cache_bypass: - '$http_authorization' - '$http_pragma' - '$http_upgrade' compress_types: - application/atom+xml - application/javascript - application/json - application/vnd.api+json - application/rss+xml - application/x-javascript - application/xhtml+xml - application/xml - image/svg+xml - image/x-icon - text/css - text/javascript - text/plain - text/xml request_headers: {% if env.NGX_HTTP_TRANSPARENT_PROXY == '0' %} Host: '$proxy_host' X-Real-IP: '$remote_addr' ## '$proxy_add_forwarded' is defined in /angie/autoconf.dist/http-request-headers-forwarded.conf Forwarded: '$proxy_add_forwarded' {% elif env.NGX_HTTP_TRANSPARENT_PROXY == '1' %} Host: '$host' X-Real-IP: '' Forwarded: '' {% endif %} request_headers: ## do not pass Accept-Encoding to backend Accept-Encoding: "" ## '$req_accept' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2 Accept: '$req_accept' ## '$req_connection' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2 Connection: '$req_connection' Upgrade: '$http_upgrade' Early-Data: '$ssl_early_data' ## '$req_user_agent' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2 User-Agent: '$req_user_agent' {% if env.NGX_HTTP_X_FORWARDED == 'pass' %} X-Forwarded-Proto: '$scheme' X-Forwarded-Host: '$host' X-Forwarded-Port: '$server_port' X-Forwarded-For: '$proxy_add_x_forwarded_for' {% elif env.NGX_HTTP_X_FORWARDED == 'remove' %} X-Forwarded-Proto: '' X-Forwarded-Host: '' X-Forwarded-Port: '' X-Forwarded-For: '' {% endif %} response_headers: {% if env.NGX_HTTP_TRANSPARENT_PROXY == '0' %} Permissions-Policy: "accelerometer=(), autoplay=(), browsing-topics=(), camera=(), clipboard-read=(), clipboard-write=(), geolocation=(), gyroscope=(), hid=(), interest-cohort=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=()" Referrer-Policy: "no-referrer-when-downgrade" Strict-Transport-Security: "max-age=15724800; includeSubDomains; preload" X-Content-Type-Options: "nosniff" X-Frame-Options: "SAMEORIGIN" X-XSS-Protection: "1; mode=block" {% endif %} tls: ## https://docs.openssl.org/3.0/man3/SSL_CONF_cmd/#supported-configuration-file-commands conf_cmd: Options: PrioritizeChaCha stapling: enable: false verify: true profiles: modern: protocols: TLSv1.3 #prefer_server_ciphers: false session_tickets: false session_timeout: 1d intermediate: protocols: TLSv1.2 TLSv1.3 #prefer_server_ciphers: false ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305 dhparam: /etc/angie/tls.d/ffdhe2048.pem session_tickets: false session_timeout: 1d old: protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 prefer_server_ciphers: true ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA dhparam: /etc/angie/tls.d/dh1024.pem session_tickets: false session_timeout: 1d