mirror of
https://github.com/deuill/coreos-home-server.git
synced 2024-09-21 13:40:45 +00:00
Alex Palaistras
f877a72e83
This commit contains a fairly large diff for a fairly small change: moving the `config/common` directory to `host/base` to better reflect its intended use, and promoting `config/service` to the root directory. These changes unlock some improvements in `coreos-home-server-update` processes, which will (assuming `/etc/coreos-home-server/base` exists) keep host-wide systemd services in sync in addition to service-specific ones. Changes have been make to the `Makefile` and a few other places where `config/common` was referenced, but most of this work is renames that are not intended to break compatibility with new or running servers.
329 lines
12 KiB
Nginx Configuration File
329 lines
12 KiB
Nginx Configuration File
# Configuration File - Nginx Server Configs
|
|
# https://nginx.org/en/docs/
|
|
|
|
# Run as a unique, less privileged user for security reasons.
|
|
# Default: nobody nobody
|
|
# https://nginx.org/en/docs/ngx_core_module.html#user
|
|
user nginx nginx;
|
|
|
|
# Sets the worker threads to the number of CPU cores available in the system for
|
|
# best performance. Should be > the number of CPU cores.
|
|
# Maximum number of connections = worker_processes * worker_connections
|
|
# Default: 1
|
|
# https://nginx.org/en/docs/ngx_core_module.html#worker_processes
|
|
worker_processes auto;
|
|
|
|
# Maximum number of open files per worker process.
|
|
# Should be > worker_connections.
|
|
# Default: no limit
|
|
# https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
|
|
worker_rlimit_nofile 8192;
|
|
|
|
# Provides the configuration file context in which the directives that affect
|
|
# connection processing are specified.
|
|
# https://nginx.org/en/docs/ngx_core_module.html#events
|
|
events {
|
|
# If you need more connections than this, you start optimizing your OS.
|
|
# That's probably the point at which you hire people who are smarter than you
|
|
# as this is *a lot* of requests.
|
|
# Should be < worker_rlimit_nofile.
|
|
# Default: 512
|
|
# https://nginx.org/en/docs/ngx_core_module.html#worker_connections
|
|
worker_connections 8000;
|
|
}
|
|
|
|
# Log errors and warnings to this file
|
|
# This is only used when you don't override it on a `server` level
|
|
# Default: logs/error.log error
|
|
# https://nginx.org/en/docs/ngx_core_module.html#error_log
|
|
error_log /var/log/nginx/error.log warn;
|
|
|
|
# The file storing the process ID of the main process
|
|
# Default: logs/nginx.pid
|
|
# https://nginx.org/en/docs/ngx_core_module.html#pid
|
|
pid /var/run/nginx.pid;
|
|
|
|
http {
|
|
# Prevent Nginx from sending its version number in the "Server" response header.
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#server_tokens
|
|
server_tokens off;
|
|
|
|
# Serve resources with the proper media types (f.k.a. MIME types).
|
|
# https://www.iana.org/assignments/media-types/media-types.xhtml
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#types
|
|
include mime.types;
|
|
|
|
# Default: text/plain
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#default_type
|
|
default_type application/octet-stream;
|
|
|
|
# Serve all resources labeled as `text/html` or `text/plain` with the media type
|
|
# `charset` parameter set to `UTF-8`.
|
|
# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset
|
|
charset utf-8;
|
|
|
|
# Update charset_types to match updated mime.types. `text/html` is always included by charset module.
|
|
# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
|
|
# https://nginx.org/en/docs/http/ngx_http_charset_module.html#charset_types
|
|
charset_types text/css
|
|
text/plain
|
|
text/vnd.wap.wml
|
|
text/javascript
|
|
text/markdown
|
|
text/calendar
|
|
text/x-component
|
|
text/vcard
|
|
text/cache-manifest
|
|
text/vtt
|
|
application/json
|
|
application/manifest+json;
|
|
|
|
# Include $http_x_forwarded_for within default format used in log files
|
|
# https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
|
|
# Log access to this file
|
|
# This is only used when you don't override it on a `server` level
|
|
# Default: logs/access.log combined
|
|
# https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
|
|
access_log /var/log/nginx/access.log main;
|
|
|
|
# How long to allow each connection to stay idle.
|
|
# Longer values are better for each individual client, particularly for SSL,
|
|
# but means that worker connections are tied up longer.
|
|
# Default: 75s
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
|
|
keepalive_timeout 20s;
|
|
|
|
# The maximum size allowed for request bodies.
|
|
# Default: 1m
|
|
# http://nginx.org/en/docs/http/ngx_http_core_module.html#client_max_body_size
|
|
client_max_body_size 32m;
|
|
|
|
# Speed up file transfers by using `sendfile()` to copy directly between
|
|
# descriptors rather than using `read()`/`write()``.
|
|
# For performance reasons, on FreeBSD systems w/ ZFS this option should be
|
|
# disabled as ZFS's ARC caches frequently used files in RAM by default.
|
|
# Default: off
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
|
|
sendfile on;
|
|
|
|
# Don't send out partial frames; this increases throughput since TCP frames
|
|
# are filled up before being sent out.
|
|
# Default: off
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush
|
|
tcp_nopush on;
|
|
|
|
# Enable gzip compression.
|
|
# https://nginx.org/en/docs/http/ngx_http_gzip_module.html
|
|
# Default: off
|
|
gzip on;
|
|
|
|
# Compression level (1-9).
|
|
# 5 is a perfect compromise between size and CPU usage, offering about 75%
|
|
# reduction for most ASCII files (almost identical to level 9).
|
|
# Default: 1
|
|
gzip_comp_level 5;
|
|
|
|
# Don't compress anything that's already small and unlikely to shrink much if at
|
|
# all (the default is 20 bytes, which is bad as that usually leads to larger
|
|
# files after gzipping).
|
|
# Default: 20
|
|
gzip_min_length 256;
|
|
|
|
# Compress data even for clients that are connecting to us via proxies,
|
|
# identified by the "Via" header (required for CloudFront).
|
|
# Default: off
|
|
gzip_proxied any;
|
|
|
|
# Tell proxies to cache both the gzipped and regular version of a resource
|
|
# whenever the client's Accept-Encoding capabilities header varies;
|
|
# Avoids the issue where a non-gzip capable client (which is extremely rare
|
|
# today) would display gibberish if their proxy gave them the gzipped version.
|
|
# Default: off
|
|
gzip_vary on;
|
|
|
|
# Compress all output labeled with one of the following MIME-types.
|
|
# `text/html` is always compressed by gzip module.
|
|
# Default: text/html
|
|
gzip_types application/atom+xml
|
|
application/geo+json
|
|
application/javascript
|
|
application/x-javascript
|
|
application/json
|
|
application/ld+json
|
|
application/manifest+json
|
|
application/rdf+xml
|
|
application/rss+xml
|
|
application/vnd.ms-fontobject
|
|
application/wasm
|
|
application/x-web-app-manifest+json
|
|
application/xhtml+xml
|
|
application/xml
|
|
font/eot
|
|
font/otf
|
|
font/ttf
|
|
image/bmp
|
|
image/svg+xml
|
|
text/cache-manifest
|
|
text/calendar
|
|
text/css
|
|
text/javascript
|
|
text/markdown
|
|
text/plain
|
|
text/xml
|
|
text/vcard
|
|
text/vnd.rim.location.xloc
|
|
text/vtt
|
|
text/x-component
|
|
text/x-cross-domain-policy;
|
|
|
|
# Serve resources with a far-future expiration date.
|
|
#
|
|
# (!) If you don't control versioning with filename-based cache busting, you
|
|
# should consider lowering the cache times to something like one week.
|
|
#
|
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cache-Control
|
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Expires
|
|
# https://nginx.org/en/docs/http/ngx_http_headers_module.html#expires
|
|
|
|
map $sent_http_content_type $expires {
|
|
default 1M;
|
|
|
|
# No content
|
|
"" off;
|
|
|
|
# CSS
|
|
~*text/css 1y;
|
|
|
|
# Data interchange
|
|
~*application/atom\+xml 1h;
|
|
~*application/rdf\+xml 1h;
|
|
~*application/rss\+xml 1h;
|
|
|
|
~*application/json 0;
|
|
~*application/ld\+json 0;
|
|
~*application/schema\+json 0;
|
|
~*application/geo\+json 0;
|
|
~*application/xml 0;
|
|
~*text/calendar 0;
|
|
~*text/xml 0;
|
|
|
|
# Favicon (cannot be renamed!) and cursor images
|
|
~*image/vnd.microsoft.icon 1w;
|
|
~*image/x-icon 1w;
|
|
|
|
# HTML
|
|
~*text/html 0;
|
|
|
|
# JavaScript
|
|
~*application/javascript 1y;
|
|
~*application/x-javascript 1y;
|
|
~*text/javascript 1y;
|
|
|
|
# Manifest files
|
|
~*application/manifest\+json 1w;
|
|
~*application/x-web-app-manifest\+json 0;
|
|
~*text/cache-manifest 0;
|
|
|
|
# Markdown
|
|
~*text/markdown 0;
|
|
|
|
# Media files
|
|
~*audio/ 1M;
|
|
~*image/ 1M;
|
|
~*video/ 1M;
|
|
|
|
# WebAssembly
|
|
~*application/wasm 1y;
|
|
|
|
# Web fonts
|
|
~*font/ 1M;
|
|
~*application/vnd.ms-fontobject 1M;
|
|
~*application/x-font-ttf 1M;
|
|
~*application/x-font-woff 1M;
|
|
~*application/font-woff 1M;
|
|
~*application/font-woff2 1M;
|
|
|
|
# Other
|
|
~*text/x-cross-domain-policy 1w;
|
|
}
|
|
|
|
expires $expires;
|
|
|
|
# Add X-XSS-Protection for HTML documents.
|
|
# conf/security/x-xss-protection.conf
|
|
map $sent_http_content_type $x_xss_protection {
|
|
~*text/html "1; mode=block";
|
|
}
|
|
|
|
# Add X-Frame-Options for HTML documents.
|
|
# conf/security/x-frame-options.conf
|
|
map $sent_http_content_type $x_frame_options {
|
|
~*text/html SAMEORIGIN;
|
|
}
|
|
|
|
# Add Content-Security-Policy for HTML documents.
|
|
# conf/security/content-security-policy.conf
|
|
map $sent_http_content_type $content_security_policy {
|
|
~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; upgrade-insecure-requests";
|
|
}
|
|
|
|
# Add Referrer-Policy for HTML documents.
|
|
# conf/security/referrer-policy.conf.conf
|
|
map $sent_http_content_type $referrer_policy {
|
|
~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin";
|
|
}
|
|
|
|
# Add X-UA-Compatible for HTML documents.
|
|
# conf/internet_explorer/x-ua-compatible.conf
|
|
map $sent_http_content_type $x_ua_compatible {
|
|
~*text/html "IE=edge";
|
|
}
|
|
|
|
# Add Access-Control-Allow-Origin.
|
|
# conf/cross-origin/requests.conf
|
|
map $sent_http_content_type $cors {
|
|
# Images
|
|
~*image/ "*";
|
|
|
|
# Web fonts
|
|
~*font/ "*";
|
|
~*application/vnd.ms-fontobject "*";
|
|
~*application/x-font-ttf "*";
|
|
~*application/font-woff "*";
|
|
~*application/x-font-woff "*";
|
|
~*application/font-woff2 "*";
|
|
}
|
|
|
|
# For services that don't need backward compatibility, the parameters below provide a higher level
|
|
# of security.
|
|
#
|
|
# https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
|
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers EECDH+CHACHA20:EECDH+AES;
|
|
ssl_ecdh_curve X25519:prime256v1:secp521r1:secp384r1;
|
|
|
|
# OCSP is a lightweight, only one record to help clients verify the validity of the server
|
|
# certificate. OCSP stapling allows the server to send its cached OCSP record during the TLS
|
|
# handshake, without the need of 3rd party OCSP responder.
|
|
#
|
|
# https://wiki.mozilla.org/Security/Server_Side_TLS#OCSP_Stapling
|
|
# https://tools.ietf.org/html/rfc6066#section-8
|
|
# https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
|
|
resolver_timeout 2s;
|
|
resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
|
|
8.8.8.8 8.8.4.4 [2001:4860:4860::8888] [2001:4860:4860::8844] valid=60s;
|
|
|
|
# Include files in the conf.d folder.
|
|
# `server` configuration files should be placed in the conf.d folder.
|
|
# The configurations should be disabled by prefixing files with a dot.
|
|
include conf.d/*.conf;
|
|
}
|