2021-01-13 16:36:50 +00:00
|
|
|
# Configuration File - Nginx Server Configs
|
|
|
|
# https://nginx.org/en/docs/
|
|
|
|
|
|
|
|
# Run as a unique, less privileged user for security reasons.
|
|
|
|
# Default: nobody nobody
|
|
|
|
# https://nginx.org/en/docs/ngx_core_module.html#user
|
|
|
|
user nginx nginx;
|
|
|
|
|
|
|
|
# Sets the worker threads to the number of CPU cores available in the system for
|
|
|
|
# best performance. Should be > the number of CPU cores.
|
|
|
|
# Maximum number of connections = worker_processes * worker_connections
|
|
|
|
# Default: 1
|
|
|
|
# https://nginx.org/en/docs/ngx_core_module.html#worker_processes
|
|
|
|
worker_processes auto;
|
|
|
|
|
|
|
|
# Maximum number of open files per worker process.
|
|
|
|
# Should be > worker_connections.
|
|
|
|
# Default: no limit
|
|
|
|
# https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
|
|
|
|
worker_rlimit_nofile 8192;
|
|
|
|
|
|
|
|
# Provides the configuration file context in which the directives that affect
|
|
|
|
# connection processing are specified.
|
|
|
|
# https://nginx.org/en/docs/ngx_core_module.html#events
|
|
|
|
events {
|
|
|
|
# If you need more connections than this, you start optimizing your OS.
|
|
|
|
# That's probably the point at which you hire people who are smarter than you
|
|
|
|
# as this is *a lot* of requests.
|
|
|
|
# Should be < worker_rlimit_nofile.
|
|
|
|
# Default: 512
|
|
|
|
# https://nginx.org/en/docs/ngx_core_module.html#worker_connections
|
|
|
|
worker_connections 8000;
|
|
|
|
}
|
|
|
|
|
|
|
|
# Log errors and warnings to this file
|
|
|
|
# This is only used when you don't override it on a `server` level
|
|
|
|
# Default: logs/error.log error
|
|
|
|
# https://nginx.org/en/docs/ngx_core_module.html#error_log
|
|
|
|
error_log /var/log/nginx/error.log warn;
|
|
|
|
|
|
|
|
# The file storing the process ID of the main process
|
|
|
|
# Default: logs/nginx.pid
|
|
|
|
# https://nginx.org/en/docs/ngx_core_module.html#pid
|
|
|
|
pid /var/run/nginx.pid;
|
|
|
|
|
|
|
|
http {
|
|
|
|
# Prevent Nginx from sending its version number in the "Server" response header.
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
|
|
|
|
server_tokens off;
|
|
|
|
|
|
|
|
# Serve resources with the proper media types (f.k.a. MIME types).
|
|
|
|
# https://www.iana.org/assignments/media-types/media-types.xhtml
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#types
|
|
|
|
include mime.types;
|
|
|
|
|
|
|
|
# Default: text/plain
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type
|
|
|
|
default_type application/octet-stream;
|
|
|
|
|
|
|
|
# Serve all resources labeled as `text/html` or `text/plain` with the media type
|
|
|
|
# `charset` parameter set to `UTF-8`.
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset
|
|
|
|
charset utf-8;
|
|
|
|
|
|
|
|
# Update charset_types to match updated mime.types. `text/html` is always included by charset module.
|
|
|
|
# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset_types
|
|
|
|
charset_types text/css
|
|
|
|
text/plain
|
|
|
|
text/vnd.wap.wml
|
|
|
|
text/javascript
|
|
|
|
text/markdown
|
|
|
|
text/calendar
|
|
|
|
text/x-component
|
|
|
|
text/vcard
|
|
|
|
text/cache-manifest
|
|
|
|
text/vtt
|
|
|
|
application/json
|
|
|
|
application/manifest+json;
|
|
|
|
|
|
|
|
# Include $http_x_forwarded_for within default format used in log files
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
|
|
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
|
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
|
|
|
|
|
|
# Log access to this file
|
|
|
|
# This is only used when you don't override it on a `server` level
|
|
|
|
# Default: logs/access.log combined
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
|
|
|
|
access_log /var/log/nginx/access.log main;
|
|
|
|
|
|
|
|
# How long to allow each connection to stay idle.
|
|
|
|
# Longer values are better for each individual client, particularly for SSL,
|
|
|
|
# but means that worker connections are tied up longer.
|
|
|
|
# Default: 75s
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
|
|
|
|
keepalive_timeout 20s;
|
|
|
|
|
2021-08-01 21:31:25 +00:00
|
|
|
# The maximum size allowed for request bodies.
|
|
|
|
# Default: 1m
|
|
|
|
# http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
|
|
|
|
client_max_body_size 32m;
|
|
|
|
|
2021-01-13 16:36:50 +00:00
|
|
|
# Speed up file transfers by using `sendfile()` to copy directly between
|
|
|
|
# descriptors rather than using `read()`/`write()``.
|
|
|
|
# For performance reasons, on FreeBSD systems w/ ZFS this option should be
|
|
|
|
# disabled as ZFS's ARC caches frequently used files in RAM by default.
|
|
|
|
# Default: off
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
|
|
|
|
sendfile on;
|
|
|
|
|
|
|
|
# Don't send out partial frames; this increases throughput since TCP frames
|
|
|
|
# are filled up before being sent out.
|
|
|
|
# Default: off
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush
|
|
|
|
tcp_nopush on;
|
|
|
|
|
|
|
|
# Enable gzip compression.
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
|
|
|
|
# Default: off
|
|
|
|
gzip on;
|
|
|
|
|
|
|
|
# Compression level (1-9).
|
|
|
|
# 5 is a perfect compromise between size and CPU usage, offering about 75%
|
|
|
|
# reduction for most ASCII files (almost identical to level 9).
|
|
|
|
# Default: 1
|
|
|
|
gzip_comp_level 5;
|
|
|
|
|
|
|
|
# Don't compress anything that's already small and unlikely to shrink much if at
|
|
|
|
# all (the default is 20 bytes, which is bad as that usually leads to larger
|
|
|
|
# files after gzipping).
|
|
|
|
# Default: 20
|
|
|
|
gzip_min_length 256;
|
|
|
|
|
|
|
|
# Compress data even for clients that are connecting to us via proxies,
|
|
|
|
# identified by the "Via" header (required for CloudFront).
|
|
|
|
# Default: off
|
|
|
|
gzip_proxied any;
|
|
|
|
|
|
|
|
# Tell proxies to cache both the gzipped and regular version of a resource
|
|
|
|
# whenever the client's Accept-Encoding capabilities header varies;
|
|
|
|
# Avoids the issue where a non-gzip capable client (which is extremely rare
|
|
|
|
# today) would display gibberish if their proxy gave them the gzipped version.
|
|
|
|
# Default: off
|
|
|
|
gzip_vary on;
|
|
|
|
|
|
|
|
# Compress all output labeled with one of the following MIME-types.
|
|
|
|
# `text/html` is always compressed by gzip module.
|
|
|
|
# Default: text/html
|
|
|
|
gzip_types application/atom+xml
|
|
|
|
application/geo+json
|
|
|
|
application/javascript
|
|
|
|
application/x-javascript
|
|
|
|
application/json
|
|
|
|
application/ld+json
|
|
|
|
application/manifest+json
|
|
|
|
application/rdf+xml
|
|
|
|
application/rss+xml
|
|
|
|
application/vnd.ms-fontobject
|
|
|
|
application/wasm
|
|
|
|
application/x-web-app-manifest+json
|
|
|
|
application/xhtml+xml
|
|
|
|
application/xml
|
|
|
|
font/eot
|
|
|
|
font/otf
|
|
|
|
font/ttf
|
|
|
|
image/bmp
|
|
|
|
image/svg+xml
|
|
|
|
text/cache-manifest
|
|
|
|
text/calendar
|
|
|
|
text/css
|
|
|
|
text/javascript
|
|
|
|
text/markdown
|
|
|
|
text/plain
|
|
|
|
text/xml
|
|
|
|
text/vcard
|
|
|
|
text/vnd.rim.location.xloc
|
|
|
|
text/vtt
|
|
|
|
text/x-component
|
|
|
|
text/x-cross-domain-policy;
|
|
|
|
|
|
|
|
# Serve resources with a far-future expiration date.
|
|
|
|
#
|
|
|
|
# (!) If you don't control versioning with filename-based cache busting, you
|
|
|
|
# should consider lowering the cache times to something like one week.
|
|
|
|
#
|
|
|
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
|
|
|
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
|
|
|
|
|
|
|
|
map $sent_http_content_type $expires {
|
|
|
|
default 1M;
|
|
|
|
|
|
|
|
# No content
|
|
|
|
"" off;
|
|
|
|
|
|
|
|
# CSS
|
|
|
|
~*text/css 1y;
|
|
|
|
|
|
|
|
# Data interchange
|
|
|
|
~*application/atom\+xml 1h;
|
|
|
|
~*application/rdf\+xml 1h;
|
|
|
|
~*application/rss\+xml 1h;
|
|
|
|
|
|
|
|
~*application/json 0;
|
|
|
|
~*application/ld\+json 0;
|
|
|
|
~*application/schema\+json 0;
|
|
|
|
~*application/geo\+json 0;
|
|
|
|
~*application/xml 0;
|
|
|
|
~*text/calendar 0;
|
|
|
|
~*text/xml 0;
|
|
|
|
|
|
|
|
# Favicon (cannot be renamed!) and cursor images
|
|
|
|
~*image/vnd.microsoft.icon 1w;
|
|
|
|
~*image/x-icon 1w;
|
|
|
|
|
|
|
|
# HTML
|
|
|
|
~*text/html 0;
|
|
|
|
|
|
|
|
# JavaScript
|
|
|
|
~*application/javascript 1y;
|
|
|
|
~*application/x-javascript 1y;
|
|
|
|
~*text/javascript 1y;
|
|
|
|
|
|
|
|
# Manifest files
|
|
|
|
~*application/manifest\+json 1w;
|
|
|
|
~*application/x-web-app-manifest\+json 0;
|
|
|
|
~*text/cache-manifest 0;
|
|
|
|
|
|
|
|
# Markdown
|
|
|
|
~*text/markdown 0;
|
|
|
|
|
|
|
|
# Media files
|
|
|
|
~*audio/ 1M;
|
|
|
|
~*image/ 1M;
|
|
|
|
~*video/ 1M;
|
|
|
|
|
|
|
|
# WebAssembly
|
|
|
|
~*application/wasm 1y;
|
|
|
|
|
|
|
|
# Web fonts
|
|
|
|
~*font/ 1M;
|
|
|
|
~*application/vnd.ms-fontobject 1M;
|
|
|
|
~*application/x-font-ttf 1M;
|
|
|
|
~*application/x-font-woff 1M;
|
|
|
|
~*application/font-woff 1M;
|
|
|
|
~*application/font-woff2 1M;
|
|
|
|
|
|
|
|
# Other
|
|
|
|
~*text/x-cross-domain-policy 1w;
|
|
|
|
}
|
|
|
|
|
|
|
|
expires $expires;
|
|
|
|
|
|
|
|
# Add X-XSS-Protection for HTML documents.
|
|
|
|
# conf/security/x-xss-protection.conf
|
|
|
|
map $sent_http_content_type $x_xss_protection {
|
|
|
|
~*text/html "1; mode=block";
|
|
|
|
}
|
|
|
|
|
|
|
|
# Add X-Frame-Options for HTML documents.
|
|
|
|
# conf/security/x-frame-options.conf
|
|
|
|
map $sent_http_content_type $x_frame_options {
|
2021-07-23 22:31:01 +00:00
|
|
|
~*text/html SAMEORIGIN;
|
2021-01-13 16:36:50 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
# Add Content-Security-Policy for HTML documents.
|
|
|
|
# conf/security/content-security-policy.conf
|
|
|
|
map $sent_http_content_type $content_security_policy {
|
|
|
|
~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests";
|
|
|
|
}
|
|
|
|
|
|
|
|
# Add Referrer-Policy for HTML documents.
|
|
|
|
# conf/security/referrer-policy.conf.conf
|
|
|
|
map $sent_http_content_type $referrer_policy {
|
|
|
|
~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin";
|
|
|
|
}
|
|
|
|
|
|
|
|
# Add X-UA-Compatible for HTML documents.
|
|
|
|
# conf/internet_explorer/x-ua-compatible.conf
|
|
|
|
map $sent_http_content_type $x_ua_compatible {
|
|
|
|
~*text/html "IE=edge";
|
|
|
|
}
|
|
|
|
|
|
|
|
# Add Access-Control-Allow-Origin.
|
|
|
|
# conf/cross-origin/requests.conf
|
|
|
|
map $sent_http_content_type $cors {
|
|
|
|
# Images
|
|
|
|
~*image/ "*";
|
|
|
|
|
|
|
|
# Web fonts
|
|
|
|
~*font/ "*";
|
|
|
|
~*application/vnd.ms-fontobject "*";
|
|
|
|
~*application/x-font-ttf "*";
|
|
|
|
~*application/font-woff "*";
|
|
|
|
~*application/x-font-woff "*";
|
|
|
|
~*application/font-woff2 "*";
|
|
|
|
}
|
|
|
|
|
|
|
|
# For services that don't need backward compatibility, the parameters below provide a higher level
|
|
|
|
# of security.
|
|
|
|
#
|
|
|
|
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
|
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
|
|
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
|
|
|
|
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
|
|
|
|
|
|
|
|
# OCSP is a lightweight, only one record to help clients verify the validity of the server
|
|
|
|
# certificate. OCSP stapling allows the server to send its cached OCSP record during the TLS
|
|
|
|
# handshake, without the need of 3rd party OCSP responder.
|
|
|
|
#
|
|
|
|
# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
|
|
|
|
# https://tools.ietf.org/html/rfc6066#section-8
|
|
|
|
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
|
|
|
|
ssl_stapling on;
|
|
|
|
ssl_stapling_verify on;
|
|
|
|
|
|
|
|
resolver_timeout 2s;
|
|
|
|
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
|
|
|
|
8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=60s;
|
|
|
|
|
|
|
|
# Include files in the conf.d folder.
|
|
|
|
# `server` configuration files should be placed in the conf.d folder.
|
|
|
|
# The configurations should be disabled by prefixing files with a dot.
|
|
|
|
include conf.d/*.conf;
|
|
|
|
}
|