Created
October 7, 2014 20:39
basic nginx config
#######################################################
### copy from Calomel.org /etc/nginx.conf BEGIN
#######################################################
#
# Number of worker processes: either one, or one per _real_ CPU core.
# 4 here corresponds to a 4-core machine.
worker_processes 4;

# Renice the workers so that system processes win when the machine is busy.
# Per the original author, nginx gets at worst ~25% of system resources at
# nice=15.
worker_priority 15;

# Upper bound on open files per worker (left at the built-in default).
#worker_rlimit_nofile 1024;
events {
    # Parallel/concurrent connections allowed per worker process.
    #worker_connections 512;

    # Accept connections serially and hand them to workers; efficient when
    # there is more than one worker.
    #accept_mutex on;

    # How long a worker waits before retrying for the accept mutex when it
    # has not been assigned one (default 500ms).
    #accept_mutex_delay 500ms;
}
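http {

    ## Size Limits
    ## All commented out, so nginx's built-in defaults apply.
    #client_body_buffer_size 8k;
    #client_header_buffer_size 1k;
    #client_max_body_size 1m;
    #large_client_header_buffers 4 4k/8k;

    ## Timeouts: do not keep connections open longer than necessary, to
    ## reduce resource usage and to blunt Slowloris-type slow-request attacks.
    client_body_timeout 5s;    # maximum pause between packets while the client sends nginx data
    client_header_timeout 5s;  # maximum time the client has to send the entire header
    keepalive_timeout 75s;     # how long an idle keep-alive client connection stays open
    send_timeout 15s;          # maximum pause between packets while nginx sends the client data

    ## General Options
    #aio on;                   # asynchronous file I/O, fast with ZFS, make sure sendfile=off
    charset utf-8;             # adds the charset to the "Content-Type" response header, same value as "source_charset"
    default_type application/octet-stream;
    gzip off;                  # no on-the-fly gzip compression (higher latency); only gzip_static is used
    #gzip_http_version 1.0;    # serve gzipped content to all clients including HTTP/1.0
    gzip_static on;            # serve content precompressed (gzip -9) by an external script
    #gzip_vary on;             # send response header "Vary: Accept-Encoding"
    gzip_proxied any;          # allow compressed responses for any request, even from proxies
    ignore_invalid_headers on;
    include /etc/mime.types;
    keepalive_requests 50;     # number of requests per connection, does not affect SPDY
    keepalive_disable none;    # allow all browsers to use keepalive connections
    max_ranges 1;              # allow a single range for resumed downloads; stops large Range-header DoS attacks
    msie_padding off;
    open_file_cache max=1000 inactive=2h;
    open_file_cache_errors on;
    open_file_cache_min_uses 1;
    open_file_cache_valid 1h;
    output_buffers 1 512;
    postpone_output 1440;      # postpone sends to match our machine's MSS
    read_ahead 512K;           # kernel read-ahead, set to the output_buffers
    recursive_error_pages on;
    reset_timedout_connection on;  # reset timed out connections, freeing RAM
    sendfile on;               # on for decent direct disk I/O
    server_tokens off;         # hide the version number in error pages and the Server header
    server_name_in_redirect off;   # if off, nginx uses the requested Host header in redirects
    source_charset utf-8;      # same value as "charset"
    tcp_nodelay on;            # disable Nagle buffering; applies to keepalive connections only
    tcp_nopush off;

    ## Request limits
    ## One bucket per client address, refilled at 60 requests per minute.
    ## NOTE(review): the server below listens on 127.0.0.1 only. If a local
    ## reverse proxy (rather than a packet-filter redirect) fronts it, every
    ## request shares the proxy's address and therefore one bucket -- confirm
    ## how traffic reaches this listener.
    limit_req_zone $binary_remote_addr zone=gulag:1m rate=60r/m;

    ## Log Format
    log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';

    ## Deny access to any host other than (www.)mydomain.com. Only use this
    ## option if you want to lock down the name in the Host header the client
    ## sends.
    ## NOTE(review): server_name "" matches requests that carry no Host
    ## header, and this block has no listen directive, so it would not share
    ## the 127.0.0.1:80 listener used below -- confirm it is reachable and is
    ## the default server before relying on it.
    # server {
    #     server_name "";  #default
    #     return 444;
    # }

    ## Server (www.)mydomain.com
    server {
        ## Headers set here are inherited by a location only if that location
        ## defines no add_header of its own, and without the "always"
        ## parameter (nginx 1.7.5+) they are not attached to error responses.
        add_header Cache-Control "public";
        #add_header Content-Security-Policy "default-src 'none';style-src 'self';img-src 'self' data: ;";
        add_header X-Frame-Options "DENY";
        access_log /var/log/nginx/access.log main buffer=32k;
        error_log /var/log/nginx/error.log error;
        expires max;
        limit_req zone=gulag burst=200 nodelay;
        listen 127.0.0.1:80;
        root /var/www/htdocs;
        # Fixed: the second name was "www.mydomain", which never matches the
        # www.mydomain.com host this server is documented to serve.
        server_name mydomain.com www.mydomain.com;

        # Note: if{} sections are very expensive to process. Only use an if{}
        # block if you really need one. Please take a look lower down on the
        # page for our discussion of if{} statements.

        ## Only allow GET and HEAD request methods. By default nginx blocks
        ## all request types other than GET and HEAD for static content.
        # if ($request_method !~ ^(GET|HEAD)$ ) {
        #     return 405;
        # }

        ## Deny illegal Host headers. The dots are escaped so that "." matches
        ## only a literal dot.
        # if ($host !~* ^(mydomain\.com|www\.mydomain\.com)$ ) {
        #     return 405;
        # }

        ## Deny certain User-Agents (case insensitive)
        ## The ~* makes it case insensitive as opposed to just a ~
        # if ($http_user_agent ~* (Baiduspider|Jullo) ) {
        #     return 405;
        # }

        ## Deny certain Referers (case insensitive)
        ## The ~* makes it case insensitive as opposed to just a ~
        # if ($http_referer ~* (babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|video|webcam|zippo) ) {
        #     return 405;
        # }

        ## Redirect from www to non-www. Query arguments are dropped because
        ## $uri does not include them.
        # if ($host != 'mydomain.com') { return 301 http://mydomain.com$uri; }

        ## Stop Image and Document Hijacking
        ## The pattern ends with "/" and escapes the dot so that a referer on
        ## a look-alike host (mydomain.com.<other domain>) does not pass.
        #location ~* (\.jpg|\.png|\.css)$ {
        #    if ($http_referer !~ ^http://mydomain\.com/ ) {
        #        return 405;
        #    }
        #}

        ## The basic-auth password file lives inside the document root, so
        ## without this exact-match block any client that passes the /secure/
        ## checks could download it. Prefer moving the file outside the root.
        location = /secure/access_list { return 404; }

        ## Restricted Access directory by password in the access_list file.
        ## The client must pass BOTH the address list and basic auth (nginx's
        ## default is "satisfy all").
        ## NOTE(review): this listener is plain HTTP, so basic-auth
        ## credentials are only base64-encoded on this hop -- confirm TLS is
        ## terminated in front. If a local proxy fronts this server, the
        ## "allow 127.0.0.1/32" rule admits every proxied request -- confirm.
        location ^~ /secure/ {
            allow 127.0.0.1/32;
            allow 10.10.10.0/24;
            deny all;
            auth_basic "RESTRICTED ACCESS";
            auth_basic_user_file /var/www/htdocs/secure/access_list;

            # Authenticated content must not inherit the server-wide
            # "Cache-Control: public" / "expires max", which would let shared
            # caches store it. Declaring add_header here drops the inherited
            # headers, so X-Frame-Options is repeated.
            expires off;
            add_header Cache-Control "private, no-store";
            add_header X-Frame-Options "DENY";
        }

        ## Serve an empty 1x1 gif _OR_ an error 204 (No Content) for favicon.ico
        location = /favicon.ico {
            #empty_gif;
            return 204;
        }

        ## System Maintenance (Service Unavailable)
        #location / { try_files system_maintenance.html =503; }

        ## default location
        location / { try_files $uri $uri/ =404; }

        ## All other errors get the generic error page
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497
                   500 501 502 503 504 505 506 507 /error_page.html;
        # "internal" keeps clients from requesting the error page directly.
        location /error_page.html { internal; }
    }
}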
#
#######################################################
### copy from Calomel.org /etc/nginx.conf END
#######################################################