forked from nomadturk/nginx-conf
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx.conf
216 lines (173 loc) · 8.5 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
# Run as a less privileged user for security reasons.
user www-data;
# The maximum number of connections for Nginx is calculated by:
# max_clients = worker_processes * worker_connections
# It is better if you set the worker_processes count 1 less than your cpu cores. You have other processes running as well!
worker_processes 1;
# Maximum open file descriptors per process;
# should be > worker_connections.
worker_rlimit_nofile 50000;
pid /run/nginx.pid;
events {
# When you need > 8000 * cpu_cores connections, you start optimizing your OS,
# and this is probably the point at which you hire people who are smarter than
# you, as this is *a lot* of requests.
worker_connections 4096 ;
use epoll;
# accept_mutex off;
# Accept as many connections as possible.
multi_accept on;
}
http {
############################################################################ General Settings
# Define the MIME types for files.
# Usually located at mime.types;
include mime.types;
default_type application/octet-stream;
# Update charset_types due to updated mime.types
charset_types text/xml text/plain text/vnd.wap.wml application/x-javascript application/rss+xml text/css application/javascript application/json;
client_max_body_size 20m;
client_body_buffer_size 128k;
large_client_header_buffers 2 1k;
## Hide the Nginx version number.
server_tokens off;
server_names_hash_bucket_size 512;
server_names_hash_max_size 512;
server_name_in_redirect off;
variables_hash_max_size 2048;
variables_hash_bucket_size 64;
# Speed up file transfers by using sendfile() to copy directly
# between descriptors rather than using read()/write().
sendfile on;
# Tell Nginx not to send out partial frames; this increases throughput
# since TCP frames are filled up before being sent out. (adds TCP_CORK)
tcp_nopush on;
# Tell Nginx to enable the Nagle buffering algorithm for TCP packets, which
# collates several smaller packets together into one larger packet, thus saving
# bandwidth at the cost of a nearly imperceptible increase to latency. (removes TCP_NODELAY)
tcp_nodelay on;
# Don't put the IP to the end of url when there's a redirection
port_in_redirect off;
# Let's make a lot of keepalive requests possible
keepalive_requests 100000;
# How long to allow each connection to stay idle; longer values are better
# for each individual client, particularly for SSL, but means that worker
# connections are tied up longer. (Default: 65)
keepalive_timeout 30;
client_body_timeout 30;
client_header_timeout 60;
send_timeout 30;
## Reset lingering timed out connections. Deflect DDoS.
reset_timedout_connection on;
############################################################################ Gzip Settings
# Enable Gzip compressed.
# Pagespeed might not allow us to turn it on
gzip on;
gzip_buffers 16 8k;
# This feature allow you to use static GZipped versions of your files (you need to create them yourself) and serve those gzipped files directly through Nginx. Nginx just looks for a filename identical to the one requested by the browsers, but with a “.gz” extension (eg. if 'index.html' is requested, nginx will look for a 'index.html.gz' file next to it). If it exists, Nginx serves this -already compressed- file and does not perform gzip compression, thus reducing CPU overhead and response time.
gzip_static on;
# Enable compression both for HTTP/1.0 and HTTP/1.1 (required for CloudFront).
gzip_http_version 1.1;
# Compression level (1-9).
# 5 is a perfect compromise between size and cpu usage, offering about
# 75% reduction for most ascii files (almost identical to level 9).
gzip_comp_level 7;
# Don't compress anything that's already small and unlikely to shrink much
# if at all (the default is 20 bytes, which is bad as that usually leads to
# larger files after gzipping).
gzip_min_length 1064;
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
gzip_proxied expired no-cache no-store private auth;
# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the clients Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
gzip_vary on;
# Disable gzip for non-supporting browsers.
gzip_disable "MSIE [1-6]\.";
# Compress all output labeled with one of the following MIME-types.
gzip_types application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/x-javascript
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
image/bmp
text/css
text/richtext
text/xsd
text/xsl
text/xml
text/plain
text/x-component
text/javascript;
#text/html is always compressed by HttpGzipModule
############################################################################ Caching
# Define a cache path for fastcgi caching under the zone name microcache
fastcgi_cache_path /var/cache/nginx/ levels=1:2 keys_zone=microcache:10m max_size=1000m inactive=60m;
proxy_cache_path /var/cache/nginx/proxy/ levels=1:2 keys_zone=proxy:10m;
# Improve static content handling by caching metadata, not the files itself
open_file_cache max=1000 inactive=1h;
open_file_cache_valid 2h;
open_file_cache_min_uses 1;
open_file_cache_errors on;
# Define a zone for limiting the number of simultaneous
# connections nginx accepts. 1m means 32000 simultaneous
# sessions. We need to define for each server the limit_conn
# value refering to this or other zones.
# ** This syntax requires nginx version >=
# ** 1.1.8. Cf. http://nginx.org/en/CHANGES. If using an older
# ** version then use the limit_zone directive below
# ** instead. Comment out this
# ** one if not using nginx version >= 1.1.8.
# limit_conn_zone $binary_remote_addr zone=arbeit:10m;
# For the filefield_nginx_progress module to work. From the
# README. Reserve 1MB under the name 'uploads' to track uploads.
# upload_progress uploads 1m;
############################################################################ Security
# Enable the builtin cross-site scripting (XSS) filter available
# in modern browsers. Usually enabled by default we just
# reinstate in case it has been somehow disabled for this
# particular server instance.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers.
add_header X-XSS-Protection '1; mode=block';
# Enable clickjacking protection in modern browsers. Available in
# IE8 also. See
# https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
# This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
# Uncomment the line below if you are not using media streaming.
# For sites being framing on the same domqin uncomment the line below.
#add_header X-Frame-Options SAMEORIGIN;
# For sites accepting to be framed in any context comment the
# line below.
add_header X-Frame-Options DENY;
## Block MIME type sniffing on IE.
add_header X-Content-Options nosniff;
############################################################################ Logging
log_format custom '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" nocache:$no_cache';
#log_format varnish_log '$http_x_forwarded_for - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent "$http_referer" ' ;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
############################################################################ Pagespeed
# Edit this file to add your domain.
# https://developers.google.com/speed/pagespeed/module/domains
# include conf.d/pagespeed/pagespeed.conf;
# Virtual Host Configs
include conf.d/*.conf;
include sites-enabled/*;
############################################################################ CLOUDFLARE GET REALIP PROBE
include nomad-conf/realip.add;
}