arenadoon/nginx.conf

## nginx.conf
user www-data;
worker_processes 1; # set to number of cores
worker_priority  15; # be nice

# todo: put these on tmpfs, slow write logs to non-volatile
error_log  /var/log/nginx/error.log;
pid        /var/run/nginx.pid;

# set open fd limit to 81920
worker_rlimit_nofile 81920; # must be equal or higher as 'worker_processes' * 'worker_connections'

events {
        worker_connections 10240; # 'worker_processes' * 'worker_connections' cannot exceed 'worker_rlimit_nofile'
        use epoll;
        multi_accept on;
}

http {
        include                   mime.types;
        default_type              application/octet-stream;
        index index.html;

        access_log  /var/log/nginx/access.log;
	access_log off;
	log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$host" "$request" '
            '$status $body_bytes_sent "$http_referer" '
            '"$http_user_agent" $request_time';

	ssi on;

	fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

        # Timeouts, do not keep connections open longer then necessary to reduce
        # resource usage and deny Slowloris type attacks.
        client_body_timeout       3s; # maximum time between packets the client can pause when sending nginx any data
        client_header_timeout     3s; # maximum time the client has to send the entire header to nginx
        send_timeout              3s; # maximum time between packets nginx is allowed to pause when sending the client data
        keepalive_timeout         9s; # timeout which a single keep-alive client connection will stay open
        keepalive_requests        10;  # number of requests per connection, does not affect SPDY
        keepalive_disable         none; # allow all browsers to use keepalive connections

        # General options
        charset                   utf-8; # adds the line "Content-Type" into response-header, same as "source_charset"
        ignore_invalid_headers    on; # throws away non-standard headers in the client request
        max_ranges                0; # disabled to stop range header DoS attacks as resumed downloads are denied
        msie_padding              off;
        #open_file_cache           max=200000 inactive=1m;
        #open_file_cache_errors    off;
        #open_file_cache_min_uses  2;
        #open_file_cache_valid     1m;
        output_buffers            1 512;
        postpone_output           1440;   # postpone sends to match our machine's MSS
        read_ahead                512K;   # kernel read head set to the output_buffers
        recursive_error_pages     on;
        reset_timedout_connection on;  # reset timed out connections freeing ram
        sendfile                  off;  # on for decent direct disk I/O
        server_name_in_redirect   off; # if off, nginx will use the requested Host header
        source_charset            utf-8; # same value as "charset"
        tcp_nodelay               on; # Nagle buffering algorithm, used for keepalive only
        tcp_nopush                on; # Do not send out partial frames (latency improvements up to 100ms)

        ##
        # Compression
        ##

        gzip                      on;
        gzip_min_length           1100;
        gzip_buffers              4 32k;
        gzip_vary                 on;
        gzip_http_version         1.0;
        gzip_comp_level           5; # 5 has best overall compression vs slightly higher cpu. Depending on server load this can be set to 4.
        gzip_proxied              any;
        gzip_types                text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/json;
        gzip_disable              "MSIE [1-6]\.(?!.*SV1)";

        server_names_hash_bucket_size 2048;
        variables_hash_max_size       2048;
        variables_hash_bucket_size    512;
        types_hash_max_size           2048;

        ## Size Limits
        client_body_buffer_size       8k;
        client_header_buffer_size     1k;
        client_max_body_size          10m;
        large_client_header_buffers   4 4k;

	##
	# SSL configuration
	##

	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
    	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    	# openssl dhparam -out dhparam.pem 2048
	ssl_dhparam /etc/nginx/dhparam.pem;

	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	ssl_prefer_server_ciphers on;

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	add_header Strict-Transport-Security max-age=15768000;

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;

	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	# actual chain is in each vhost
	resolver 8.8.8.8 8.8.4.4 valid=86400;
	resolver_timeout 10;

        ##
        # Extra security
        ##

        # don't send the nginx version number in error pages and Server header
        server_tokens off;

        # config to don't allow the browser to render the page inside an frame or iframe
        # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
        # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
        # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
        #
        # Only use if site is on no way used in an iFrame (like Google Analytics layovers)
        #
        # add_header X-Frame-Options SAMEORIGIN;

        # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
        # to disable content-type sniffing on some browsers.
        # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
        # currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
        # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
        # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
        add_header X-Content-Type-Options nosniff;

        # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
        # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
        # this particular website if it was disabled by the user.
        # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
        add_header X-XSS-Protection "1; mode=block";

        ##
        # Virtual Host Configs
        ##
        include /etc/nginx/conf.d/*.conf;
}
	user www-data;
	worker_processes 1; # set to number of cores
	worker_priority 15; # be nice

	# todo: put these on tmpfs, slow write logs to non-volatile
	error_log /var/log/nginx/error.log;
	pid /var/run/nginx.pid;

	# set open fd limit to 81920
	worker_rlimit_nofile 81920; # must be equal or higher as 'worker_processes' * 'worker_connections'

	events {
	worker_connections 10240; # 'worker_processes' * 'worker_connections' cannot exceed 'worker_rlimit_nofile'
	use epoll;
	multi_accept on;
	}

	http {
	include mime.types;
	default_type application/octet-stream;
	index index.html;

	access_log /var/log/nginx/access.log;
	access_log off;
	log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$host" "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" $request_time';

	ssi on;

	fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

	# Timeouts, do not keep connections open longer then necessary to reduce
	# resource usage and deny Slowloris type attacks.
	client_body_timeout 3s; # maximum time between packets the client can pause when sending nginx any data
	client_header_timeout 3s; # maximum time the client has to send the entire header to nginx
	send_timeout 3s; # maximum time between packets nginx is allowed to pause when sending the client data
	keepalive_timeout 9s; # timeout which a single keep-alive client connection will stay open
	keepalive_requests 10; # number of requests per connection, does not affect SPDY
	keepalive_disable none; # allow all browsers to use keepalive connections

	# General options
	charset utf-8; # adds the line "Content-Type" into response-header, same as "source_charset"
	ignore_invalid_headers on; # throws away non-standard headers in the client request
	max_ranges 0; # disabled to stop range header DoS attacks as resumed downloads are denied
	msie_padding off;
	#open_file_cache max=200000 inactive=1m;
	#open_file_cache_errors off;
	#open_file_cache_min_uses 2;
	#open_file_cache_valid 1m;
	output_buffers 1 512;
	postpone_output 1440; # postpone sends to match our machine's MSS
	read_ahead 512K; # kernel read head set to the output_buffers
	recursive_error_pages on;
	reset_timedout_connection on; # reset timed out connections freeing ram
	sendfile off; # on for decent direct disk I/O
	server_name_in_redirect off; # if off, nginx will use the requested Host header
	source_charset utf-8; # same value as "charset"
	tcp_nodelay on; # Nagle buffering algorithm, used for keepalive only
	tcp_nopush on; # Do not send out partial frames (latency improvements up to 100ms)

	##
	# Compression
	##

	gzip on;
	gzip_min_length 1100;
	gzip_buffers 4 32k;
	gzip_vary on;
	gzip_http_version 1.0;
	gzip_comp_level 5; # 5 has best overall compression vs slightly higher cpu. Depending on server load this can be set to 4.
	gzip_proxied any;
	gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/json;
	gzip_disable "MSIE [1-6]\.(?!.*SV1)";

	server_names_hash_bucket_size 2048;
	variables_hash_max_size 2048;
	variables_hash_bucket_size 512;
	types_hash_max_size 2048;

	## Size Limits
	client_body_buffer_size 8k;
	client_header_buffer_size 1k;
	client_max_body_size 10m;
	large_client_header_buffers 4 4k;

	##
	# SSL configuration
	##

	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	# openssl dhparam -out dhparam.pem 2048
	ssl_dhparam /etc/nginx/dhparam.pem;

	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	ssl_prefer_server_ciphers on;

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	add_header Strict-Transport-Security max-age=15768000;

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;

	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	# actual chain is in each vhost
	resolver 8.8.8.8 8.8.4.4 valid=86400;
	resolver_timeout 10;

	##
	# Extra security
	##

	# don't send the nginx version number in error pages and Server header
	server_tokens off;

	# config to don't allow the browser to render the page inside an frame or iframe
	# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
	# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
	# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
	#
	# Only use if site is on no way used in an iFrame (like Google Analytics layovers)
	#
	# add_header X-Frame-Options SAMEORIGIN;

	# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
	# to disable content-type sniffing on some browsers.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
	# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
	# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
	add_header X-Content-Type-Options nosniff;

	# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
	# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
	# this particular website if it was disabled by the user.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	add_header X-XSS-Protection "1; mode=block";

	##
	# Virtual Host Configs
	##
	include /etc/nginx/conf.d/*.conf;
	}