@devster31
Last active December 16, 2021 15:40
OS optimizations for ec2 t2.micro - WIP
# https://www.nginx.com/blog/tuning-nginx/
# Context: events. Per-worker ceiling on simultaneous connections. The count
# includes every connection the worker holds (upstream/FastCGI connections as
# well as clients), so effective client capacity is below worker_processes * 1024.
worker_connections 1024;
# Limit the number of connections NGINX allows, for example from a single client
# IP address. Setting them can help prevent individual clients from opening too
# many connections and consuming too many resources.
server {
# When several limit_conn directives are specified, any configured limit will apply.
# perip caps concurrent connections per client address, perserver caps the whole
# virtual host; both zones are declared below (http context).
limit_conn perip 10;
limit_conn perserver 100;
}
# Status returned once a limit is hit (503 is also nginx's default).
limit_conn_status 503;
# Context: http. 10m of shared memory per zone; the key decides what is counted.
# NOTE(review): $binary_remote_addr is the TCP peer address. If an ELB/proxy sits
# in front of this instance, every client shares the proxy's address and the perip
# limit throttles them all together -- confirm the topology (the realip module
# would be needed to restore the real client address before it is usable as a key).
limit_conn_zone $binary_remote_addr zone=perip:10m;
limit_conn_zone $server_name zone=perserver:10m;
# Limits the amount of bandwidth allowed for a client on a single connection.
# Setting it can prevent the system from being overloaded by certain clients
# and can help to ensure that all clients receive good quality of service.
# NOTE(review): left without an argument -- a placeholder, not a valid directive
# as written; it takes a rate (e.g. `limit_rate 100k;`, a constructed example).
# It is per connection, not per client: a client with several connections gets
# several times the rate.
limit_rate
# Limit the rate of requests being processed by NGINX. As with limit_rate,
# setting them can help prevent the system from being overloaded by certain
# clients and can help to ensure that all clients receive good quality of service.
# They can also be used to improve security, especially for login pages, by
# limiting the request rate so that it is adequate for a human user but too
# slow for programs trying to access your application (such as bots in a DDoS attack).
# If the request rate exceeds the rate configured for a zone, their processing is
# delayed such that requests are processed at a defined rate. Excessive requests are
# delayed until their number exceeds the maximum burst size in which case the request
# is terminated with an error 503 (Service Temporarily Unavailable). By default, the
# maximum burst size is equal to zero.
# limit_req zone=name [burst=number] [nodelay];
# Template: the location has no URI pattern here; fill it in where this is
# applied (e.g. the login location mentioned above). Zone "one" is declared below.
location { limit_req zone=one burst=5; }
limit_req_status 503;
# Context: http. One request per second per client address, 10m of state.
# NOTE(review): same proxy caveat as limit_conn_zone -- behind an ELB all clients
# share one key unless the real client address has been restored first.
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; # or r/m
# parameter to the server directive in an upstream configuration block
# Set the maximum number of simultaneous connections accepted by a server in an
# upstream group. This can help prevent the upstream servers from being overloaded.
# The default is zero, meaning that there is no limit.
# NOTE(review): as written this is not a standalone directive; it is the
# max_conns=N parameter of a `server` line inside `upstream { }` (as the first
# comment above says). Kept here as a reminder only.
max_conns 0;
# If max_conns is set for any upstream server, governs what happens when a request
# cannot be processed because there are no available servers in the upstream group
# and some of those servers have reached the max_conns limit. This directive can be
# set to the number of requests to queue and for how long. If this directive is not
# set, no queuing occurs.
# queue number [timeout=time]; The default value of the timeout parameter is 60 seconds.
# Context: upstream
# NOTE(review): `queue` is documented as part of the commercial subscription
# (NGINX Plus); open-source nginx does not recognise it -- confirm the build
# before relying on this line.
queue 100 timeout=60;
# Compress only responses of at least 10 KB, and never for MSIE 1-6 (commonly
# cited as mishandling gzip). Both lines need `gzip on;` set elsewhere (not in
# this snippet) to have any effect.
# NOTE(review): compressing dynamic TLS responses that echo request data has
# compression-oracle (BREACH) implications; restricting gzip_types to static
# asset types is the usual mitigation -- confirm what gzip_types is set to.
gzip_min_length 10240;
gzip_disable "MSIE [1-6]\.";
# If you're serving a large number of static files you'll benefit from keeping file handles
# to requested files open - this avoids the need to reopen them in the future.
# NOTE: You should only run with this enabled if you're not editing the files at
# the time you're serving them. Because file accesses are cached any 404s will be
# cached too, similarly file-sizes will be cached, and if you change them your served
# content will be out of date.
# Cache up to 2000 descriptors, dropping entries not used for 20s; re-validate an
# entry after 60s; only keep a file once it has been requested 5 times.
open_file_cache max=2000 inactive=20s;
open_file_cache_valid 60s;
open_file_cache_min_uses 5;
# Lookup errors (e.g. missing files) are NOT cached while this is off, so the
# "404s will be cached too" caveat above does not apply to this configuration.
open_file_cache_errors off;
# Template: no URI pattern given; these belong in the PHP location below.
# Buffers for reading the FastCGI response: 128k for the first part (headers)
# and up to 256 x 16k = 4 MB for the body, per request. Anything beyond that
# spills to temp files in 256k writes.
# NOTE(review): 4 MB per in-flight PHP request is generous for a t2.micro; with
# many concurrent requests this can exhaust memory -- size it from measured
# response sizes (a handful of 16k buffers is often enough).
location {
fastcgi_buffer_size 128k;
fastcgi_buffers 256 16k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
}
http {
# from http://stale.coffee/ec2-micro-instance-adventure-nginx-php-mysql.html
# NOTE(review): the zone named here ("CACHE") does not match the keys_zone
# declared below ("WORDPRESS"), which is also the name the php and purge
# locations use -- nginx will not start with an unknown cache zone. Use one name.
fastcgi_cache CACHE;
# Only GET/HEAD responses with status 200 are stored, and only for one minute.
fastcgi_cache_methods GET HEAD;
fastcgi_cache_valid 200 1m;
# $no_cache is computed in the server {} snippet below (POST, query strings,
# admin URLs and logged-in cookies all set it to 1, which skips the cache).
fastcgi_cache_bypass $no_cache;
fastcgi_no_cache $no_cache;
#move next 3 lines to /etc/nginx/nginx.conf if you want to use fastcgi_cache across many sites
# On-disk cache under /var/run (typically tmpfs, so it does not survive a
# reboot -- acceptable for a 60m cache); 500m of shared memory for keys.
fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=WORDPRESS:500m inactive=60m;
# The key covers scheme, method, host and the full URI including query string,
# so http/https and per-host responses are never served for each other.
fastcgi_cache_key "$scheme$request_method$host$request_uri";
# Serve a stale entry rather than an error when the backend is down or slow.
fastcgi_cache_use_stale error timeout invalid_header http_500;
}
server {
#fastcgi_cache start
# $no_cache = 1 means "neither serve from nor store into the cache" (it is wired
# to fastcgi_cache_bypass / fastcgi_no_cache in the http {} snippet above).
set $no_cache 0;
# POST requests and urls with a query string should always go to PHP
if ($request_method = POST) {
set $no_cache 1;
}
if ($query_string != "") {
set $no_cache 1;
}
# Don't cache uris containing the following segments
# NOTE(review): the dots are unescaped, so "." matches any character and the
# patterns are a little broader than written. Harmless here (it only bypasses
# the cache more often) but escape them if this regex is ever reused for access control.
if ($request_uri ~* "(/wp-admin/|/xmlrpc.php|/wp-(app|cron|login|register|mail).php|wp-.*.php|/feed/|index.php|wp-comments-popup.php|wp-links-opml.php|wp-locations.php|sitemap(_index)?.xml|[a-z0-9_-]+-sitemap([0-9]+)?.xml)") {
set $no_cache 1;
}
# Don't use the cache for logged in users or recent commenters
# Keeps personalised pages (admin bar, prefilled comment form) out of the shared cache.
# NOTE(review): nginx also declines to cache responses carrying Set-Cookie by
# default; leave fastcgi_ignore_headers unset so that safeguard stays in place.
if ($http_cookie ~* "comment_author|wordpress_[a-f0-9]+|wp-postpass|wordpress_no_cache|wordpress_logged_in") {
set $no_cache 1;
}
}
# Pass all .php files onto a php-fpm/php-fcgi server.
location ~ [^/]\.php(/|$) {
# Split "/script.php/extra/path" into $fastcgi_script_name and $fastcgi_path_info.
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
# This is a robust solution for path info security issue and works
# with "cgi.fix_pathinfo = 1" in /etc/php.ini (default)
# The script named by the URI must exist on disk or nginx answers 404 itself;
# nothing is forwarded to PHP-FPM for a non-existent .php path.
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
# fastcgi.conf ships with nginx and sets SCRIPT_FILENAME and the other CGI params.
include fastcgi.conf;
fastcgi_index index.php;
# fastcgi_intercept_errors on;
# "php" is an upstream {} name that has to be declared elsewhere (not in this gist).
fastcgi_pass php;
# Options for fcgi cache if enabled
# fastcgi_cache_bypass $no_cache;
# fastcgi_no_cache $no_cache;
# fastcgi_cache WORDPRESS;
# fastcgi_cache_valid 200 60m;
}
# Cache purge endpoint: /purge/<path> evicts the entry whose key is
# $scheme$request_method$host<path> (mirrors fastcgi_cache_key above).
# NOTE(review): with the allow/deny lines commented out this endpoint is open to
# every client, so anyone can evict arbitrary cache entries (a cache-eviction
# denial of service against the PHP backend). Enable the allow/deny pair, or an
# equivalent authentication check, before this goes live. fastcgi_cache_purge
# comes from the third-party ngx_cache_purge module, not stock nginx -- confirm
# it is compiled in.
location ~ /purge(/.*) {
# Uncomment the following two lines to allow purge only from the webserver
#allow 127.0.0.1;
#deny all;
fastcgi_cache_purge WORDPRESS "$scheme$request_method$host$1";
}
# NOTE(review): these three are php-fpm [global] settings, not nginx directives,
# and they are repeated in proper ini form (with "=") in the [global] section at
# the end of this gist. Keep one copy, in php-fpm.conf.
emergency_restart_threshold 10
emergency_restart_interval 1m
process_control_timeout 10s
# from http://engineering.chartbeat.com/2014/01/02/part-1-lessons-learned-tuning-tcp-and-nginx-in-ec2/
# NOTE(review): these values were tuned for large EC2 instances; several are far
# above what a t2.micro (roughly 1 GB RAM) can back, and the second sysctl block
# further down repeats some keys (somaxconn, netdev_max_backlog, rmem/wmem,
# tcp_max_syn_backlog) with different values -- whichever file sysctl loads last
# wins, so reconcile the two before deploying.
# Max receive buffer size (8 Mb)
net.core.rmem_max=8388608
# Max send buffer size (8 Mb)
net.core.wmem_max=8388608
# Default receive buffer size
net.core.rmem_default=65536
# Default send buffer size
net.core.wmem_default=65536
# The first value tells the kernel the minimum receive/send buffer for each TCP connection,
# and this buffer is always allocated to a TCP socket,
# even under high pressure on the system. …
# The second value specified tells the kernel the default receive/send buffer
# allocated for each TCP socket. This value overrides the /proc/sys/net/core/rmem_default
# value used by other protocols. … The third and last value specified
# in this variable specifies the maximum receive/send buffer that can be allocated for a TCP socket.
# Note: The kernel will auto tune these values between the min-max range
# If for some reason you wanted to change this behavior, disable net.ipv4.tcp_moderate_rcvbuf
net.ipv4.tcp_rmem=8192 873800 8388608
net.ipv4.tcp_wmem=4096 655360 8388608
# Units are in page size (default page size is 4 kb)
# These are global variables affecting total pages for TCP
# sockets
# 8388608 * 4 = 32 GB
# low pressure high
# When mem allocated by TCP exceeds “pressure”, kernel will put pressure on TCP memory
# We set all these values high to basically prevent any mem pressure from ever occurring
# on our TCP sockets
# NOTE(review): 32 GB is far beyond this instance's memory; the kernel derives
# tcp_mem from RAM at boot, so on a small instance the default is the safer choice.
net.ipv4.tcp_mem=8388608 8388608 8388608
# Increase max number of sockets allowed in TIME_WAIT
net.ipv4.tcp_max_tw_buckets=6000000
# Increase max half-open connections.
# Only effective if the listen backlog (somaxconn below plus nginx's listen
# backlog=) is raised as well; tcp_syncookies (set in the later block) covers overflow.
net.ipv4.tcp_max_syn_backlog=65536
# Increase max TCP orphans
# These are sockets which have been closed and no longer have a file handle attached to them
net.ipv4.tcp_max_orphans=262144
# Max listen queue backlog
# make sure to increase nginx backlog as well if changed
# (nginx's listen backlog defaults to 511 on Linux; pass backlog=N on the listen line)
net.core.somaxconn = 16384
# Max number of packets that can be queued on interface input
# If kernel is receiving packets faster than can be processed
# this queue increases
net.core.netdev_max_backlog = 16384
# Only retry creating TCP connections twice
# Minimize the time it takes for a connection attempt to fail
# NOTE(review): tcp_syn_retries also caps outgoing connections (e.g. to any
# remote upstream or database); on a lossy path 2 retries may fail to connect at all.
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_syn_retries = 2
# Timeout closing of TCP connections after 7 seconds
# (FIN_WAIT_2 timeout; the kernel default is 60)
net.ipv4.tcp_fin_timeout = 7
# Avoid falling back to slow start after a connection goes idle
# keeps our cwnd large with the keep alive connections
net.ipv4.tcp_slow_start_after_idle = 0
server {
# listens both on IPv4 and IPv6 on 443 and enables HTTPS and HTTP/2 support.
# HTTP/2 is available in nginx 1.9.5 and above.
listen *:443 ssl http2;
listen [::]:443 ssl http2;
# indicate locations of SSL key files.
# NOTE(review): the key is read by the master process; keep it readable only by
# root -- confirm ownership/mode on /srv/www/ssl/ssl.key.
ssl_certificate /srv/www/ssl/ssl.crt;
ssl_certificate_key /srv/www/ssl/ssl.key;
# Custom DH group, used only by the DHE suites (the DH+3DES entry below);
# generate it with at least 2048 bits, or drop the DHE suites and this line.
ssl_dhparam /srv/www/master/ssl/dhparam.pem;
# indicate the server name
server_name example.com *.example.com;
# Enable HSTS. This forces SSL on clients that respect it, most modern browsers. The includeSubDomains flag is optional.
# NOTE(review): add_header is only emitted on 2xx/3xx responses unless the
# `always` parameter is given, and any add_header inside a location {} replaces
# every server-level add_header -- re-add HSTS in such locations. includeSubDomains
# commits every subdomain (the wildcard here and any served elsewhere) to HTTPS.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
# Set caches, protocols, and accepted ciphers. This config will merit an A+ SSL Labs score as of Sept 2015.
# NOTE(review): dated. TLS 1.0 and 1.1 are deprecated (RFC 8996) and 3DES is a
# 64-bit-block cipher (SWEET32); a current baseline is `ssl_protocols TLSv1.2 TLSv1.3;`
# (TLSv1.3 needs a recent nginx/OpenSSL) with DH+3DES removed from ssl_ciphers --
# check client requirements first. Session tickets are left at the default (on)
# with no explicit ssl_session_ticket_key rotation.
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5';
}
# NOTE(review): "(10)" is not sysctl syntax -- it reads as an alternative value
# under consideration; sysctl rejects the line as written. Pick one value.
# Also: sysctl.conf(5) documents only whole-line comments, so the trailing
# "# ..." notes on the value lines below may be handed to the kernel as part of
# the value and rejected -- move them onto their own lines before loading.
vm.swappiness = 20 (10)
# Conflicts with the 16384 set in the previous block.
net.core.somaxconn = 256 # max 512 before nginx backlog needs changing
# NOTE(review): missing value; sysctl rejects an empty assignment. Conflicts
# with the 16384 set in the previous block.
net.core.netdev_max_backlog =
# These socket buffer sizes also conflict with the 8 MB values above.
net.core.rmem_default = 212992
net.core.rmem_max = 212992 # 16777216
net.core.wmem_default = 212992
net.core.wmem_max = 212992 # 16777216
# NOTE(review): starting the ephemeral range at 1024 lets outgoing connections
# land on ports that local services bind above 1024; reserve those with
# net.ipv4.ip_local_reserved_ports or start the range higher.
net.ipv4.ip_local_port_range = 1024 65535
# Enables fast recycling of TIME_WAIT sockets.
# (Use with caution according to the kernel documentation!)
# NOTE(review): tcp_tw_recycle drops connections from clients behind NAT
# (shared addresses fail its per-host timestamp check) and the knob was removed
# in Linux 4.12 -- leave it at 0 / delete the line. tcp_tw_reuse below is the safe one.
net.ipv4.tcp_tw_recycle = 1
# Allow reuse of sockets in TIME_WAIT state for new connections
# only when it is safe from the network stack’s perspective.
net.ipv4.tcp_tw_reuse = 1
# Increase the number of outstanding syn requests allowed.
# c.f. The use of syncookies.
# Conflicts with the 65536 set in the previous block. syncookies=1 lets the
# listener keep accepting under SYN flood once the backlog is full.
net.ipv4.tcp_max_syn_backlog = 4096
net.ipv4.tcp_syncookies = 1
# System-wide open file ceiling; the per-worker limit for nginx is separate
# (worker_rlimit_nofile / the service's ulimit).
fs.file-max = 98236
# Forking servers, like PostgreSQL or Apache, scale to much
# higher levels of concurrent connections if this is made larger,
# by at least an order of magnitude:
kernel.sched_migration_cost_ns = 5000000
# PostgreSQL specific
kernel.sched_autogroup_enabled = 0
# generic noatime for system mounts
# WordPress single site rules.
# Designed to be included in any server {} block.
# This order might seem weird - this is attempted to match last if rules below fail.
# http://wiki.nginx.org/HttpCoreModule
# Front controller: serve the file or directory if it exists, otherwise hand the
# request to index.php with the original query string.
location / {
try_files $uri $uri/ /index.php?$args;
}
# Add trailing slash to */wp-admin requests.
rewrite /wp-admin$ $scheme://$host$uri/ permanent;
# Directives to send expires headers and turn off 404 error logging.
# Static assets: far-future Expires (expires max = Expires in 2037 plus a
# 10-year max-age), no access log entry, and no 404 logging.
# NOTE(review): log_not_found off silences 404s for these extensions, which also
# hides probing for stray .zip/.tar/.gz/.rar backups and .exe files -- make sure
# that loss of signal is acceptable to whoever reads the logs.
location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
access_log off; log_not_found off; expires max;
}
; from http://stale.coffee/ec2-micro-instance-adventure-nginx-php-mysql.html
[global]
; Restart the master if 10 children die with SIGSEGV/SIGBUS within 1 minute;
; give a child 10s to react to a reload/terminate signal before it is killed.
emergency_restart_threshold = 10
emergency_restart_interval = 1m
process_control_timeout = 10s
[www]
; Unix socket instead of TCP: unreachable from the network, access governed by
; the socket file mode below (owner/group nginx rw; others read-only, and a
; connect needs write). nginx's fastcgi_pass must point at this same path.
listen = /var/run/php-fpm/php-fpm.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0664
; NOTE(review): the pool runs as the same account as the web server, so PHP can
; write anything nginx can and vice versa; a dedicated pool user with the socket
; group-owned by nginx gives some separation -- confirm this trade-off.
user = nginx
group = nginx
; NOTE(review): `pm` (static|dynamic|ondemand) is not set here; php-fpm documents
; it as mandatory and the *_servers keys only apply to dynamic -- confirm it is
; set elsewhere in this pool. 20 children x 64M memory_limit is up to ~1.3 GB of
; PHP, more than a t2.micro has; size max_children from measured per-child RSS.
pm.max_children = 20
pm.start_servers = 5
pm.min_spare_servers = 5
pm.max_spare_servers = 20
; Recycle each child after 200 requests (bounds leaks in extensions).
pm.max_requests = 200
; Admin value: scripts cannot raise it with ini_set().
php_admin_value[memory_limit] = 64M