Script VPS
# Shared PHP/FastCGI snippet: included from a `location ~ \.php$` block.
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# Check that the PHP script exists before passing it
# (=404 answers here for a .php path that does not exist on disk, so that
# request is never handed to PHP-FPM for it to resolve on its own)
try_files $fastcgi_script_name =404;
# Bypass the fact that try_files resets $fastcgi_path_info
# see: http://trac.nginx.org/nginx/ticket/321
set $path_info $fastcgi_path_info;
fastcgi_param PATH_INFO $path_info;
fastcgi_index index.php;
include fastcgi.conf;
# WordPress server-level rules: static-file caching plus deny rules for
# dotfiles, backup/log files and bundled readme/license pages.
location = /favicon.ico {
access_log off;
log_not_found off;
expires max;
}
location = /robots.txt {
# Some WordPress plugin generate robots.txt file
# Refer #340 issue
try_files $uri $uri/ /index.php?$args;
access_log off;
log_not_found off;
}
# Cache static files
# NOTE(review): add_header inside a location replaces, rather than extends,
# any add_header set at server/http level, so security headers defined there
# are not sent for these static responses unless repeated here.
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|woff2|mp4|ttf|ttc|font.css|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf|swf)$ {
# Wildcard CORS on every static type, not only fonts.
add_header "Access-Control-Allow-Origin" "*";
access_log off;
log_not_found off;
expires max;
}
# Security settings for better privacy
# Deny hidden files
# Regex locations are matched in file order and the first match wins, so
# this .well-known exception must stay above the generic /\. deny below.
location ~ /\.well-known {
allow all;
}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
# Deny backup extensions & log files
location ~* ^.+\.(bak|log|old|orig|original|php#|php~|php_bak|save|swo|swp|sql)$ {
deny all;
access_log off;
log_not_found off;
}
# Return 403 forbidden for readme.(txt|html) or license.(txt|html) or example.(txt|html)
# `if` with a bare `return` at server level is one of the safe uses of `if`.
if ($uri ~* "^.+(readme|license|example)\.(txt|html)$") {
return 403;
}
# MIME type map (extension -> Content-Type). Presumably this is the
# /etc/nginx/mime.types file pulled in by nginx.conf; anything not listed
# falls back to the default_type set there.
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;
text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;
image/png png;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;
image/svg+xml svg svgz;
image/webp webp;
application/font-woff woff;
application/font-woff2 woff2;
application/x-font-ttf ttc ttf;
application/x-font-otf otf;
application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.wap.wmlc wmlc;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;
application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;
application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;
audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;
video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
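# Main nginx.conf for the VPS. Virtual hosts are pulled in from
# /etc/nginx/sites-enabled/* at the end of the http block.
user nginx;
worker_processes auto;
events {
#worker_connections 768;
# multi_accept on;
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
##
# Basic Settings
##
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
keepalive_requests 100000;
types_hash_max_size 2048;
types_hash_bucket_size 128;
# Do not advertise the nginx version in the Server header and on error
# pages (this line was commented out, which leaves the default of "on").
server_tokens off;
client_body_buffer_size 128k;
client_max_body_size 10m;
client_header_buffer_size 1k;
large_client_header_buffers 4 4k;
output_buffers 1 32k;
postpone_output 1460;
# NOTE(review): 3m is well above nginx's 60s defaults for these three
# timeouts; slow clients hold a worker connection for that long.
client_header_timeout 3m;
client_body_timeout 3m;
send_timeout 3m;
open_file_cache max=1000 inactive=20s;
open_file_cache_valid 30s;
open_file_cache_min_uses 5;
open_file_cache_errors off;
server_names_hash_bucket_size 64;
#server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##
# Logging Settings
##
# Both log directives are commented out, so the paths compiled into the
# binary apply; set them explicitly if logs are needed for incident review.
#access_log logs/access.log;
#error_log logs/error.log;
##
# Gzip Settings
##
# text/html is always compressed once gzip is on. NOTE(review): if TLS is
# terminated here and pages reflect request data, compressing those
# responses exposes BREACH-style leakage — confirm whether that applies.
gzip on;
gzip_disable "MSIE [1-6]\.";
gzip_vary on;
gzip_min_length 10240;
gzip_proxied expired no-cache no-store private auth;
gzip_types application/x-javascript text/css application/javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon;
##
# Virtual Host Configs
##
#include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}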
# Site-level routing: front-controller fallback to index.php, and the PHP
# handler. Keep the snippet include in the PHP location — its
# `try_files $fastcgi_script_name =404` is what stops requests for
# non-existent .php paths from reaching PHP-FPM.
location / {
#try_files $uri $uri/ /index.php?$args;
try_files $uri $uri/ /index.php$is_args$args;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf; ## or point this at the fastcgi_params file instead
# With php5-fpm:
# (the socket path is specific to PHP 5; other PHP versions use a different
# php*-fpm socket name — check the listen directive in www.conf)
fastcgi_pass unix:/var/run/php5-fpm.sock; ## see config on file www.conf (on php*-fpm directory)
# Prevent 504 Gateway Timeout
fastcgi_read_timeout 360; ## 360 s = 6 minutes (not 10); other example: 3600 (1 hour)
}
###
### GENERAL SYSTEM SECURITY OPTIONS ###
###
# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1
#Allow for more PIDs
kernel.pid_max = 65535
# The contents of /proc/<pid>/maps and smaps files are only visible to
# readers that are allowed to ptrace() the process
# NOTE(review): this key was dropped from mainline kernels long ago; on
# current kernels sysctl reports it as unknown (the rest still applies).
kernel.maps_protect = 1
#Enable ExecShield protection
# NOTE(review): exec-shield is a Red Hat-specific key and does not exist on
# other kernels; randomize_va_space below is the portable part.
kernel.exec-shield = 1
kernel.randomize_va_space = 2
# Default maximum size of a message queue, in bytes
kernel.msgmnb = 65535
# Controls the maximum size of a single message, in bytes
kernel.msgmax = 65535
# Restrict core dumps
fs.suid_dumpable = 0
# Hide exposed kernel pointers
kernel.kptr_restrict = 1
###
### IMPROVE SYSTEM MEMORY MANAGEMENT ###
###
# Increase size of file handles and inode cache
fs.file-max = 209708
# Do less swapping
vm.swappiness = 30
vm.dirty_ratio = 30
vm.dirty_background_ratio = 5
# specifies the minimum virtual address that a process is allowed to mmap
# NOTE(review): many distributions default this to 65536; 4096 is lower than
# that and weakens the guard against mapping the page at address zero.
vm.mmap_min_addr = 4096
# 50% overcommitment of available memory
# overcommit_ratio is only consulted when overcommit_memory = 2; with the
# heuristic mode 0 set below it has no effect.
vm.overcommit_ratio = 50
vm.overcommit_memory = 0
# Set maximum amount of memory allocated to shm to 256MB
# (shmmax is in bytes; shmall is in pages, so the same number means
# something much larger there)
kernel.shmmax = 268435456
kernel.shmall = 268435456
# Keep at least 64MB of free RAM space available
vm.min_free_kbytes = 65535
###
### GENERAL NETWORK SECURITY OPTIONS ###
###
#Prevent SYN attack, enable SYNcookies (they will kick-in when the max_syn_backlog reached)
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_syn_retries = 2
net.ipv4.tcp_synack_retries = 2
net.ipv4.tcp_max_syn_backlog = 4096
# Disables packet forwarding
net.ipv4.ip_forward = 0
net.ipv4.conf.all.forwarding = 0
net.ipv4.conf.default.forwarding = 0
net.ipv6.conf.all.forwarding = 0
net.ipv6.conf.default.forwarding = 0
# Disables IP source routing
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Enable IP spoofing protection, turn on source route verification
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Disable ICMP Redirect Acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Enable Log Spoofed Packets, Source Routed Packets, Redirect Packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Decrease the time default value for tcp_fin_timeout connection
net.ipv4.tcp_fin_timeout = 7
# Decrease the time default value for connections to keep alive
net.ipv4.tcp_keepalive_time = 300
net.ipv4.tcp_keepalive_probes = 5
net.ipv4.tcp_keepalive_intvl = 15
# Don't relay bootp
net.ipv4.conf.all.bootp_relay = 0
# Don't proxy arp for anyone
net.ipv4.conf.all.proxy_arp = 0
# Turn on the tcp_timestamps, accurate timestamp make TCP congestion control algorithms work better
net.ipv4.tcp_timestamps = 1
# Don't ignore directed pings
net.ipv4.icmp_echo_ignore_all = 0
# Enable ignoring broadcasts request
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Enable bad error message Protection
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Allowed local port range
net.ipv4.ip_local_port_range = 16384 65535
# Enable a fix for RFC1337 - time-wait assassination hazards in TCP
net.ipv4.tcp_rfc1337 = 1
# Do not auto-configure IPv6
net.ipv6.conf.all.autoconf=0
net.ipv6.conf.all.accept_ra=0
net.ipv6.conf.default.autoconf=0
net.ipv6.conf.default.accept_ra=0
# The two eth0 keys only exist when an interface by that name is present;
# on hosts with a different interface name they are simply reported as unknown.
net.ipv6.conf.eth0.autoconf=0
net.ipv6.conf.eth0.accept_ra=0
###
### TUNING NETWORK PERFORMANCE ###
###
# Use BBR TCP congestion control and set tcp_notsent_lowat to 16384 to ensure HTTP/2 prioritization works optimally
# Do a 'modprobe tcp_bbr' first (kernel > 4.9)
# Fall-back to htcp if bbr is unavailable (older kernels)
# (both lines are applied in order; if the bbr one fails, htcp stays in effect)
net.ipv4.tcp_congestion_control = htcp
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_notsent_lowat = 16384
# For servers with tcp-heavy workloads, enable 'fq' queue management scheduler (kernel > 3.12)
net.core.default_qdisc = fq
# Turn on the tcp_window_scaling
net.ipv4.tcp_window_scaling = 1
# Increase the read-buffer space allocatable
net.ipv4.tcp_rmem = 8192 87380 16777216
net.ipv4.udp_rmem_min = 16384
net.core.rmem_default = 262144
net.core.rmem_max = 16777216
# Increase the write-buffer-space allocatable
net.ipv4.tcp_wmem = 8192 65536 16777216
net.ipv4.udp_wmem_min = 16384
net.core.wmem_default = 262144
net.core.wmem_max = 16777216
# Increase number of incoming connections
net.core.somaxconn = 32768
# Increase number of incoming connections backlog
net.core.netdev_max_backlog = 16384
net.core.dev_weight = 64
# Increase the maximum amount of option memory buffers
net.core.optmem_max = 65535
# Increase the tcp-time-wait buckets pool size to prevent simple DOS attacks
net.ipv4.tcp_max_tw_buckets = 1440000
# try to reuse time-wait connections, but don't recycle them (recycle can break clients behind NAT)
# NOTE(review): tcp_tw_recycle was removed in kernel 4.12; on newer kernels
# this line is reported as unknown, which is harmless since 0 was the goal.
net.ipv4.tcp_tw_recycle = 0
net.ipv4.tcp_tw_reuse = 1
# Limit number of orphans, each orphan can eat up to 16M (max wmem) of unswappable memory
net.ipv4.tcp_max_orphans = 16384
net.ipv4.tcp_orphan_retries = 0
# Limit the maximum memory used to reassemble IP fragments (CVE-2018-5391)
net.ipv4.ipfrag_low_thresh = 196608
net.ipv6.ip6frag_low_thresh = 196608
net.ipv4.ipfrag_high_thresh = 262144
net.ipv6.ip6frag_high_thresh = 262144
# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
net.ipv4.tcp_moderate_rcvbuf = 1
# Increase size of RPC datagram queue length
net.unix.max_dgram_qlen = 50
# Don't allow the arp table to become bigger than this
net.ipv4.neigh.default.gc_thresh3 = 2048
# Tell the gc when to become aggressive with arp table cleaning.
# Adjust this based on size of the LAN. 1024 is suitable for most /24 networks
net.ipv4.neigh.default.gc_thresh2 = 1024
# Adjust where the gc will leave arp table alone - set to 32.
net.ipv4.neigh.default.gc_thresh1 = 32
# Adjust to arp table gc to clean-up more often
net.ipv4.neigh.default.gc_interval = 30
# Increase neighbour (ARP) proxy and unresolved-entry queue lengths
net.ipv4.neigh.default.proxy_qlen = 96
net.ipv4.neigh.default.unres_qlen = 6
# Enable Explicit Congestion Notification (RFC 3168), disable it if it doesn't work for you
net.ipv4.tcp_ecn = 1
net.ipv4.tcp_reordering = 3
# How many times to retry killing an alive TCP connection
net.ipv4.tcp_retries2 = 15
net.ipv4.tcp_retries1 = 3
# Avoid falling back to slow start after a connection goes idle
# keeps our cwnd large with the keep alive connections (kernel > 3.6)
net.ipv4.tcp_slow_start_after_idle = 0
# Allow the TCP fastopen flag to be used, beware some firewalls do not like TFO! (kernel > 3.7)
net.ipv4.tcp_fastopen = 3
# This will ensure that immediately subsequent connections use the new values
net.ipv4.route.flush = 1
net.ipv6.route.flush = 1