Enhancements to the nginx configuration

apache/.htaccess

@@ -80,49 +80,52 @@
 # Proper MIME type for all files
 # ----------------------------------------------------------------------
 
-# JavaScript
-#   Normalize to standard type (it's sniffed in IE anyways)
-#   tools.ietf.org/html/rfc4329#section-7.2
-AddType application/javascript         js jsonp
-AddType application/json               json
-
-# Audio
-AddType audio/mp4                      m4a f4a f4b
-AddType audio/ogg                      oga ogg
-
-# Video
-AddType video/mp4                      mp4 m4v f4v f4p
-AddType video/ogg                      ogv
-AddType video/webm                     webm
-AddType video/x-flv                    flv
-
-# SVG
-#   Required for svg webfonts on iPad
-#   twitter.com/FontSquirrel/status/14855840545
-AddType     image/svg+xml              svg svgz
-AddEncoding gzip                       svgz
-
-# Webfonts
-AddType application/font-woff          woff
-AddType application/vnd.ms-fontobject  eot
-AddType application/x-font-ttf         ttf ttc
-AddType font/opentype                  otf
-
-# Assorted types
-AddType application/octet-stream            safariextz
-AddType application/x-chrome-extension      crx
-AddType application/x-opera-extension       oex
-AddType application/x-shockwave-flash       swf
-AddType application/x-web-app-manifest+json webapp
-AddType application/x-xpinstall             xpi
-AddType application/xml                     rss atom xml rdf
-AddType image/webp                          webp
-AddType image/x-icon                        ico
-AddType text/cache-manifest                 appcache manifest
-AddType text/vtt                            vtt
-AddType text/x-component                    htc
-AddType text/x-vcard                        vcf
+<IfModule mod_mime.c>
+
+  # JavaScript
+  #   Normalize to standard type (it's sniffed in IE anyways)
+  #   tools.ietf.org/html/rfc4329#section-7.2
+  AddType application/javascript                js jsonp
+  AddType application/json                      json
+
+  # Audio
+  AddType audio/mp4                             m4a f4a f4b
+  AddType audio/ogg                             oga ogg
+
+  # Video
+  AddType video/mp4                             mp4 m4v f4v f4p
+  AddType video/ogg                             ogv
+  AddType video/webm                            webm
+  AddType video/x-flv                           flv
+
+  # SVG
+  #   Required for svg webfonts on iPad
+  #   twitter.com/FontSquirrel/status/14855840545
+  AddType     image/svg+xml                     svg svgz
+  AddEncoding gzip                              svgz
+
+  # Webfonts
+  AddType application/font-woff                 woff
+  AddType application/vnd.ms-fontobject         eot
+  AddType application/x-font-ttf                ttf ttc
+  AddType font/opentype                         otf
+
+  # Assorted types
+  AddType application/octet-stream              safariextz
+  AddType application/x-chrome-extension        crx
+  AddType application/x-opera-extension         oex
+  AddType application/x-shockwave-flash         swf
+  AddType application/x-web-app-manifest+json   webapp
+  AddType application/x-xpinstall               xpi
+  AddType application/xml                       rss atom xml rdf
+  AddType image/webp                            webp
+  AddType image/x-icon                          ico
+  AddType text/cache-manifest                   appcache manifest
+  AddType text/vtt                              vtt
+  AddType text/x-component                      htc
+  AddType text/x-vcard                          vcf
 
+</IfModule>
 
 # ----------------------------------------------------------------------
 # Allow concatenation from within specific js and css files
@@ -459,7 +462,9 @@ ErrorDocument 404 /404.html
 AddDefaultCharset utf-8
 
 # Force UTF-8 for a number of file formats
-AddCharset utf-8 .atom .css .js .json .rss .vtt .xml
+<IfModule mod_mime.c>
+    AddCharset utf-8 .atom .css .js .json .rss .vtt .xml
+</IfModule>
 
 
 # ----------------------------------------------------------------------

iis/README.md

@@ -125,7 +125,7 @@ Required for SVG Webfonts on iPad.
 ```xml
 <remove fileExtension=".eot" />
 <mimeMap fileExtension=".eot" mimeType="application/vnd.ms-fontobject" />
-<mimeMap fileExtension=".otf" mimeType="font/otf" />
+<mimeMap fileExtension=".otf" mimeType="font/opentype" />
 <mimeMap fileExtension=".woff" mimeType="application/font-woff" />
 ```
 

iis/dotnet 3/web.config

@@ -136,7 +136,7 @@
             <remove fileExtension=".ttc" />
             <mimeMap fileExtension=".ttc" mimeType="application/x-font-ttf" />
             <remove fileExtension=".otf" />
-            <mimeMap fileExtension=".otf" mimeType="font/otf" />
+            <mimeMap fileExtension=".otf" mimeType="font/opentype" />
             <remove fileExtension=".woff" />
             <mimeMap fileExtension=".woff" mimeType="application/font-woff" />
             <remove fileExtension=".crx" />

iis/dotnet 4/mvc4 & mvc4api/web.config

@@ -116,7 +116,7 @@
             <remove fileExtension=".ttc" />
             <mimeMap fileExtension=".ttc" mimeType="application/x-font-ttf" />
             <remove fileExtension=".otf" />
-            <mimeMap fileExtension=".otf" mimeType="font/otf" />
+            <mimeMap fileExtension=".otf" mimeType="font/opentype" />
             <remove fileExtension=".woff" />
             <mimeMap fileExtension=".woff" mimeType="application/font-woff" />
             <remove fileExtension=".crx" />

iis/dotnet 4/webforms/web.config

@@ -98,7 +98,7 @@
             <remove fileExtension=".ttc" />
             <mimeMap fileExtension=".ttc" mimeType="application/x-font-ttf" />
             <remove fileExtension=".otf" />
-            <mimeMap fileExtension=".otf" mimeType="font/otf" />
+            <mimeMap fileExtension=".otf" mimeType="font/opentype" />
             <remove fileExtension=".woff" />
             <mimeMap fileExtension=".woff" mimeType="application/font-woff" />
             <remove fileExtension=".crx" />

lighttpd/lighttpd.conf

@@ -53,6 +53,9 @@ compress.filetype          = (
 	"application/xml", 
 	"application/xml-rss", 
 	"text/x-component",
+        "application/vnd.ms-fontobject",
+        "application/x-font-ttf",
+        "font/opentype",
 )
 
 # files to check for if .../ is requested
@@ -124,6 +127,11 @@ mimetype.assign             = (
   ".bz2"          =>      "application/x-bzip",
   ".tbz"          =>      "application/x-bzip-compressed-tar",
   ".tar.bz2"      =>      "application/x-bzip-compressed-tar",
+  ".woff"         =>      "application/font-woff",
+  ".eot"          =>      "application/vnd.ms-fontobject",
+  ".ttf"          =>      "application/x-font-ttf",
+  ".ttc"          =>      "application/x-font-ttf",
+  ".otf"          =>      "font/opentype",
 
 
 

nginx/conf/block-bad-guys.conf

@@ -0,0 +1,6 @@
+# Denies access for website scrapers and email harvesters and other bad guys.
+# This rule tells Nginx to drop the connection without even sending any headers.
+# Include it in your server{} block.
+if ($is_bad_guy = 1) {
+    return 444;
+}

nginx/conf/cache-busting.conf

@@ -5,6 +5,6 @@
 # Read also this: github.com/h5bp/html5-boilerplate/wiki/cachebusting
 # This is not included by default, because it'd be better if you use the build
 # script to manage the file names.
-location ~* (.+)\.(\d+)\.(js|css|png|jpg|jpeg|gif)$ {
-   try_files $uri $1.$3;
+location ~* (.+)\.(?:\d+)\.(js|css|png|jpg|jpeg|gif)$ {
+   try_files $uri $1.$2;
 }

nginx/conf/cache-file-descriptors.conf

@@ -0,0 +1,19 @@
+# This tells Nginx to cache open file handles, "not found" errors, metadata about files and their permissions, etc.
+#
+# The upside of this is that Nginx can immediately begin sending data when a popular file is requested,
+# and will also know to immediately send a 404 if a file is missing on disk, and so on.
+#
+# However, it also means that the server won't react immediately to changes on disk, which may be undesirable.
+#
+# In the below configuration, inactive files are released from the cache after 20 seconds, whereas
+# active (recently requested) files are re-validated every 30 seconds.
+#
+# Descriptors will not be cached unless they are used at least 2 times within 20 seconds (the inactive time).
+#
+# A maximum of the 1000 most recently used file descriptors can be cached at any time.
+#
+# Production servers with stable file collections will definitely want to enable the cache.
+open_file_cache          max=1000 inactive=20s;
+open_file_cache_valid    30s;
+open_file_cache_min_uses 2;
+open_file_cache_errors   on;

nginx/conf/cross-domain-fonts.conf

@@ -1,5 +1,5 @@
 # Cross domain webfont access
-location ~* \.(ttf|ttc|otf|eot|woff|font.css)$ {
+location ~* \.(?:ttf|ttc|otf|eot|woff|font.css)$ {
     add_header "Access-Control-Allow-Origin" "*";
 
     # Also, set cache rules for webfonts.

nginx/conf/dont-log-common-404.conf

@@ -0,0 +1,6 @@
+# Avoids filling up the error logs with commonly requested files.
+# Note that if you have a custom 404 page, the request may be logged anyway.
+location = /robots.txt { log_not_found off; }
+location = /favicon.ico { log_not_found off; }
+location = /apple-touch-icon.png { log_not_found off; }
+location = /apple-touch-icon-precomposed.png { log_not_found off; }

nginx/conf/expires.conf

@@ -9,7 +9,7 @@
 # default expire rule with nginx unless your site is completely static
 
 # cache.appcache, your document html and data
-location ~* \.(?:manifest|appcache|html|xml|json)$ {
+location ~* \.(?:manifest|appcache|html|htm|xml|json)$ {
   expires -1;
   access_log logs/static.log;
 }
@@ -20,15 +20,8 @@ location ~* \.(?:rss|atom)$ {
   add_header Cache-Control "public";
 }
 
-# Favicon
-location ~* \.ico$ {
-  expires 1w;
-  access_log off;
-  add_header Cache-Control "public";
-}
-
-# Media: images, video, audio, HTC
-location ~* \.(?:jpg|jpeg|gif|png|ico|gz|svg|svgz|mp4|ogg|ogv|webm)$ {
+# Media: images, icons, video, audio, HTC
+location ~* \.(?:jpg|jpeg|gif|png|ico|gz|svg|svgz|mp4|ogg|ogv|webm|htc)$ {
   expires 1M;
   access_log off;
   add_header Cache-Control "public";
@@ -43,7 +36,7 @@ location ~* \.(?:css|js)$ {
 
 # WebFonts
 # If you are NOT using cross-domain-fonts.conf, uncomment the following directive
-# location ~* \.(ttf|ttc|otf|eot|woff|font.css)$ {
+# location ~* \.(?:ttf|ttc|otf|eot|woff|font.css)$ {
 #  expires 1M;
 #  access_log off;
 #  add_header Cache-Control "public";

nginx/conf/h5bp.conf

@@ -4,3 +4,4 @@ include conf/expires.conf;
 include conf/x-ua-compatible.conf;
 include conf/cross-domain-fonts.conf;
 include conf/protect-system-files.conf;
+include conf/dont-log-common-404.conf;

nginx/conf/http-block-invalid-host.conf

@@ -0,0 +1,19 @@
+# Drops the connection if the client doesn't specify a valid Host header.
+# This disables HTTP/1.0 without Host, and HTTP/1.1 with any invalid Host.
+# The end result is that you cloak your server from random IP probing.
+#
+# Also note that the listen-lines below must match the specificity of the
+# servers. In case your servers bind by explicit IP, you must add matching
+# listen-lines below to explicitly listen to those IP addresses, otherwise
+# this won't catch any requests coming in on that network adapter.
+#
+# And finally, you should never define any other server as the default, since
+# that is what makes a server handle requests for invalid/missing hostnames.
+#
+# Note: It is NOT possible to extend the block to HTTPS (port 443).
+# Attempting to do so would cause all SSL connections to fail.
+server {
+    listen       80 default_server;
+    server_name  "";
+    return       444;
+}

nginx/conf/http-identify-bad-guys.conf

@@ -0,0 +1,29 @@
+# Looks for common abusive programs and sets $is_bad_guy to 1 if found.
+# Used by including the separate "block-bad-guys.conf" in server-blocks.
+#
+# OFFLINE BROWSERS (only the most popular ones because they aren't much to worry about apart from the bandwidth abuse)
+#   HTTrack / WinHTTrack (almost everyone uses this; available for Windows/Mac/Linux)
+#   SurfOffline (caught by the Offline-rule)
+#   BackStreet Browser (often recommended in discussions, caught by the BackStreet-rule)
+#   A1 Website Download (caught by the Website Download-rule)
+#   WebZIP
+#   WebCopier (Windows/Mac/Linux)
+#   SiteSucker (the most popular Mac website downloader)
+#   * Note: we do not block curl or wget, because visitors have legitimate reasons to use them, even though wget can be used to mirror a site
+# SCRIPTING LIBRARIES (these are often used by malware / vulnerability scanners written in scripting languages, especially libwww-perl)
+#   Perl:
+#     libwww-perl (don't block libwww itself because some legitimate browsers use it)
+#     LWP::simple
+#   PHP:
+#     PHP/
+#   Python:
+#     Python
+#     PycURL
+#     urllib
+# GENERIC BADDIES (email harvesters and so on):
+#   email (lots of email harvesters contain this in their user agent)
+#   extract (products such as website extractor and various email extractors)
+map $http_user_agent $is_bad_guy {
+    default 0;
+    ~*(?:HTTrack|Offline|BackStreet|Website\ Download|WebZIP|WebCopier|SiteSucker|libwww-perl|LWP::simple|PHP\/|Python|PycURL|urllib|email|extract) 1;
+}

nginx/conf/protect-system-files.conf

@@ -1,9 +1,10 @@
 # Prevent clients from accessing hidden files (starting with a dot)
-location ~* (^|/)\. {
-    return 403;
+# This is particularly important if you store .htpasswd files in the site hierarchy
+location ~* (?:^|/)\. {
+    deny all;
 }
 
 # Prevent clients from accessing to backup/config/source files
-location ~* (\.(bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
-    return 403;
+location ~* (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
+    deny all;
 }

nginx/mime.types

@@ -86,7 +86,7 @@ types {
   application/font-woff                 woff;
   application/vnd.ms-fontobject         eot;
   application/x-font-ttf                ttf ttc;
-  application/x-font-opentype           otf;
+  font/opentype                         otf; # not a valid IANA type but required for Google Chrome
 
   # Microsoft Office
   application/msword                                                         doc;