nginx.conf

# CoreModule
# <http://wiki.nginx.org/CoreModule>
user                    _nginx _nginx;
worker_processes        2;
#worker_cpu_affinity    0001 0010 0100 1000;
pid                     /var/run/nginx.pid;
 
 
# EventsModule
# <http://wiki.nginx.org/EventsModule>
events {
        #use                    epoll;
        worker_connections      1024;
}
 
 
http {
        # HttpCoreModule
        # <http://wiki.nginx.org/HttpCoreModule>
        include                 mime.types;
        default_type            application/octet-stream;
        keepalive_timeout       65 65;
        sendfile                on;
        # cache configuration
        open_file_cache                 off;
        open_file_cache_errors          off;
        open_file_cache_min_uses        1;
        open_file_cache_valid           60;
 
        # HttpCharsetModule
        # <http://wiki.nginx.org/HttpCharsetModule>
        charset                 utf-8;
 
        # LogModule
        # <http://wiki.nginx.org/HttpLogModule>
        # Caution: these are the global nginx logs, *not* the virtual hosts logs.
        # The default format for the access log is "combined".
        access_log              off;
        error_log               /var/log/nginx/error.log crit;  # HttpMainModule
        open_log_file_cache     off;
 
        # GzipModule
        # <http://wiki.nginx.org/HttpGzipModule>
        gzip                    on;
        gzip_buffers            256 4k;
        gzip_comp_level         1;
        gzip_disable            "msie6";
        gzip_http_version       1.1;
        gzip_min_length         0;
        gzip_proxied            off;
        gzip_types              text/plain text/xml
                                text/javascript application/x-javascript
                                text/css
                                application/atom+xml application/rss+xml;
        gzip_vary               off;
 
        # HttpHeadersModule
        # <http://wiki.nginx.org/HttpHeadersModule>
        expires                 4h;
 
        # AutoIndex
        autoindex on;
        autoindex_exact_size on;
        autoindex_localtime on;
 
        include default_vhost;
        include machine.name;
        include sites/virtual_host;
}

virtual_host

    # virtual_host
    # HTTP
    server {
        listen          80;
        server_name     virtual_host;
 
        access_log      /var/log/nginx/directory/virtual_host/access_log     combined;
        error_log       /var/log/nginx/directory/virtual_host/error_log      warn;
 
        ssl             off;
 
        location / {
                root    /var/nginx/directory/virtual_host;
                index   index.php index.html index.htm;
        }
 
        # PHP fastcgi
        # managed by spawn-fcgi on localhost:9003
        location ~ \.php$ {
                fastcgi_pass    127.0.0.1:9003;
                fastcgi_index   index.php;
                fastcgi_param   SCRIPT_FILENAME /var/nginx/directory/virtual_host$fastcgi_script_name;
                #fastcgi_param  HTTPS           on;
                include         fastcgi_params;
        }
 
        # Mailman
        # proxy to CGI managed by thttpd on localhost:8000
        location /listes/ {
                rewrite                 ^/listes/$      /listes/listinfo        last;
                proxy_pass              http://127.0.0.1:8000/;
                proxy_set_header        Host    $host;
                proxy_intercept_errors  on;
        }
        location /admin {
                proxy_pass              http://127.0.0.1:8000/admin;
                proxy_set_header        Host    $host;
                proxy_intercept_errors  on;
        }
        location /listes/images/mailman/ {
                alias   /usr/local/lib/mailman/icons/;
        }
        location /pipermail/ {
                alias   /usr/local/lib/mailman/archives/public/;
        }
 
        # protecting the Dokuwiki internal data directories
        location ~ /wiki/(data|conf|bin|inc)/ {
                deny all;
        }
 
        # protecting the Dokuwiki internal data directories
        location ~ /random/wiki/(data|conf|bin|inc)/ {
                deny all;
        }
 
        # protecting the Dokuwiki internal data directories
        location ~ /load/wiki/(data|conf|bin|inc)/ {
                deny all;
        }
 
        location ~ /\.ht {
                deny    all;
        }
    }
 
    # virtual_host
    # HTTPS
    server {
        listen          443;
        server_name     virtual_host;
 
        access_log      /var/log/nginx/directory/virtual_host/access_log     combined;
        error_log       /var/log/nginx/directory/virtual_host/error_log      warn;
 
        ssl                             on;
        ssl_certificate                 /etc/ssl/virtual_host.crt;
        ssl_certificate_key             /etc/ssl/private/virtual_host.key;
        ssl_session_timeout             5m;
        ssl_protocols                   TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers                     HIGH:!ADH:!AECDH:!PSK:!3DES:!MD5;
        ssl_prefer_server_ciphers       on;
        ssl_session_cache               shared:SSLcachevhost:1m;
 
        location / {
                root    /var/nginx/directory/virtual_host;
                index   index.php index.html index.htm;
        }
 
        # PHP fastcgi
        # managed by spawn-fcgi on localhost:9003
        location ~ \.php$ {
                fastcgi_pass    127.0.0.1:9003;
                fastcgi_index   index.php;
                fastcgi_param   SCRIPT_FILENAME /var/nginx/directory/virtual_host$fastcgi_script_name;
                fastcgi_param   HTTPS           on;
                include         fastcgi_params;
        }
 
        # Mailman
        # proxy to CGI managed by thttpd on localhost:8000
        location /listes/ {
                rewrite                 ^/listes/$      /listes/listinfo        last;
                proxy_pass              http://127.0.0.1:8000/;
                proxy_set_header        Host    $host;
                proxy_intercept_errors  on;
        }
        location /admin {
                proxy_pass              http://127.0.0.1:8000/admin;
                proxy_set_header        Host    $host;
                proxy_intercept_errors  on;
        }
        location /listes/images/mailman/ {
                alias   /usr/local/lib/mailman/icons/;
        }
        location /pipermail/ {
                alias   /usr/local/lib/mailman/archives/public/;
        }
 
        # protecting the Dokuwiki internal data directories
        location ~ /wiki/(data|conf|bin|inc)/ {
                deny all;
        }
 
        # protecting the Dokuwiki internal data directories
        location ~ /random/wiki/(data|conf|bin|inc)/ {
                deny all;
        }
 
        location ~ /\.ht {
                deny    all;
        }
    }

blah

• http://wiki.nginx.org/HttpSslModule ;
• http://nginx.org/en/docs/http/configuring_https_servers.html ;
• https://wiki.mozilla.org/Security/Server_Side_TLS ;
• http://www.hybridforge.com/blog/nginx-ssl-ciphers-and-pci-compliance ;
• https://www.ssllabs.com/ssltest/analyze.html?d=www.mouet-mouet.net ;
• https://community.qualys.com/blogs/securitylabs/2013/06/25/ssl-labs-deploying-forward-secrecy ;
• http://www.mare-system.de/guide-to-nginx-ssl-spdy-hsts/ ;
• https://jve.linuxwall.info/blog/index.php?post/2013/10/12/A-grade-SSL/TLS-with-Nginx-and-StartSSL ;
• https://bettercrypto.org/static/applied-crypto-hardening.pdf ;
• http://ibuildings.nl/blog/2013/03/4-http-security-headers-you-should-always-be-using ;
• http://en.wikipedia.org/wiki/Transport_Layer_Security ;
• http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/ ;
• https://www.imperialviolet.org/2010/12/04/ecc.html ;
• etc.

Rotation des logs :

grep "/2013:" access_log > access_log_2013 && \
grep "/2014:" access_log > access_log_2014 && \
rm -rf access_log && \
mv access_log_2014 access_log &&\
gzip access_log_2013 && \
grep "^2013/" error_log > error_log_2013 && \
grep "^2014/" error_log > error_log_2014 && \
rm -rf error_log && \
mv error_log_2014 error_log && \
gzip error_log_2013

• site web officiel :
• Wikipedia :
• etc.