-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.conf
180 lines (138 loc) · 6.22 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
user www-data;
worker_processes 1;
error_log /var/log/nginx/error.log;
error_log /var/log/nginx/error.log notice;
error_log /var/log/nginx/error.log info;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
types_hash_max_size 2048;
server_names_hash_bucket_size 128;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
charset utf-8; # adds the line "Content-Type" into response-header, same as "source_charset"
ignore_invalid_headers on;
## Use sendfile() syscall to speed up I/O operations and speed up
## static file serving.
sendfile on;
## TCP options.
tcp_nodelay on;
## Optimization of socket handling when using sendfile.
tcp_nopush on;
keepalive_disable none; # allow all browsers to use keepalive connections
max_ranges 1; # allow a single range header for resumed downloads and to stop large range header DoS attacks
msie_padding off;
open_file_cache max=1000 inactive=2h;
open_file_cache_errors on;
open_file_cache_min_uses 1;
open_file_cache_valid 1h;
output_buffers 1 512;
postpone_output 1440; # postpone sends to match our machine's MSS
read_ahead 512K; # kernel read head set to the output_buffers
recursive_error_pages on;
## Request limits
limit_req_zone $binary_remote_addr zone=gulag:1m rate=60r/m;
proxy_cache_path /var/nginx/cache/proxy levels=1:2 keys_zone=shrikeh:10m inactive=24h max_size=32m;
## Handling of IPs in proxied and load balancing situations.
set_real_ip_from 0.0.0.0/32; # all addresses get a real IP.
real_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer/proxy
## Define a zone for limiting the number of simultaneous
## connections nginx accepts. 1m means 32000 simultaneous
## sessions. We need to define for each server the limit_conn
## value refering to this or other zones.
## ** This syntax requires nginx version >=
## ** 1.1.8. Cf. http://nginx.org/en/CHANGES. If using an older
## ** version then use the limit_zone directive below
## ** instead. Comment out this
## ** one if not using nginx version >= 1.1.8.
limit_conn_zone $binary_remote_addr zone=arbeit:10m;
pagespeed on;
pagespeed FileCachePath /var/nginx/cache/pagespeed; # Use tmpfs for best results.
pagespeed LowercaseHtmlNames on;
## Timeouts.
client_body_timeout 12;
client_header_timeout 12;
keepalive_timeout 10 10;
send_timeout 10;
## Reset lingering timed out connections. Deflect DDoS.
reset_timedout_connection on;
## Body size.
client_body_buffer_size 10K;
client_header_buffer_size 1k;
client_max_body_size 8m;
large_client_header_buffers 2 1k;
## Compression.
gzip on;
gzip_static on;
gzip_buffers 16 8k;
gzip_comp_level 2;
gzip_http_version 1.1;
gzip_min_length 10;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf;
gzip_vary on;
gzip_proxied any; # Compression for all requests.
## No need for regexps. See
## http://wiki.nginx.org/NginxHttpGzipModule#gzip_disable
gzip_disable msie6;
## Hide the Nginx version number.
server_tokens off;
## The server dictates the choice of cipher suites.
ssl_prefer_server_ciphers on;
## Use a SSL/TLS cache for SSL session resume. This needs to be
## here (in this context, for session resumption to work. See this
## thread on the Nginx mailing list:
## http://nginx.org/pipermail/nginx/2010-November/023736.html.
ssl_session_cache shared:SSL:30m;
ssl_session_timeout 1d;
ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
## No SSLn or TLSv1 support. Let's keep it current, people.
ssl_protocols TLSv1.1 TLSv1.2;
## Pregenerated Diffie-Hellman parameters.
ssl_dhparam /usr/local/nginx/dh_param.pem;
## Curve to use for ECDH.
ssl_ecdh_curve secp521r1;
## Enable OCSP stapling. A better way to revocate server certificates.
ssl_stapling on;
## Fill in with your own resolver.
resolver 8.8.8.8 8.8.4.4;
## For the filefield_nginx_progress module to work. From the
## README. Reserve 1MB under the name 'uploads' to track uploads.
upload_progress uploads 1m;
## Enable the builtin cross-site scripting (XSS) filter available
## in modern browsers. Usually enabled by default we just
## reinstate in case it has been somehow disabled for this
## particular server instance.
## https://www.owasp.org/index.php/List_of_useful_HTTP_headers.
# add_header X-XSS-Protection "1; mode=block";
## Enable clickjacking protection in modern browsers. Available in
## IE8 also. See
## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
## Uncomment the line below if you're not using media streaming.
## For sites being framing on the same domqin uncomment the line below.
#add_header X-Frame-Options SAMEORIGIN;
## For sites accepting to be framed in any context comment the
## line below.
# add_header X-Frame-Options DENY;
## Block MIME type sniffing on IE.
# add_header X-Content-Options nosniff;
## Include the map to block HTTP methods.
include map_block_http_methods.conf;
# Support the X-Forwarded-Proto header for fastcgi.
map $http_x_forwarded_proto $fastcgi_https {
default $https;
http '';
https on;
}
## Include blacklist for bad bot and referer blocking.
include blacklist.conf;
## Allow nginx to act as a proxy
include reverse_proxy.conf;
include sites-enabled/*.conf;
}