@igortik
Last active July 15, 2023 04:09
Nginx optimized configuration with DDoS mitigation
user nginx;
# Use one (1) worker process, or one per _real_ CPU core (4 = a 4-core CPU).
worker_processes 4;
# worker_priority is the nice value of the worker processes. -5 raises them
# above default (nice=0) processes; use a positive value such as 15 if you
# would rather have nginx yield to system processes for machine health
# (at nice=15 nginx gets roughly 25% of contended CPU in the worst case).
worker_priority -5;
timer_resolution 100ms;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
worker_rlimit_nofile 100000;

events {
    worker_connections 1024;
    use epoll;
    # Accept as many connections as possible once nginx is notified of a new connection.
    multi_accept on;
}

http {
    server_tokens off;
    server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main buffer=16k;
    # "access_log off" cancels every access_log directive at this level, so the
    # buffered log above is effectively disabled. Remove this line (or enable
    # logging per location) if you need request logs for incident analysis.
    access_log off;

    # Timeouts: do not keep connections open longer than necessary, to reduce
    # resource usage and defeat Slowloris-type attacks.
    # Reset timed-out connections, freeing RAM.
    reset_timedout_connection on;
    # Maximum time between packets the client may pause while sending nginx any data.
    client_body_timeout 10s;
    # Maximum time the client has to send the entire header to nginx.
    client_header_timeout 10s;
    # Time a single keep-alive client connection will stay open.
    keepalive_timeout 65s;
    # Maximum time between packets nginx may pause while sending data to the client.
    send_timeout 10s;
    # Number of requests per connection; does not affect SPDY.
    keepalive_requests 100;

    # Buffers
    fastcgi_buffer_size 128k;
    fastcgi_buffers 256 16k;
    fastcgi_busy_buffers_size 256k;
    fastcgi_temp_file_write_size 256k;
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    fastcgi_read_timeout 150;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    #postpone_output 0;

    gzip on;
    gzip_vary on;
    gzip_comp_level 2;
    gzip_min_length 1000;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain application/json text/xml application/xml;
    gzip_disable "msie6";
    client_max_body_size 20m;

    # FastCGI cache: intended for caching responses to requests that carry no
    # session (i.e. no session initialized by session_start()). The cache is
    # only used where a server/location block references it with fastcgi_cache,
    # and the session-based bypass rules belong in those blocks.
    fastcgi_cache_path /var/cache/nginx/fastcgi_cache levels=1:2 keys_zone=fastcgi_cache:16m max_size=256m inactive=1d;
    fastcgi_temp_path /var/cache/nginx/fastcgi_temp 1 2;

    # DDoS mitigation: per-client-IP state tables keyed on the binary address.
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    # At most 100 simultaneous connections per client IP, applied to every server.
    limit_conn perip 100;
    limit_req_zone $binary_remote_addr zone=engine:10m rate=2r/s;
    limit_req_zone $binary_remote_addr zone=static:10m rate=100r/s;
    # The "engine" and "static" zones only take effect where a limit_req
    # directive references them in a server or location block (e.g. in conf.d).

    include /etc/nginx/conf.d/*.conf;
}
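The gist defines the limit_req zones and the FastCGI cache at the http level but leaves their application to the files included from /etc/nginx/conf.d/. The following server block is an added example of such a file, not part of the gist: it applies the "engine" and "static" zones with bursts, returns 429 instead of the default 503 for throttled clients so rejections are distinguishable from backend outages, and uses the fastcgi_cache zone with a bypass for requests that carry a PHP session cookie or an Authorization header. The hostname, document root, burst sizes and the PHP-FPM socket path unix:/run/php-fpm.sock are assumptions for illustration.

```nginx
# Example /etc/nginx/conf.d/example.conf (added illustration, not from the gist).
# Assumes the http-level zones "perip", "engine", "static" and "fastcgi_cache"
# from nginx.conf. example.com, /var/www/example and the socket path are placeholders.

server {
    listen 80;
    server_name example.com;
    root /var/www/example;
    index index.php index.html;

    # Report throttling as 429 Too Many Requests rather than 503, so that
    # rate-limit rejections do not look like an upstream outage in monitoring.
    limit_req_status 429;
    limit_conn_status 429;

    # Log throttling events at "warn", matching the error_log level in nginx.conf,
    # so they are visible even though the access log is off.
    limit_req_log_level warn;
    limit_conn_log_level warn;

    # Static assets: 100 r/s per IP ("static" zone); absorb bursts of up to 200
    # requests immediately (nodelay), reject anything beyond that.
    location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
        limit_req zone=static burst=200 nodelay;
        expires 7d;
    }

    # Dynamic requests: 2 r/s per IP ("engine" zone). burst=10 queues up to ten
    # excess requests; without nodelay they are released at the zone rate, which
    # smooths legitimate bursts while a flood from one address is held back.
    location ~ \.php$ {
        limit_req zone=engine burst=10;

        include fastcgi_params;                  # standard file shipped with nginx
        fastcgi_pass unix:/run/php-fpm.sock;     # assumed PHP-FPM socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

        # Use the cache zone created by fastcgi_cache_path in nginx.conf.
        fastcgi_cache fastcgi_cache;
        fastcgi_cache_key "$scheme$request_method$host$request_uri";
        fastcgi_cache_valid 200 301 302 10m;
        fastcgi_cache_valid 404 1m;
        # Keep serving cached pages while PHP-FPM is overloaded or erroring.
        fastcgi_cache_use_stale error timeout updating http_500 http_503;
        # Only one request at a time populates a missing cache entry.
        fastcgi_cache_lock on;

        # Never cache, or serve from cache, requests that belong to a session:
        # a PHP session cookie or an Authorization header marks personalised content.
        fastcgi_cache_bypass $cookie_PHPSESSID $http_authorization;
        fastcgi_no_cache $cookie_PHPSESSID $http_authorization;

        # Expose HIT / MISS / BYPASS so the cache policy can be verified.
        add_header X-Cache-Status $upstream_cache_status;
    }
}
```

Validate with `nginx -t` before reloading. On nginx 1.17.1 and later, `limit_req_dry_run on;` logs what would have been throttled without rejecting any request, which is a safer way to size the rate and burst values against real traffic before enforcing them.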
@EsmailELBoBDev2

If you get nginx: [emerg] mkdir() "/var/cache/nginx/fastcgi_cache" failed (2: No such file or directory)
you simply need to create a dir for nginx's cache:

sudo mkdir /var/cache/nginx
sudo chmod 755 /var/cache/nginx
sudo chown www-data:www-data /var/cache/nginx

In my case, the nginx user is named www-data, so it depends on the `user www-data;` variable in your nginx.conf file.

@fastchain

For DDoS mitigation you can also disable gzip, to offload the CPU a bit.
