ssl nginx config
#######################################################
### copy from Calomel.org /etc/nginx.conf BEGIN
#######################################################
#
# Process model. Workers run at a lowered scheduling priority so that a
# request flood degrades nginx before it degrades the rest of the host.
worker_processes 4;             # one(1) worker, or the number of _real_ cpu cores (4 = 4-core cpu)
worker_priority 15;             # renice workers below system processes for machine health;
                                # worst case nginx gets ~25% of system resources at nice=15
#worker_rlimit_nofile 1024;     # maximum number of open files per worker

events {
    #worker_connections 512;    # parallel/concurrent connections per worker process
    #accept_mutex on;           # serially accept() connections and hand them to workers; useful if workers > 1
    #accept_mutex_delay 500ms;  # a worker retries the accept mutex after this delay if not assigned (default 500ms)
}
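http {
    ## Size Limits (nginx defaults shown; uncomment to tune). Keep
    ## client_max_body_size small on a static site so request bodies cannot
    ## be used to tie up workers or disk.
    #client_body_buffer_size 8k;
    #client_header_buffer_size 1k;
    #client_max_body_size 1m;
    #large_client_header_buffers 4 8k;   # 4k or 8k per buffer

    ## Timeouts. Do not keep connections open longer than necessary, both to
    ## reduce resource usage and to blunt Slowloris-style slow-request attacks.
    client_body_timeout 4s;        # max pause between packets while the client sends a body
    client_header_timeout 4s;      # max time the client has to send the entire request header
    keepalive_timeout 75s;         # how long an idle keep-alive connection stays open
    send_timeout 24s;              # max pause between packets while nginx sends the response
    # The spdy_* directives (and "spdy" on listen) need a build with the
    # SPDY module, which was removed in nginx 1.9.5 in favour of http2.
    spdy_keepalive_timeout 123s;   # inactivity timeout after which the SPDY connection is closed
    spdy_recv_timeout 4s;          # timeout when nginx expects data from the client but nothing arrives

    ## General Options
    #aio on;                        # asynchronous file I/O, fast with ZFS; requires sendfile off
    charset utf-8;                  # adds charset to the Content-Type response header; same value as source_charset
    default_type application/octet-stream;
    gzip off;                       # no on-the-fly compression (latency); only pre-compressed files via gzip_static
    #gzip_http_version 1.0;         # serve gzipped content to all clients including HTTP/1.0
    gzip_static on;                 # serve .gz files pre-compressed (gzip -9) by an external script
    #gzip_vary on;                  # send "Vary: Accept-Encoding"
    gzip_proxied any;               # allow compressed responses for any request, including via proxies
    ignore_invalid_headers on;      # drop headers with invalid names instead of passing them through
    include /etc/mime.types;
    keepalive_requests 50;          # requests per keep-alive connection; does not affect SPDY
    keepalive_disable none;         # allow all browsers to use keep-alive connections
    max_ranges 1;                   # a single Range per request: resumed downloads work, multi-range DoS does not
    msie_padding off;
    open_file_cache max=1000 inactive=2h;
    open_file_cache_errors on;
    open_file_cache_min_uses 1;
    open_file_cache_valid 1h;
    output_buffers 1 512;
    #postpone_output 1460;          # postpone sends to match this machine's MSS
    read_ahead 512K;                # kernel read-ahead, sized to match output_buffers
    recursive_error_pages on;
    reset_timedout_connection on;   # RST timed-out connections to free memory immediately
    sendfile on;                    # direct disk-to-socket I/O
    server_tokens off;              # no nginx version in error pages or the Server header
    server_name_in_redirect off;    # absolute redirects built by nginx use the request's Host header
    source_charset utf-8;           # same value as "charset"
    tcp_nodelay on;                 # disable Nagle buffering; applies to keep-alive connections only
    tcp_nopush off;

    ## Request limits: one shared zone keyed on the client address, 60 req/min
    ## sustained. Each server below applies it with a burst of 200.
    limit_req_zone $binary_remote_addr zone=gulag:1m rate=60r/m;

    ## Log Format (includes the negotiated cipher and request time)
    log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';

    ## TLS. Forward-secret ECDHE suites only, AEAD (GCM) first. ECDHE means
    ## (Elliptic Curve) Diffie-Hellman Ephemeral. ECDHE-RSA-RC4-SHA has been
    ## dropped: RC4 is prohibited by RFC 7465 and has practical biases
    ## attacks. No DHE suites are listed, so ssl_dhparam is not required.
    # RSA ciphers
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA;
    # ECDSA alternative (Chrome's preferred order, 128-bit first); only valid with an ECDSA certificate.
    #ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA;
    ssl_ecdh_curve secp384r1;       # 384-bit prime curve; matches the SHA384 suites above
    ssl_prefer_server_ciphers on;   # the server's order above wins over the client's
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the
    # original "TLSv1.2 TLSv1.1 TLSv1" list. Add TLSv1.3 here once nginx is
    # >= 1.13.0 and built against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2;
    # Session tickets are encrypted with a key nginx generates at startup and
    # does not rotate (unless ssl_session_ticket_key is managed externally);
    # a leaked key would undo forward secrecy for every session it covers.
    # Resumption still works via the ssl_session_cache set per server.
    ssl_session_tickets off;        # nginx >= 1.5.9
    #ssl_session_timeout 5m;        # SPDY timeout=180sec, keepalive=20sec; connection close=session expires

    ## http .:. redirect everything to https
    server {
        #add_header Alternate-Protocol "443:npn-spdy/3.1";
        add_header Cache-Control "public";
        access_log /var/log/nginx/access.log main buffer=32k;
        error_log /var/log/nginx/error.log error;
        expires max;
        limit_req zone=gulag burst=200 nodelay;
        listen 127.0.0.1:80;
        root /var/empty;
        # Fixed hostname on purpose: building the target from $host would let
        # a client-supplied Host header choose the redirect destination.
        # $request_uri keeps the path and query string exactly as sent;
        # the original $uri is the normalised path and silently drops "?...".
        return 301 https://example.com$request_uri;
    }

    ## https .:. (www.)example.com
    server {
        # Security headers. add_header is inherited from this level only by
        # locations that declare no add_header of their own, and without the
        # "always" flag (nginx >= 1.7.5) it is sent only on 2xx/3xx
        # responses, so error pages do not carry these headers.
        add_header Cache-Control "public";
        #add_header Content-Security-Policy "default-src 'none';style-src 'self';img-src 'self' data: ;";
        add_header X-Content-Type-Options "nosniff";
        add_header X-Frame-Options "DENY";
        add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";
        access_log /var/log/nginx/access.log main;
        error_log /var/log/nginx/error.log info;
        expires max;
        index index.html;
        limit_req zone=gulag burst=200 nodelay;
        listen 127.0.0.1:443 ssl spdy;   # "spdy" requires nginx < 1.9.5; newer builds use http2
        root /var/www/htdocs;
        #server_name example.com www.example.com;
        server_name "";                  # also matches requests with an empty Host; only server on this port

        # SSL certs. "ssl on;" was removed: the ssl parameter on listen
        # already enables TLS, and "ssl on" is deprecated since nginx 1.15.0.
        ssl_session_cache shared:SSL:1m;
        ssl_certificate /ssl_keys/example.com_ssl.crt;       # server certificate followed by intermediates
        ssl_certificate_key /ssl_keys/example.com_ssl.key;   # keep root-owned, mode 0600; read at startup

        # OCSP stapling. Per the nginx docs, ssl_stapling_verify needs the
        # issuer chain in ssl_trusted_certificate to verify the responder's
        # signature, and nginx needs a resolver to look up the OCSP responder
        # host named in the certificate. Without them stapling is not
        # performed and only an error-log message says so.
        ssl_stapling on;
        ssl_stapling_verify on;
        #ssl_trusted_certificate /ssl_keys/example.com_chain.pem;
        #resolver 127.0.0.1 valid=300s;

        # Note: if{} blocks are expensive to evaluate and have well-known
        # pitfalls; only use one when really needed. Examples below are
        # disabled.
        ## Only allow GET and HEAD request methods. By default nginx answers
        ## other methods for static content with 405 anyway.
        # if ($request_method !~ ^(GET|HEAD)$ ) {
        #     return 405;
        # }
        ## Deny illegal Host headers.
        # if ($host !~* ^(mydomain.com|www.mydomain.com)$ ) {
        #     return 405;
        # }
        ## Deny certain User-Agents (case insensitive; ~* vs ~)
        # if ($http_user_agent ~* (Baiduspider|Jullo) ) {
        #     return 405;
        # }
        ## Deny certain Referers (case insensitive; ~* vs ~)
        # if ($http_referer ~* (girl|jewelry|love|nudit|organic|poker|porn|teen|video|webcam|zippo) ) {
        #     return 405;
        # }
        ## Redirect from www to non-www. Note this uses $uri and so drops query arguments.
        # if ($host != 'mydomain.com') { return 301 https://mydomain.com$uri; }
        ## Stop Image and Document Hijacking. As written this also rejects
        ## requests with no Referer at all, and since this site is https the
        ## referring page will be https://..., not http://.
        #location ~* (\.jpg|\.png|\.css)$ {
        #    if ($http_referer !~ ^(http://mydomain.com) ) {
        #        return 405;
        #    }
        #}

        ## Restricted directory: the client must come from an allowed source
        ## address AND present valid basic-auth credentials.
        location ^~ /secure/ {
            satisfy all;                 # both the allow/deny list and auth_basic must pass (the default, made explicit)
            allow 127.0.0.1/32;
            allow 10.10.10.0/24;
            deny all;
            auth_basic "RESTRICTED ACCESS";
            # The password file must live outside the document root. At its
            # original location, /var/www/htdocs/secure/access_list, it was
            # itself served as /secure/access_list to anyone who passed the
            # checks above.
            auth_basic_user_file /etc/nginx/secure_access_list;
            # Authenticated content must not inherit "Cache-Control: public"
            # and "expires max" from the server level. Declaring add_header
            # here stops inheritance of all server-level headers, so the
            # security headers are repeated.
            expires off;
            add_header Cache-Control "no-store";
            add_header X-Content-Type-Options "nosniff";
            add_header X-Frame-Options "DENY";
            add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";
        }

        ## Serve an empty 1x1 gif _OR_ a 204 (No Content) for favicon.ico
        location = /favicon.ico {
            #empty_gif;
            return 204;
        }

        # apple icons: all apple icon requests are served the same local file
        # location ~* /apple-touch-icon(.*)\.png$ { rewrite ^ /apple-touch-icon.png break; }

        ## Default location with a system-maintenance switch: while
        ## /var/www/htdocs/system_maintenance.html exists every request is
        ## answered with that page (as a normal 200, not a 503). try_files
        ## names are appended directly to root, so the page needs its leading
        ## slash, as in the nginx documentation example.
        location / { try_files /system_maintenance.html $uri $uri/ =404; }

        ## All other errors get the generic error page
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497
                   500 501 502 503 504 505 506 507 /error_page.html;
        location /error_page.html { internal; }   # internal: only reachable via error_page, never by a client request
    }
}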
#######################################################
### copy from Calomel.org /etc/nginx.conf END
#######################################################