1
0
angie-conv-image/angie/j2cfg.dist/00-defaults.yml.j2

92 lines
3.6 KiB
Django/Jinja

cache_bypass:
- '$http_authorization'
- '$http_pragma'
- '$http_upgrade'
compress_types:
- application/atom+xml
- application/javascript
- application/json
- application/vnd.api+json
- application/rss+xml
- application/x-javascript
- application/xhtml+xml
- application/xml
- image/svg+xml
- image/x-icon
- text/css
- text/javascript
- text/plain
- text/xml
request_headers:
## '$req_connection' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
Connection: '$req_connection'
Upgrade: '$http_upgrade'
Early-Data: '$ssl_early_data'
{% if env.NGX_HTTP_TRANSPARENT_PROXY == '0' %}
Host: '$proxy_host'
X-Real-IP: '$remote_addr'
## '$proxy_add_forwarded' is defined in /angie/autoconf.dist/http-request-headers-forwarded.conf
Forwarded: '$proxy_add_forwarded'
## do not pass Accept-Encoding to backend
Accept-Encoding: ""
## '$req_accept' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
Accept: '$req_accept'
## '$req_user_agent' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
User-Agent: '$req_user_agent'
{% elif env.NGX_HTTP_TRANSPARENT_PROXY == '1' %}
Host: '$host'
X-Real-IP: ''
Forwarded: ''
{% endif %}
{% if env.NGX_HTTP_X_FORWARDED == 'pass' %}
X-Forwarded-Proto: '$scheme'
X-Forwarded-Host: '$host'
X-Forwarded-Port: '$server_port'
X-Forwarded-For: '$proxy_add_x_forwarded_for'
{% elif env.NGX_HTTP_X_FORWARDED == 'remove' %}
X-Forwarded-Proto: ''
X-Forwarded-Host: ''
X-Forwarded-Port: ''
X-Forwarded-For: ''
{% endif %}
response_headers:
{% if env.NGX_HTTP_TRANSPARENT_PROXY == '0' %}
Permissions-Policy: "accelerometer=(), autoplay=(), browsing-topics=(), camera=(), clipboard-read=(), clipboard-write=(), geolocation=(), gyroscope=(), hid=(), interest-cohort=(), magnetometer=(), microphone=(), payment=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), usb=()"
Referrer-Policy: "no-referrer-when-downgrade"
Strict-Transport-Security: "max-age=15724800; includeSubDomains; preload"
X-Content-Type-Options: "nosniff"
X-Frame-Options: "SAMEORIGIN"
X-XSS-Protection: "1; mode=block"
{% endif %}
tls:
## https://docs.openssl.org/3.0/man3/SSL_CONF_cmd/#supported-configuration-file-commands
conf_cmd:
Options: PrioritizeChaCha
stapling:
enable: false
verify: true
profiles:
modern:
protocols: TLSv1.3
#prefer_server_ciphers: off
session_tickets: off
session_timeout: 1d
intermediate:
protocols: TLSv1.2 TLSv1.3
#prefer_server_ciphers: off
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
dhparam: tls.d/ffdhe2048.pem
session_tickets: off
session_timeout: 1d
old:
protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
prefer_server_ciphers: on
ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
dhparam: tls.d/dh1024.pem
session_tickets: off
session_timeout: 1d