphers: on`
initial commit 2024-09-17 14:11:00 +03:00			ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
angie: adjust SSL configuration 2024-09-20 22:51:30 +03:00			`dhparam: tls.d/dh1024.pem`
			`session_tickets: off`
initial commit 2024-09-17 14:11:00 +03:00			`session_timeout: 1d`