nginx: source: opts: {} service: enable: True opts: {} server: config: events: worker_connections: 1024 http: sendfile: 'on' aio: 'on' directio: 4m keepalive_timeout: 65 gzip: 'on' gzip_proxied: 'any' gzip_types: '*' gzip_vary: 'on' charset: utf-8 charset_types: text/xml text/plain application/javascript application/rss+xml server_tokens: 'off' etag: 'on' ssi: 'on' include: - /etc/nginx/mime.types - /etc/nginx/conf.d/*.conf - /etc/nginx/sites-enabled/* snippets: security_headers: # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security - add_header: Strict-Transport-Security "max-age=31536000" # Tell browsers not to render the page inside a frame, and avoid clickjacking. - add_header: X-Frame-Options SAMEORIGIN # Tell browsers to not try to auto-detect the Content-Type. - add_header: X-Content-Type-Options nosniff # Enable the Cross-site scripting filter in most recent browsers. # Normally enabled by default, but enable it anyway if user has disabled it. - add_header: X-XSS-Protection "1; mode=block" - add_header: Referrer-Policy same-origin - add_header: Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'" servers: managed_opts: require_in: - file: nginx_server_available_dir symlink_opts: require_in: - file: nginx_server_enabled_dir dir_opts: clean: 'on' # vim: ft=yaml et ts=2 sts=2 sw=2: