# Configuration File - Nginx Server Configs # https://nginx.org/en/docs/ # Run as a unique, less privileged user for security reasons. # Default: nobody nobody # https://nginx.org/en/docs/ngx_core_module.html#user # https://en.wikipedia.org/wiki/Principle_of_least_privilege user nginx nginx; # Sets the worker threads to the number of CPU cores available in the system for # best performance. Should be > the number of CPU cores. # Maximum number of connections = worker_processes * worker_connections # Default: 1 # https://nginx.org/en/docs/ngx_core_module.html#worker_processes worker_processes auto; # Maximum number of open files per worker process. # Should be > worker_connections. # Default: no limit # https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile worker_rlimit_nofile 8192; # Provides the configuration file context in which the directives that affect # connection processing are specified. # https://nginx.org/en/docs/ngx_core_module.html#events events { # If you need more connections than this, you start optimizing your OS. # That's probably the point at which you hire people who are smarter than you # as this is *a lot* of requests. # Should be < worker_rlimit_nofile. # Default: 512 # https://nginx.org/en/docs/ngx_core_module.html#worker_connections worker_connections 8000; } # Log errors and warnings to this file # This is only used when you don't override it on a `server` level # Default: logs/error.log error # https://nginx.org/en/docs/ngx_core_module.html#error_log error_log /var/log/nginx/error.log warn; # The file storing the process ID of the main process # Default: logs/nginx.pid # https://nginx.org/en/docs/ngx_core_module.html#pid pid /var/run/nginx.pid; http { # Prevent Nginx from sending its version number in the "Server" response header. # https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens server_tokens off; # Serve resources with the proper media types (f.k.a. MIME types). # https://www.iana.org/assignments/media-types/media-types.xhtml # https://nginx.org/en/docs/http/ngx_http_core_module.html#types include mime.types; # Default: text/plain # https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type default_type application/octet-stream; # Serve all resources labeled as `text/html` or `text/plain` with the media type # `charset` parameter set to `UTF-8`. # https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset charset utf-8; # Update charset_types to match updated mime.types. `text/html` is always included by charset module. # Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml # https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset_types charset_types text/css text/plain text/vnd.wap.wml text/javascript text/markdown text/calendar text/x-component text/vcard text/cache-manifest text/vtt application/json application/manifest+json; # Include $http_x_forwarded_for within default format used in log files # https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; # Log access to this file # This is only used when you don't override it on a `server` level # Default: logs/access.log combined # https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log access_log /var/log/nginx/access.log main; # How long to allow each connection to stay idle. # Longer values are better for each individual client, particularly for SSL, # but means that worker connections are tied up longer. # Default: 75s # https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout keepalive_timeout 20s; # The maximum size allowed for request bodies. # Default: 1m # http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size client_max_body_size 32m; # Speed up file transfers by using `sendfile()` to copy directly between # descriptors rather than using `read()`/`write()``. # For performance reasons, on FreeBSD systems w/ ZFS this option should be # disabled as ZFS's ARC caches frequently used files in RAM by default. # Default: off # https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile sendfile on; # Don't send out partial frames; this increases throughput since TCP frames # are filled up before being sent out. # Default: off # https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush tcp_nopush on; # Enable gzip compression. # https://nginx.org/en/docs/http/ngx_http_gzip_module.html # Default: off gzip on; # Compression level (1-9). # 5 is a perfect compromise between size and CPU usage, offering about 75% # reduction for most ASCII files (almost identical to level 9). # Default: 1 gzip_comp_level 5; # Don't compress anything that's already small and unlikely to shrink much if at # all (the default is 20 bytes, which is bad as that usually leads to larger # files after gzipping). # Default: 20 gzip_min_length 256; # Compress data even for clients that are connecting to us via proxies, # identified by the "Via" header (required for CloudFront). # Default: off gzip_proxied any; # Tell proxies to cache both the gzipped and regular version of a resource # whenever the client's Accept-Encoding capabilities header varies; # Avoids the issue where a non-gzip capable client (which is extremely rare # today) would display gibberish if their proxy gave them the gzipped version. # Default: off gzip_vary on; # Compress all output labeled with one of the following MIME-types. # `text/html` is always compressed by gzip module. # Default: text/html gzip_types application/atom+xml application/geo+json application/javascript application/x-javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/vnd.ms-fontobject application/wasm application/x-web-app-manifest+json application/xhtml+xml application/xml font/eot font/otf font/ttf image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon text/cache-manifest text/calendar text/css text/javascript text/markdown text/plain text/xml text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # Serve resources with a far-future expiration date. # # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires # https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires map $sent_http_content_type $expires { # Default: Fallback default 1y; # Default: No content "" off; # Specific: Assets ~*image/svg\+xml 1y; ~*image/vnd.microsoft.icon 1w; ~*image/x-icon 1w; # Specific: Manifests ~*application/manifest\+json 1w; ~*text/cache-manifest epoch; # Specific: Data interchange ~*application/atom\+xml 1h; ~*application/rdf\+xml 1h; ~*application/rss\+xml 1h; # Specific: Documents ~*text/html epoch; ~*text/markdown epoch; ~*text/calendar epoch; # Specific: Other ~*text/x-cross-domain-policy 1w; # Generic: Data ~*json epoch; ~*xml epoch; } expires $expires; # Add Cache-Control. map $sent_http_content_type $cache_control { default "public, immutable, stale-while-revalidate"; # No content "" "no-store"; # Manifest files ~*application/manifest\+json "public"; ~*text/cache-manifest ""; # `no-cache` (*) # Assets ~*image/svg\+xml "public, immutable, stale-while-revalidate"; # Data interchange ~*application/(atom|rdf|rss)\+xml "public, stale-while-revalidate"; # Documents ~*text/html "private, must-revalidate"; ~*text/markdown "private, must-revalidate"; ~*text/calendar "private, must-revalidate"; # Data ~*json ""; # `no-cache` (*) ~*xml ""; # `no-cache` (*) } # Add X-Frame-Options for HTML documents. map $sent_http_content_type $x_frame_options { ~*text/html SAMEORIGIN; } # Add Content-Security-Policy for HTML documents. map $sent_http_content_type $content_security_policy { ~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests"; } # Add Permissions-Policy for HTML documents. map $sent_http_content_type $permissions_policy { ~*text/(html|javascript)|application/pdf|xml "accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()"; } # Add Referrer-Policy for HTML documents. map $sent_http_content_type $referrer_policy { ~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin"; } # Add Cross-Origin-Policies for HTML documents. # Cross-Origin-Embedder-Policy map $sent_http_content_type $coep_policy { ~*text/(html|javascript)|application/pdf|xml "require-corp"; } # Cross-Origin-Opener-Policy map $sent_http_content_type $coop_policy { ~*text/(html|javascript)|application/pdf|xml "same-origin"; } # Cross-Origin-Resource-Policy map $sent_http_content_type $corp_policy { ~*text/(html|javascript)|application/pdf|xml "same-origin"; } # Add Access-Control-Allow-Origin. map $sent_http_content_type $cors { # Images ~*image/ "*"; # Web fonts ~*font/ "*"; ~*application/vnd.ms-fontobject "*"; ~*application/x-font-ttf "*"; ~*application/font-woff "*"; ~*application/x-font-woff "*"; ~*application/font-woff2 "*"; } # For services that don't need backward compatibility, the parameters below provide a higher level # of security. # # https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations # https://nginx.org/en/docs/http/ngx_http_ssl_module.html ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers EECDH+CHACHA20:EECDH+AES; ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1; # OCSP is a lightweight, only one record to help clients verify the validity of the server # certificate. OCSP stapling allows the server to send its cached OCSP record during the TLS # handshake, without the need of 3rd party OCSP responder. # # https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling # https://tools.ietf.org/html/rfc6066#section-8 # https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling ssl_stapling on; ssl_stapling_verify on; resolver_timeout 2s; resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] 8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=60s; # Include files in the conf.d folder. # `server` configuration files should be placed in the conf.d folder. # The configurations should be disabled by prefixing files with a dot. include conf.d/*.conf; }