Created
August 24, 2019 00:56
-
-
Save arenadoon/1aab6725e530b492225172c260e6f4c6 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
user www-data; | |
worker_processes 1; # set to number of cores | |
worker_priority 15; # be nice | |
# todo: put these on tmpfs, slow write logs to non-volatile | |
error_log /var/log/nginx/error.log; | |
pid /var/run/nginx.pid; | |
# set open fd limit to 81920 | |
worker_rlimit_nofile 81920; # must be equal or higher as 'worker_processes' * 'worker_connections' | |
events { | |
worker_connections 10240; # 'worker_processes' * 'worker_connections' cannot exceed 'worker_rlimit_nofile' | |
use epoll; | |
multi_accept on; | |
} | |
http { | |
include mime.types; | |
default_type application/octet-stream; | |
index index.html; | |
access_log /var/log/nginx/access.log; | |
access_log off; | |
log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$host" "$request" ' | |
'$status $body_bytes_sent "$http_referer" ' | |
'"$http_user_agent" $request_time'; | |
ssi on; | |
fastcgi_ignore_headers Cache-Control Expires Set-Cookie; | |
# Timeouts, do not keep connections open longer then necessary to reduce | |
# resource usage and deny Slowloris type attacks. | |
client_body_timeout 3s; # maximum time between packets the client can pause when sending nginx any data | |
client_header_timeout 3s; # maximum time the client has to send the entire header to nginx | |
send_timeout 3s; # maximum time between packets nginx is allowed to pause when sending the client data | |
keepalive_timeout 9s; # timeout which a single keep-alive client connection will stay open | |
keepalive_requests 10; # number of requests per connection, does not affect SPDY | |
keepalive_disable none; # allow all browsers to use keepalive connections | |
# General options | |
charset utf-8; # adds the line "Content-Type" into response-header, same as "source_charset" | |
ignore_invalid_headers on; # throws away non-standard headers in the client request | |
max_ranges 0; # disabled to stop range header DoS attacks as resumed downloads are denied | |
msie_padding off; | |
#open_file_cache max=200000 inactive=1m; | |
#open_file_cache_errors off; | |
#open_file_cache_min_uses 2; | |
#open_file_cache_valid 1m; | |
output_buffers 1 512; | |
postpone_output 1440; # postpone sends to match our machine's MSS | |
read_ahead 512K; # kernel read head set to the output_buffers | |
recursive_error_pages on; | |
reset_timedout_connection on; # reset timed out connections freeing ram | |
sendfile off; # on for decent direct disk I/O | |
server_name_in_redirect off; # if off, nginx will use the requested Host header | |
source_charset utf-8; # same value as "charset" | |
tcp_nodelay on; # Nagle buffering algorithm, used for keepalive only | |
tcp_nopush on; # Do not send out partial frames (latency improvements up to 100ms) | |
## | |
# Compression | |
## | |
gzip on; | |
gzip_min_length 1100; | |
gzip_buffers 4 32k; | |
gzip_vary on; | |
gzip_http_version 1.0; | |
gzip_comp_level 5; # 5 has best overall compression vs slightly higher cpu. Depending on server load this can be set to 4. | |
gzip_proxied any; | |
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript application/json; | |
gzip_disable "MSIE [1-6]\.(?!.*SV1)"; | |
server_names_hash_bucket_size 2048; | |
variables_hash_max_size 2048; | |
variables_hash_bucket_size 512; | |
types_hash_max_size 2048; | |
## Size Limits | |
client_body_buffer_size 8k; | |
client_header_buffer_size 1k; | |
client_max_body_size 10m; | |
large_client_header_buffers 4 4k; | |
## | |
# SSL configuration | |
## | |
ssl_session_timeout 1d; | |
ssl_session_cache shared:SSL:10m; | |
ssl_session_tickets off; | |
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits | |
# openssl dhparam -out dhparam.pem 2048 | |
ssl_dhparam /etc/nginx/dhparam.pem; | |
ssl_protocols TLSv1.1 TLSv1.2; | |
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; | |
ssl_prefer_server_ciphers on; | |
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) | |
add_header Strict-Transport-Security max-age=15768000; | |
# OCSP Stapling | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
## verify chain of trust of OCSP response using Root CA and Intermediate certs | |
# actual chain is in each vhost | |
resolver 8.8.8.8 8.8.4.4 valid=86400; | |
resolver_timeout 10; | |
## | |
# Extra security | |
## | |
# don't send the nginx version number in error pages and Server header | |
server_tokens off; | |
# config to don't allow the browser to render the page inside an frame or iframe | |
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking | |
# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri | |
# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options | |
# | |
# Only use if site is on no way used in an iFrame (like Google Analytics layovers) | |
# | |
# add_header X-Frame-Options SAMEORIGIN; | |
# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header, | |
# to disable content-type sniffing on some browsers. | |
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers | |
# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx | |
# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx | |
# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020 | |
add_header X-Content-Type-Options nosniff; | |
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. | |
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for | |
# this particular website if it was disabled by the user. | |
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers | |
add_header X-XSS-Protection "1; mode=block"; | |
## | |
# Virtual Host Configs | |
## | |
include /etc/nginx/conf.d/*.conf; | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment