
@alex2006hw
Created October 7, 2014 20:39
basic nginx config
#######################################################
### copied from the Calomel.org sample /etc/nginx.conf — BEGIN
#######################################################
#
worker_processes 4;         # use 1, or the number of physical CPU cores (here: a 4-core box)
worker_priority 15;         # nice the workers so system processes win under load; at
                            # nice=15 nginx gets roughly a quarter of the CPU in the worst case
#worker_rlimit_nofile 1024; # cap on open file descriptors per worker (uncomment to override)
events {
    #worker_connections 512;    # concurrent connections each worker may hold open
    #accept_mutex on;           # workers take turns calling accept(); worthwhile with more than one worker
    #accept_mutex_delay 500ms;  # how long a worker waits before retrying the mutex (500ms is the default)
}
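http {
    ## Size limits (compiled-in defaults; uncomment to override)
    #client_body_buffer_size 8k;
    #client_header_buffer_size 1k;
    #client_max_body_size 1m;            # larger request bodies are answered with 413
    #large_client_header_buffers 4 8k;   # default is "4 8k"; the earlier "4 4k/8k" is not valid syntax

    ## Timeouts: do not keep connections open longer than necessary, both to
    ## reduce resource usage and to blunt Slowloris-style slow-request attacks.
    client_body_timeout 5s;     # max pause between two packets of a request body
    client_header_timeout 5s;   # max time the client has to send the complete request header
    keepalive_timeout 75s;      # how long an idle keep-alive connection stays open
    send_timeout 15s;           # max pause between two packets nginx sends to the client

    ## General options
    #aio on;                    # asynchronous file I/O; fast on ZFS, but requires sendfile=off
    charset utf-8;              # appends the charset to Content-Type; keep equal to "source_charset"
    default_type application/octet-stream;
    gzip off;                   # no on-the-fly compression (adds latency); serve precompressed files instead
    #gzip_http_version 1.0;     # serve gzipped content to all clients including HTTP/1.0
    gzip_static on;             # serve "file.gz" when present; precompress with an external script (gzip -9)
    #gzip_vary on;              # emit "Vary: Accept-Encoding" so shared caches key on the encoding
    gzip_proxied any;           # allow compressed responses for requests arriving via proxies
    ignore_invalid_headers on;
    include /etc/mime.types;
    keepalive_requests 50;      # requests served per keep-alive connection (does not affect SPDY)
    keepalive_disable none;     # allow keep-alive for every browser
    max_ranges 1;               # one Range per request: enough for resumed downloads, blocks multi-range DoS
    msie_padding off;
    open_file_cache max=1000 inactive=2h;
    open_file_cache_errors on;
    open_file_cache_min_uses 1;
    open_file_cache_valid 1h;
    output_buffers 1 512;
    postpone_output 1440;       # postpone sends to match the machine's MSS
    read_ahead 512K;            # kernel read-ahead, sized like output_buffers
    recursive_error_pages on;
    reset_timedout_connection on;   # RST timed-out connections instead of lingering, freeing memory
    sendfile on;                # direct disk-to-socket copies for static files
    server_tokens off;          # hide the nginx version in error pages and the Server header
    server_name_in_redirect off;    # redirects use the client's Host header rather than server_name
    source_charset utf-8;       # keep equal to "charset"
    tcp_nodelay on;             # disable Nagle buffering on keep-alive connections
    tcp_nopush off;

    ## Request limits: 60 requests/minute per client address, tracked in a 1 MB zone
    limit_req_zone $binary_remote_addr zone=gulag:1m rate=60r/m;

    ## Log format ($ssl_cipher stays empty until a TLS listener is configured)
    log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';

    ## Catch-all: drop requests whose Host header matches no configured
    ## server_name. Without it the first server{} below answers for every
    ## Host, so its server_name list is not actually enforced. The listen
    ## must match the real server's and carry "default_server"; 444 closes
    ## the connection without sending a response.
    # server {
    #     listen 127.0.0.1:80 default_server;
    #     server_name _;
    #     return 444;
    # }

    ## Server (www.)mydomain.com
    server {
        ## Response headers. add_header is NOT inherited into a location{}
        ## that sets its own add_header, so such a location must repeat the
        ## headers it still wants (see /secure/ below). "expires max" already
        ## emits a Cache-Control max-age; the add_header adds a second
        ## Cache-Control value, "public", for the static content.
        add_header Cache-Control "public";
        #add_header Content-Security-Policy "default-src 'none';style-src 'self';img-src 'self' data: ;";
        add_header X-Frame-Options "DENY";           # never allow framing (clickjacking)
        add_header X-Content-Type-Options "nosniff"; # browsers must honour the declared Content-Type
        access_log /var/log/nginx/access.log main buffer=32k;
        error_log /var/log/nginx/error.log error;
        expires max;                         # far-future Expires + Cache-Control max-age for static files
        limit_req zone=gulag burst=200 nodelay;
        listen 127.0.0.1:80;                 # loopback only; change to the public address to serve clients
        root /var/www/htdocs;
        server_name mydomain.com www.mydomain.com;   # was "www.mydomain", which never matches the real host

        ## Note: if{} blocks are expensive to evaluate and easy to get wrong.
        ## Only use one when you really need it.
        ## Only allow GET and HEAD. nginx already refuses other methods for
        ## static content, so this is normally redundant.
        # if ($request_method !~ ^(GET|HEAD)$ ) {
        #     return 405;
        # }
        ## Deny illegal Host headers (dots escaped so they match literally).
        # if ($host !~* ^(mydomain\.com|www\.mydomain\.com)$ ) {
        #     return 405;
        # }
        ## Deny certain User-Agents; "~*" matches case-insensitively, "~" is case-sensitive.
        # if ($http_user_agent ~* (Baiduspider|Jullo) ) {
        #     return 405;
        # }
        ## Deny certain Referers; "~*" matches case-insensitively, "~" is case-sensitive.
        # if ($http_referer ~* (babes|click|diamond|forsale|girl|jewelry|love|nudit|organic|poker|porn|poweroversoftware|sex|teen|video|webcam|zippo) ) {
        #     return 405;
        # }
        ## Redirect www to non-www. "return" with a URL drops the query
        ## string; append $is_args$args to the target to keep it.
        # if ($host != 'mydomain.com') { return 301 http://mydomain.com$uri; }
        ## Stop image and document hotlinking. Referer is client-controlled,
        ## so this only deters casual hotlinking; as written it also rejects
        ## https:// referers from the site itself.
        #location ~* (\.jpg|\.png|\.css)$ {
        #    if ($http_referer !~ ^(http://mydomain\.com) ) {
        #        return 405;
        #    }
        #}

        ## Restricted directory: the client must come from an allowed address
        ## AND present valid basic-auth credentials ("satisfy all" is the
        ## default). Basic auth sends the password base64-encoded in the
        ## clear, so only expose this location over TLS.
        location ^~ /secure/ {
            allow 127.0.0.1/32;
            allow 10.10.10.0/24;
            deny all;
            auth_basic "RESTRICTED ACCESS";
            # The credential file must live OUTSIDE root. The original path,
            # /var/www/htdocs/secure/access_list, sat inside this very
            # location, so nginx would serve the password hashes to any
            # client that passed the allow list and the auth prompt.
            auth_basic_user_file /etc/nginx/secure_access_list;
            # Authenticated responses must not be stored by shared caches;
            # the server-level "public" + "expires max" would permit that.
            # Setting add_header here drops the server-level headers, so the
            # ones still wanted are repeated.
            expires off;
            add_header Cache-Control "no-store";
            add_header X-Frame-Options "DENY";
            add_header X-Content-Type-Options "nosniff";
        }

        ## favicon.ico: answer 204 (No Content) instead of logging a 404 per
        ## browser; "empty_gif" would return a 1x1 transparent gif instead.
        location = /favicon.ico {
            #empty_gif;
            return 204;
        }

        ## System maintenance: uncomment to serve the maintenance page for
        ## every URI. try_files paths are relative to root and need the
        ## leading slash. Note the page is served with status 200; "=503"
        ## only fires when the file is missing. For a real 503 use
        ## "return 503;" together with "error_page 503 /system_maintenance.html;".
        #location / { try_files /system_maintenance.html =503; }

        ## Default location: the file, then the directory, else 404.
        location / { try_files $uri $uri/ =404; }

        ## Every error gets the same generic page. The page is "internal",
        ## so it cannot be requested directly (a direct hit is a 404).
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497
                   500 501 502 503 504 505 506 507 /error_page.html;
        location /error_page.html { internal; }
    }
}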
#
#######################################################
### copied from the Calomel.org sample /etc/nginx.conf — END
#######################################################