
@Yinchie
Last active January 6, 2017 22:43
nginx.conf (gist colors) = www.itchy.nl.conf - my optimized Nginx configuration for ghost blog
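# main server
#
# TLS front end for the Ghost blog at www.itchy.nl: proxies and caches page
# requests, restricts the admin paths to localhost, and serves theme assets and
# uploaded images straight from disk.
# $bad_bot, $bad_referer, $bad_urls1-4, $validate_client, $is_spamhaus_drop,
# the MAIN cache zone and the "main" log format are not defined in this file;
# they must be provided elsewhere in the nginx configuration (presumably
# map/geo blocks and proxy_cache_path in the http context).
server {
    listen 443 default_server fastopen=256 ssl http2;
    listen [::]:443 fastopen=256 ssl http2 ipv6only=on;
    charset utf-8;
    server_name www.itchy.nl;
    include /etc/nginx/includes/tls.conf;

    # modify versions being displayed in http header.
    # (more_set_headers is provided by the third-party headers-more module.)
    more_set_headers "Server: www.itchy.nl";
    more_set_headers "X-Powered-By: Vultr - www.vultr.com/?ref=6878145";

    location / {
        # block bad bots, spammers, etc
        # 444 makes nginx close the connection without sending a response.
        # This is the default_server, so requests carrying any other Host
        # header land here too; the dots are escaped so that only the two
        # real host names pass, not look-alikes where "." matches any byte.
        if ($host !~ ^(www\.)?itchy\.nl$ ) { return 444; }
        if ($bad_bot) { return 444; }
        if ($bad_referer) { return 444; }
        if ($bad_urls1) { return 444; }
        if ($bad_urls2) { return 444; }
        if ($bad_urls3) { return 444; }
        if ($bad_urls4) { return 444; }
        if ($validate_client) { return 444; }
        if ($is_spamhaus_drop) { return 444; }
        # Only the methods the public site needs; everything else is dropped.
        if ($request_method !~ ^(GET|HEAD|POST)$ ) { return 444; }
        if ($http_user_agent = "") { return 444; }

        access_log /var/log/nginx/access.log main buffer=1m flush=10s;

        # The upstream's Set-Cookie, X-Accel-Expires, Expires and Cache-Control
        # headers are ignored for caching decisions and Set-Cookie is stripped
        # from responses, so everything served by this location is cached per
        # the proxy_cache_valid rules below and shared between all visitors.
        # NOTE(review): an upstream response that is per-user or marked
        # private would be cached and shared as well; confirm nothing outside
        # the admin location relies on cookies or private responses.
        proxy_ignore_headers Set-Cookie X-Accel-Expires Expires Cache-Control;
        proxy_hide_header Set-Cookie;

        # caching
        proxy_cache MAIN;
        # Fallback lifetime for any status; the more specific lines below
        # set longer lifetimes for the listed codes.
        proxy_cache_valid any 1m;
        proxy_cache_valid 200 301 120m;
        proxy_cache_valid 302 20m;
        proxy_cache_valid 404 10m;
        proxy_cache_revalidate on;
        # Only one request at a time populates a missing cache entry.
        proxy_cache_lock on;
        # Keep serving the stale copy while the upstream is failing or while
        # the entry is being refreshed.
        proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
        # Exposes the cache status (HIT, MISS, ...) to every client.
        add_header X-Proxy-Cache $upstream_cache_status;
        include /etc/nginx/includes/security_headers.conf;
        include /etc/nginx/includes/proxy.conf;
        expires 15m;
    }

    # no caching on the admin page.
    # restrict access to IP address.
    # Only clients whose address is 127.0.0.1 are allowed; everyone else is
    # refused by "deny all". The pattern is a prefix match, so every path that
    # begins with /ghost or /signout is covered. It is matched
    # case-insensitively (~*) so the restriction does not depend on how the
    # upstream treats letter case in paths.
    location ~* ^/(?:ghost|signout) {
        allow 127.0.0.1;
        deny all;
        add_header Cache-Control "no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0";
        expires -1;
        include /etc/nginx/includes/security_headers.conf;
        include /etc/nginx/includes/proxy.conf;
    }

    # to prevent unnecessary overhead on proxy.
    # serve assets right off the filesystem.
    location ^~ /assets/ {
        root /var/www/ghost/content/themes/ycasper;
        log_not_found off;
        # NOTE(review): security_headers.conf is not included in this
        # location or in /content/images/, so whatever headers it sets are
        # presumably absent from these responses; confirm that is intended.
        add_header Cache-Control "public";
        # Serve pre-compressed .br / .gz siblings when the client accepts them
        # (brotli_static is provided by the third-party ngx_brotli module).
        brotli_static on;
        gzip_static on;
        gzip_vary on;

        # serve Webp images over jpg/png for supported clients.
        location ^~ /assets/icons/ {
            add_header Cache-Control "public, no-transform";
            # The variant is selected from the Accept request header (via
            # $webp_suffix), so Accept must be listed in Vary; otherwise a
            # shared cache can hand a .webp body to a client that did not
            # ask for it.
            add_header Vary "Accept, Accept-Encoding";
            try_files $uri$webp_suffix $uri =404;
        }

        expires max;
    }

    # serve images directly right off the filesystem.
    location ^~ /content/images/ {
        root /var/www/ghost;
        log_not_found off;
        add_header Cache-Control "public, no-transform";
        # Negotiated on Accept (see $webp_suffix), so caches must key on it.
        add_header Vary "Accept, Accept-Encoding";
        # serve Webp images over jpg/png for supported clients.
        try_files $uri$webp_suffix $uri =404;
        expires max;
    }

    # serving a few direct files.
    location = /favicon.ico { alias /var/www/ghost/content/themes/ycasper/assets/icons/favicon.ico; }
    location = /browserconfig.xml { alias /var/www/ghost/content/themes/ycasper/assets/icons/browserconfig.xml; }
    location = /pgp.asc { alias /var/www/public/pgp.asc; }
    location = /humans.txt { alias /var/www/public/humans.txt; }
    location = /robots.txt { alias /var/www/public/robots.txt; }

    # 410 gone error for unsupported file extensions.
    # The ^~ prefix locations above take precedence over this regex, so it
    # applies to paths outside /assets/ and /content/images/.
    location ~ \.(aspx|php|jsp|cgi)$ { return 410; }

    # default nginx error pages.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html { root /etc/nginx/html; }
}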
# Chooses the file-name suffix that the try_files lines in the server block
# append when looking for a WebP variant of an image.
# in mime.types add image/webp webp;
map $http_accept $webp_suffix {
    # Accept header mentions "webp" (case-insensitive): try <file>.webp first.
    "~*webp"    ".webp";
    # Anything else: no suffix, so the original file is served.
    default     "";
}