Added ubi9 and ubi9-micro nginx image

Dockerfile.alpine

@@ -1,18 +1,26 @@
+# 1.22.1 Alpine 3.17
+# 1.24.0 Alpine 3.19
+# 1.26.2 Alpine 3.21
 ARG REGISTRY_URL=git.winteraccess.id/docker
-ARG ALPINE_VERSION=3.20
+ARG ALPINE_VERSION=3.21
 
 FROM ${REGISTRY_URL}/alpine:${ALPINE_VERSION}
 LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
 
+USER root
+
 WORKDIR /app
 
+# Add nginx user and group
+RUN addgroup -g 10001 nginx && adduser -D -u 10001 -G nginx -s /sbin/nologin -h /app nginx
+
 # INSTALL WGET AND REQUIRED BUILD TOOLS
 RUN --mount=type=cache,target=/var/cache/apk \
     apk update && apk upgrade && apk add \
     nginx nginx-mod-http-naxsi
 
 # COPY CONFIGURATION FILES
-ADD ./etc/nginx/nginx.conf /etc/nginx/
+ADD ./etc/nginx/nginx-rootless.conf /etc/nginx/nginx.conf
 ADD ./etc/nginx/naxsi_core.rules /etc/nginx/
 ADD ./etc/nginx/proxy_params /etc/nginx/
 ADD ./etc/nginx/ssl_params /etc/nginx/
@@ -20,10 +28,15 @@ ADD ./etc/nginx/conf.d /etc/nginx/conf.d
 
 ADD ./app .
 
+RUN chown -R nginx:nginx /app && \
+    chown -R nginx:nginx /var/lib/nginx
+
 # CLEAR CACHE
 RUN apk del curl && \
     rm -rf /var/cache/apk/*
 
+USER nginx
+
 CMD ["nginx"]
 
 EXPOSE 80

Dockerfile.alpine-rootless

@@ -1,37 +0,0 @@
-ARG REGISTRY_URL=git.winteraccess.id/docker
-ARG ALPINE_VERSION=3.20
-
-FROM ${REGISTRY_URL}/alpine:${ALPINE_VERSION}
-LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
-
-WORKDIR /app
-
-# ADD USER
-RUN addgroup -g 10001 nginx && adduser -D -u 10001 -G nginx -s /sbin/nologin -h /app nginx
-
-# INSTALL WGET AND REQUIRED BUILD TOOLS
-RUN --mount=type=cache,target=/var/cache/apk \
-    apk update && apk upgrade && apk add \
-    nginx nginx-mod-http-naxsi
-
-# COPY CONFIGURATION FILES
-ADD ./etc/nginx/nginx-rootless.conf /etc/nginx/nginx.conf
-ADD ./etc/nginx/naxsi_core.rules /etc/nginx/
-ADD ./etc/nginx/proxy_params /etc/nginx/
-ADD ./etc/nginx/ssl_params /etc/nginx/
-ADD ./etc/nginx/conf.d /etc/nginx/conf.d
-
-ADD ./app .
-
-RUN chown -R nginx:nginx /app && \
-    chown -R nginx:nginx /var/lib/nginx
-
-# CLEAR CACHE
-RUN apk del curl && \
-    rm -rf /var/cache/apk/*
-
-USER nginx
-
-CMD ["nginx"]
-
-EXPOSE 80

Dockerfile.ubi9

@@ -0,0 +1,37 @@
+ARG REGISTRY_URL=docker.io/aprimediet
+ARG UBI_VERSION=9.5
+
+FROM ${REGISTRY_URL}/ubi9:${UBI_VERSION} AS builder
+LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
+
+ARG NGINX_VERSION=1.24
+
+USER root
+
+# Add group and user nginx
+RUN groupadd -g 10001 nginx && \
+    useradd -u 10001 -g 10001 -m -d /app -s /sbin/nologin nginx && \
+    mkdir -p /var/run/nginx && \
+    chown nginx:nginx /var/run/nginx
+
+# Update packages, configure nginx version
+# and install nginx
+RUN dnf -y update && \
+    dnf -y module reset nginx && \
+    dnf -y module enable nginx:${NGINX_VERSION} && \
+    dnf -y install nginx && \
+    dnf -y autoremove && \
+    dnf -y clean all
+
+# Copy Nginx default config files
+ADD ./etc/ubi9 /etc/nginx
+ADD ./app /app
+RUN chown -R nginx:nginx /app
+
+USER nginx
+
+WORKDIR /app
+
+EXPOSE 80
+
+CMD ["nginx"]

Dockerfile.ubi9-micro

@@ -0,0 +1,44 @@
+ARG REGISTRY_URL=docker.io/aprimediet
+ARG UBI_VERSION=9.5
+ARG NGINX_VERSION=1.24
+
+FROM ${REGISTRY_URL}/nginx:${NGINX_VERSION}-ubi9 AS builder
+LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
+
+FROM ${REGISTRY_URL}/ubi9:${UBI_VERSION}-micro AS runtime
+LABEL maintainer="<Muhamad Aditya Prima> aprimediet@gmail.com"
+
+USER root
+
+# Create nginx run and logs directory
+RUN mkdir -p /var/run/nginx && \
+    mkdir -p /var/log/nginx && \
+    chown 10001:10001 /var/run/nginx && \
+    chown 10001:10001 /var/log/nginx
+
+# Copy required libs
+COPY --from=builder /usr/lib64/libcrypt* /usr/lib64
+COPY --from=builder /usr/lib64/libssl* /usr/lib64
+COPY --from=builder /usr/lib64/libz* /usr/lib64
+
+# Copy nginx required files
+COPY --from=builder /etc/nginx /etc/nginx
+COPY --from=builder /usr/lib64/nginx /usr/lib64/nginx
+COPY --from=builder /usr/libexec/nginx* /usr/libexec/
+COPY --from=builder /usr/sbin/nginx /usr/sbin
+COPY --from=builder /usr/share/nginx /usr/share/nginx
+COPY --from=builder /var/lib/nginx /var/lib/nginx
+
+# Copy Nginx default config files
+ADD ./etc/ubi9 /etc/nginx
+ADD ./app /app
+
+RUN chown -R 10001:10001 /app
+
+USER 10001
+
+WORKDIR /app
+
+EXPOSE 80
+
+CMD ["nginx"]

etc/alpine/fastcgi_params

@@ -0,0 +1,24 @@
+fastcgi_param  QUERY_STRING       $query_string;
+fastcgi_param  REQUEST_METHOD     $request_method;
+fastcgi_param  CONTENT_TYPE       $content_type;
+fastcgi_param  CONTENT_LENGTH     $content_length;
+
+fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
+fastcgi_param  REQUEST_URI        $request_uri;
+fastcgi_param  DOCUMENT_URI       $document_uri;
+fastcgi_param  DOCUMENT_ROOT      $document_root;
+fastcgi_param  SERVER_PROTOCOL    $server_protocol;
+fastcgi_param  REQUEST_SCHEME     $scheme;
+fastcgi_param  HTTPS              $https if_not_empty;
+
+fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
+fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
+
+fastcgi_param  REMOTE_ADDR        $remote_addr;
+fastcgi_param  REMOTE_PORT        $remote_port;
+fastcgi_param  SERVER_ADDR        $server_addr;
+fastcgi_param  SERVER_PORT        $server_port;
+fastcgi_param  SERVER_NAME        $server_name;
+
+# PHP only, required if PHP was built with --enable-force-cgi-redirect
+fastcgi_param  REDIRECT_STATUS    200;

etc/alpine/nginx.conf

@@ -1,7 +1,5 @@
 # /etc/nginx/nginx.conf
 
-user root;
-
 # Do not start as daemon
 daemon off;
 
@@ -10,7 +8,7 @@ worker_rlimit_nofile 100000;
 
 # Set log to stderr
 error_log stderr warn;
-pid       /var/run/nginx.pid;
+pid       /var/run/nginx/nginx.pid;
 
 include /etc/nginx/modules/*.conf;
 
@@ -20,7 +18,6 @@ events {
 
 http {
   include /etc/nginx/mime.types;
-  include /etc/nginx/naxsi_core.rules;
   default_type application/octet-stream;
   server_tokens off;
   keepalive_timeout 15;
@@ -29,9 +26,9 @@ http {
 
   log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
                         '"$request" $status $body_bytes_sent '
-                        '"$http_referer" "$http_user_agent" "$gzip_ratio"';
+                        '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"';
 
-  # Do not log access
+  # Log access to stdout
   access_log /dev/stdout custom_log;
 
   # SSL

etc/nginx/naxsi_core.rules

@@ -1,91 +0,0 @@
-##################################
-## INTERNAL RULES IDS:1-999     ##
-##################################
-#@MainRule "msg:weird request, unable to parse" id:1;
-#@MainRule "msg:request too big, stored on disk and not parsed" id:2;
-#@MainRule "msg:invalid hex encoding, null bytes" id:10;
-#@MainRule "msg:unknown content-type" id:11;
-#@MainRule "msg:invalid formatted url" id:12;
-#@MainRule "msg:invalid POST format" id:13;
-#@MainRule "msg:invalid POST boundary" id:14;
-#@MainRule "msg:invalid JSON" id:15;
-#@MainRule "msg:empty POST" id:16;
-#@MainRule "msg:libinjection_sql" id:17;
-#@MainRule "msg:libinjection_xss" id:18;
-#@MainRule "msg:no generic rules" id:19;
-#@MainRule "msg:bad utf8" id:20;
-
-
-
-##################################
-## SQL Injections IDs:1000-1099 ##
-##################################
-MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop|load_file|substr|group_concat|dumpfile" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
-MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
-MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
-## Hardcore rules
-MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
-MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
-MainRule "str:|" "msg:mysql keyword (|)"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
-MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
-## end of hardcore rules
-MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
-MainRule "str:;" "msg:semicolon" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
-MainRule "str:=" "msg:equal sign in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
-MainRule "str:(" "msg:open parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
-MainRule "str:)" "msg:close parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
-MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
-MainRule "str:," "msg:comma" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
-MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;
-MainRule "str:@@" "msg:double arobase (@@)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1017;
-
-###############################
-## OBVIOUS RFI IDs:1100-1199 ##
-###############################
-MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
-MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
-MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
-MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
-MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
-MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
-MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
-MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
-MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
-MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;
-MainRule "str:gopher://" "msg:gopher:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1110;
-MainRule "str:zip://" "msg:zip:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1111;
-MainRule "str:expect://" "msg:expect:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1112;
-MainRule "str:input://" "msg:input:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1113;
-
-#######################################
-## Directory traversal IDs:1200-1299 ##
-#######################################                                          
-MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
-MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
-MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
-MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
-MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
-#MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;
-MainRule "str:/..;/" "msg:dir traversal bypass" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1207;
-
-########################################
-## Cross Site Scripting IDs:1300-1399 ##
-########################################
-MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
-MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
-MainRule "str:[" "msg:open square backet ([), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
-MainRule "str:]" "msg:close square bracket (]), possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
-MainRule "str:~" "msg:tilde (~) character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
-MainRule "str:`"  "msg:grave accent (`)" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
-MainRule "rx:%[23]."  "msg:double encoding" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;
-
-####################################
-## Evading tricks IDs: 1400-1500 ##
-####################################
-MainRule "str:&#" "msg:utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
-MainRule "str:%U" "msg:M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
-
-#############################
-## File uploads: 1500-1600 ##
-#############################
-MainRule "rx:\.ph|\.asp|\.ht|\.jsp" "msg:asp/php/jsp file upload" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;

etc/nginx/nginx-rootless.conf

@@ -1,71 +0,0 @@
-# /etc/nginx/nginx.conf
-
-user nginx nginx;
-
-# Do not start as daemon
-daemon off;
-
-worker_processes auto;
-worker_rlimit_nofile 100000;
-
-# Set log to stderr
-error_log stderr warn;
-pid       /tmp/nginx.pid;
-
-include /etc/nginx/modules/*.conf;
-
-events {
-  worker_connections 1024;
-}
-
-http {
-  include /etc/nginx/mime.types;
-  include /etc/nginx/naxsi_core.rules;
-  default_type application/octet-stream;
-  server_tokens off;
-  keepalive_timeout 15;
-  sendfile on;
-  tcp_nodelay on;
-
-  log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
-                        '"$request" $status $body_bytes_sent '
-                        '"$http_referer" "$http_user_agent" "$gzip_ratio"';
-
-  # Do not log access
-  access_log /dev/stdout custom_log;
-
-  # SSL
-  ssl_prefer_server_ciphers on;
-  ssl_session_cache shared:SSL:2m;
-
-  # buffering causes issues, disable it
-  # increase buffer size. still useful even when buffering is off
-  proxy_buffering off;
-  proxy_buffer_size 4k;
-
-  # Buffer size
-  client_body_buffer_size 10k;
-  client_header_buffer_size 1k;
-  client_max_body_size 8m;
-  large_client_header_buffers 2 1k;
-
-  # Timeouts
-  client_body_timeout 12;
-  client_header_timeout 12;
-  send_timeout 10;
-
-  # GZip Compression
-  gzip on;
-  gzip_http_version 1.0;
-  gzip_vary on;
-  gzip_comp_level 4;
-  gzip_min_length 1280;
-  gzip_buffers 128 4k;
-  # gzip_proxied expired no-cache no-store private auth;
-  gzip_proxied any;
-  gzip_disable "msie6";
-  # gzip_types text/plain application/x-javascript text/xml text/css application/xml;
-  gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
-  
-  include /etc/nginx/conf.d/*.conf;
-}

etc/ubi9/conf.d/default.conf

@@ -0,0 +1,23 @@
+server {
+  listen 80 default_server;
+  listen [::]:80 default_server;
+
+  server_name _;
+  root /app;
+  index index.html;
+
+  error_log stderr warn;
+
+  location / {
+    try_files $uri $uri/ index.html;
+  }
+
+  location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
+    expires 30d;
+  }
+
+  location /nginx-status {
+    stub_status on;
+    allow all;
+  }
+}

etc/ubi9/nginx.conf

@@ -0,0 +1,70 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+# Do not start as daemon
+daemon off;
+worker_rlimit_nofile 100000;
+
+worker_processes auto;
+error_log stderr warn;
+pid /var/run/nginx/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+    server_tokens off;
+    keepalive_timeout 15;
+    sendfile on;
+    tcp_nodelay on;
+    
+    log_format custom_log '[$time_local] [NGINX] - $remote_addr - $remote_user - '
+                        '"$request" $status $body_bytes_sent '
+                        '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"';
+
+    # Log access to stdout
+    access_log /dev/stdout custom_log;
+
+    # SSL
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:2m;
+
+
+    # buffering causes issues, disable it
+    # increase buffer size. still useful even when buffering is off
+    proxy_buffering off;
+    proxy_buffer_size 4k;
+
+    # Buffer size
+    client_body_buffer_size 10k;
+    client_header_buffer_size 1k;
+    client_max_body_size 8m;
+    large_client_header_buffers 2 1k;
+
+    # Timeouts
+    client_body_timeout 12;
+    client_header_timeout 12;
+    send_timeout 10;
+
+    # GZip Compression
+    gzip on;
+    gzip_http_version 1.0;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 1280;
+    gzip_buffers 128 4k;
+    # gzip_proxied expired no-cache no-store private auth;
+    gzip_proxied any;
+    gzip_disable "msie6";
+    # gzip_types text/plain application/x-javascript text/xml text/css application/xml;
+    gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon image/bmp;
+    
+    include /etc/nginx/conf.d/*.conf;
+}

etc/ubi9/proxy_params

@@ -0,0 +1,4 @@
+proxy_set_header Host $http_host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;

etc/ubi9/ssl_params

@@ -0,0 +1,22 @@
+# secure nginx, see https://cipherli.st/
+
+ssl_protocols TLSv1.3
+ssl_prefer_server_ciphers off;
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:10m;
+ssl_session_tickets off; # Requires nginx >= 1.5.9
+ssl_stapling on; # Requires nginx >= 1.3.7
+ssl_stapling_verify on; # Requires nginx => 1.3.7
+resolver 8.8.8.8 8.8.4.4 valid=300s;
+resolver_timeout 5s;
+
+# https://hstspreload.org
+add_header Strict-Transport-Security "max-age=63072000" always; 
+# By default, HSTS header is not added to subdomain requests. If you have subdomains and want
+# HSTS to apply to all of them, you should add the includeSubDomains variable like this:
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
+
+add_header X-Frame-Options DENY;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Robots-Tag none;