Split directives to enforce atomic structure

* Enforce H5BP style
* Improve inline documentation to simplify maintenance
* Prepare v3

h5bp/basic.conf

@@ -1,6 +1,7 @@
-# Basic h5bp rules
+# Nginx Server Configs | MIT License
+# https://github.com/h5bp/server-configs-nginx
 
-include h5bp/directive-only/x-ua-compatible.conf;
-include h5bp/location/expires.conf;
-include h5bp/location/cross-domain-fonts.conf;
-include h5bp/location/protect-system-files.conf;
+include h5bp/internet_explorer/x-ua-compatible.conf;
+include h5bp/location/security_file_access.conf;
+include h5bp/location/cross-origin_web_fonts.conf;
+include h5bp/location/security_file_access.conf;

h5bp/cross-origin/requests.conf

@@ -0,0 +1,19 @@
+# ----------------------------------------------------------------------
+# | Cross-origin requests                                              |
+# ----------------------------------------------------------------------
+
+# Allow cross-origin requests.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+# https://enable-cors.org/
+# https://www.w3.org/TR/cors/
+
+# (!) Do not use this without understanding the consequences.
+#     This will permit access from any other website.
+#
+# Instead of using this file, consider using a specific rule such as:
+#
+# Allow access based on [sub]domain:
+#    add_header Access-Control-Allow-Origin "subdomain.example.com";
+
+add_header Access-Control-Allow-Origin "*";

h5bp/cross-origin/resource_timing.conf

@@ -0,0 +1,16 @@
+# ----------------------------------------------------------------------
+# | Cross-origin resource timing                                       |
+# ----------------------------------------------------------------------
+
+# Allow cross-origin access to the timing information for all resources.
+#
+# If a resource isn't served with a `Timing-Allow-Origin` header that
+# would allow its timing information to be shared with the document,
+# some of the attributes of the `PerformanceResourceTiming` object will
+# be set to zero.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin
+# https://www.w3.org/TR/resource-timing/
+# https://www.stevesouders.com/blog/2014/08/21/resource-timing-practical-tips/
+
+add_header Timing-Allow-Origin "*";

h5bp/errors/custom_errors.conf

@@ -0,0 +1,9 @@
+# ----------------------------------------------------------------------
+# | Custom error messages/pages                                        |
+# ----------------------------------------------------------------------
+
+# Customize what Nginx returns to the client in case of an error.
+#
+# https://nginx.org/en/docs/http/ngx_http_core_module.html#error_page
+
+error_page 404 /404.html;

h5bp/internet_explorer/x-ua-compatible.conf

@@ -0,0 +1,19 @@
+# ----------------------------------------------------------------------
+# | Document modes                                                     |
+# ----------------------------------------------------------------------
+
+# Force Internet Explorer 8/9/10 to render pages in the highest mode
+# available in the various cases when it may not.
+#
+# https://hsivonen.fi/doctype/#ie8
+#
+# (!) Starting with Internet Explorer 11, document modes are deprecated.
+# If your business still relies on older web apps and services that were
+# designed for older versions of Internet Explorer, you might want to
+# consider enabling `Enterprise Mode` throughout your company.
+#
+# https://msdn.microsoft.com/en-us/library/ie/bg182625.aspx#docmode
+# https://blogs.msdn.microsoft.com/ie/2014/04/02/stay-up-to-date-with-enterprise-mode-for-internet-explorer-11/
+# https://msdn.microsoft.com/en-us/library/ff955275.aspx
+
+add_header X-UA-Compatible "IE=Edge";

h5bp/location/cross-origin_images.conf

@@ -0,0 +1,18 @@
+# ----------------------------------------------------------------------
+# | Cross-origin images                                                |
+# ----------------------------------------------------------------------
+
+# Send the CORS header for images when browsers request it.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTML/CORS_enabled_image
+# https://blog.chromium.org/2011/07/using-cross-domain-images-in-webgl-and.html
+
+location ~* \.(?:bmp|cur|gif|ico|jpe?g|png|svgz?|webp?)$ {
+  include h5bp/cross-origin/requests.conf;
+
+  # Also, set cache rules for images.
+  #
+  # https://nginx.org/en/docs/http/ngx_http_core_module.html#location
+  access_log off;
+  expires 1M;
+}

h5bp/location/cross-origin_web_fonts.conf

@@ -0,0 +1,19 @@
+# ----------------------------------------------------------------------
+# | Cross-origin web fonts                                             |
+# ----------------------------------------------------------------------
+
+# Allow cross-origin access to web fonts.
+#
+# https://developers.google.com/fonts/docs/troubleshooting
+
+location ~* \.(?:eot|otf|tt[cf]|woff2?)$ {
+  include h5bp/cross-origin/requests.conf;
+
+  # Also, set cache rules for web fonts.
+  #
+  # https://nginx.org/en/docs/http/ngx_http_core_module.html#location
+  # https://github.com/h5bp/server-configs/issues/85
+  # https://github.com/h5bp/server-configs/issues/86
+  access_log off;
+  expires 1M;
+}

h5bp/location/security_file_access.conf

@@ -0,0 +1,42 @@
+# ----------------------------------------------------------------------
+# | File access                                                        |
+# ----------------------------------------------------------------------
+
+# Block access to all hidden files and directories with the exception of
+# the visible content from within the `/.well-known/` hidden directory.
+#
+# These types of files usually contain user preferences or the preserved
+# state of an utility, and can include rather private places like, for
+# example, the `.git` or `.svn` directories.
+#
+# The `/.well-known/` directory represents the standard (RFC 5785) path
+# prefix for "well-known locations" (e.g.: `/.well-known/manifest.json`,
+# `/.well-known/keybase.txt`), and therefore, access to its visible
+# content should not be blocked.
+#
+# https://www.mnot.net/blog/2010/04/07/well-known
+# https://tools.ietf.org/html/rfc5785
+
+location ~* /\.(?!well-known\/) {
+  deny all;
+}
+
+# - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+# Block access to files that can expose sensitive information.
+#
+# By default, block access to backup and source files that may be
+# left by some text editors and can pose a security risk when anyone
+# has access to them.
+#
+# https://feross.org/cmsploit/
+#
+# (!) Update the `location` regular expression from below to
+# include any files that might end up on your production server and
+# can expose sensitive information about your website. These files may
+# include: configuration files, files that contain metadata about the
+# project (e.g.: project dependencies), build scripts, etc..
+
+location ~* (?:\.(?:bak|conf|dist|fla|in[ci]|log|orig|psd|sh|sql|sw[op])|~)$ {
+  deny all;
+}

h5bp/location/expires.conf → h5bp/location/web_performance_cache_expiration.conf

@@ -1,4 +1,16 @@
-# Expire rules for static content
+# ----------------------------------------------------------------------
+# | Cache expiration                                                   |
+# ----------------------------------------------------------------------
+
+# Serve resources with far-future expiration date.
+#
+# (!) If you don't control versioning with filename-based
+# cache busting, you should consider lowering the cache times
+# to something like one week.
+#
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
+# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
 
 # No default expire rule. This config mirrors that of apache as outlined in the
 # html5-boilerplate .htaccess file. However, nginx applies rules by location,
@@ -8,17 +20,17 @@
 # future (if the default expire rule is 1 month). Therefore, do not use a
 # default expire rule with nginx unless your site is completely static
 
-# cache.appcache, your document html and data
+# Documents
 location ~* \.(?:manifest|appcache|html?|xml|json)$ {
   expires 0;
 }
 
-# Feed
+# Feeds
 location ~* \.(?:rss|atom)$ {
   expires 1h;
 }
 
-# Media: images, icons, video, audio, HTC
+# Media files
 location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
   access_log off;
   expires 1M;
@@ -31,15 +43,15 @@ location ~* \.svgz$ {
   expires 1M;
 }
 
-# CSS and Javascript
+# CSS and JavaScript
 location ~* \.(?:css|js)$ {
   expires 1y;
   access_log off;
 }
 
-# WebFonts
+# Web fonts
 # If you are NOT using cross-domain-fonts.conf, uncomment the following directive
-# location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
-#  expires 1M;
-#  access_log off;
+# location ~* \.(?:eot|otf|tt[cf]|woff2?)$ {
+#   expires 1M;
+#   access_log off;
 # }

h5bp/location/web_performance_filename-based_cache_busting.conf

@@ -0,0 +1,14 @@
+# ----------------------------------------------------------------------
+# | Filename-based cache busting                                       |
+# ----------------------------------------------------------------------
+
+# If you're not using a build process to manage your filename version
+# revving, you might want to consider enabling the following directives
+#
+# To understand why this is important and even a better solution than
+# using something like `*.css?v231`, please see:
+# https://www.stevesouders.com/blog/2008/08/23/revving-filenames-dont-use-querystring/
+
+location ~* (.+)\.(?:\d+)\.(bmp|css|cur|gif|ico|jpe?g|m?js|png|svgz?|webp|webmanifest)$ {
+  try_files $uri $1.$2;
+}