|
# nginx.conf - base config for nginx web server |
|
# This file is written by config management: |
|
# ANY CHANGES WILL BE OVERWRITTEN |
|
|
|
# This file includes all nginx default directive values in comments. |
|
# Non-default settings should explain why they are made, ideally |
|
# including business value and ticket number. This file is not the |
|
# place document what any particular directive does. Documentation |
|
# for all directives lives at http://nginx.org/en/docs/dirindex.html |
|
|
|
# daemon on; |
|
# user nobody nobody; # nginx default |
|
user www-data; # debian default, allow writing files |
|
# pid nginx.pid; |
|
pid /var/run/nginx.pid; # LSB |
|
# lock_file logs/nginx.lock; |
|
# working_directory -; |
|
# env TZ; |
|
|
|
# error_log logs/error.log error; # nginx default |
|
error_log /var/log/nginx/error.log; # debian default, LSB |
|
|
|
# debug_points -; |
|
# pcre_jit off; |
|
# ssl_engine -; |
|
# timer_resolution -; |
|
|
|
# master_process on; |
|
# worker_cpu_affinity -; |
|
# worker_priority 0; |
|
# worker_processes 1; # nginx default |
|
# worker_processes 4; # debian default |
|
# worker_processes auto; # v1.3.8+, do not require uniq config for different sized servers |
|
# worker_rlimit_core -; |
|
# worker_rlimit_nofile -; |
|
# worker_rlimit_sigpending -; |
|
|
|
events { |
|
# accept_mutex on; |
|
# accept_mutex_delay 500ms; |
|
# debug_connection -; |
|
# multi_accept off; |
|
# use -; # autoselect fastest |
|
# worker_aio_requests 32; |
|
# worker_connections 512; # nginx default |
|
# worker_connections 768; # debian default |
|
} |
|
|
|
http { |
|
## Content ## |
|
# error_page -; |
|
# disable_symlinks off; |
|
# recursive_error_pages off; |
|
# root html; |
|
root /var/www; # LSB |
|
# satisfy all; |
|
# satisfy_any off; |
|
# types { |
|
# text/html html; |
|
# image/gif gif; |
|
# image/jpeg jpg; |
|
# } |
|
include mime.types; |
|
# default_type text/plain; # nginx default |
|
default_type application/octet-stream; # debian default, download files, don't display in-browser as text |
|
# charset off; |
|
charset utf-8; # when in doubt, UTF-8 |
|
|
|
## GZip ## |
|
# gzip off; # nginx default |
|
gzip on; # debian default |
|
# gzip_disable -; |
|
gzip_disable msie6; # support msie6 users ;_; |
|
# gzip_vary off; |
|
gzip_vary on; # Vary: Accept-Encoding is good HTTP |
|
# gzip_proxied off; |
|
gzip_proxied any; # Assume proxies are not broken |
|
# gzip_comp_level 1; |
|
gzip_comp_level 6; # default for gzip command |
|
# gzip_min_length 20; |
|
# gzip_buffers 32 4k|16 8k; |
|
# gzip_http_version 1.1; |
|
# gzip_types text/html; |
|
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; # common text context types |
|
|
|
## Body ## |
|
# client_max_body_size 1m; |
|
# client_body_in_file_only off; |
|
# client_body_temp_path client_body_temp; |
|
# client_body_timeout 60s; |
|
|
|
## Headers ## |
|
# etag on; |
|
# if_modified_since exact; |
|
if_modified_since before; # intelligent IfModifiedSince is good HTTP |
|
# server_tokens on; |
|
server_tokens off; # reduce server fingerprinting |
|
# client_header_timeout 60s; |
|
# port_in_redirect on; |
|
# server_name_in_redirect off; |
|
# underscores_in_headers off; |
|
# ignore_invalid_headers on; |
|
|
|
## HTTP ## |
|
# chunked_transfer_encoding on; |
|
# keepalive_disable msie6; |
|
# keepalive_requests 100; |
|
# keepalive_timeout 75s; # nginx default |
|
# keepalive_timeout 65s; # debian default |
|
# merge_slashes on; |
|
# msie_padding on; |
|
# msie_refresh off; |
|
|
|
## SSL ## |
|
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
|
ssl_protocols TLSv1.1 TLSv1.2; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility |
|
# ssl_ciphers HIGH:!aNULL:!MD5; # nginx |
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility |
|
# ssl_prefer_server_ciphers off; |
|
ssl_prefer_server_ciphers on; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility |
|
ssl_dhparam /etc/nginx/ssl/dhparam.pem; |
|
# ssl_ecdh_curve prime256v1; |
|
# ssl_stapling off; |
|
ssl_stapling on; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility |
|
# ssl_stapling_verify off; |
|
ssl_stapling_verify on; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility |
|
# ssl_trusted_certificate -; |
|
# ssl_session_tickets on; |
|
# ssl_session_ticket_key -; |
|
# ssl_session_cache none; |
|
ssl_session_cache shared:SSL:10m; # nginx recomendation |
|
# ssl_session_timeout 5m; |
|
ssl_session_timeout 10m; # nginx recomendation |
|
# ssl_verify_client off; |
|
# ssl_verify_depth 1; |
|
# ssl_client_certificate -; |
|
# ssl_crl -; |
|
# ssl_buffer_size 16k; |
|
# ssl_password_file -; |
|
|
|
## Logging ## |
|
# log_not_found on; |
|
# |
|
# log_format combined '$remote_addr - $remote_user [$time_local] ' |
|
# '"$request" $status $body_bytes_sent ' |
|
# '"$http_referer" "$http_user_agent"'; |
|
# access_log logs/access.log combined; # nginx default |
|
access_log /var/log/nginx/access.log; # debian default, LSB |
|
# access_log syslog:server=unix:/dev/log; # v1.7.1+, syslog |
|
# log_subrequest off; |
|
# open_log_file_cache off; |
|
# error_log logs/error.log error; # nginx default |
|
# error_log /var/log/nginx/error.log; # debian default |
|
# error_log syslog:server=unix:/dev/log; # v1.7.1+, syslog |
|
|
|
## System Calls ## |
|
# aio off; |
|
# aio sendfile; # FreeBSD only |
|
# directio off; |
|
# directio_alignment 512; |
|
# sendfile off; # nginx default |
|
sendfile on; # debian default, less memory usage for small files |
|
# read_ahead 0; |
|
# send_lowat 0; |
|
# sendfile_max_chunk 0; |
|
|
|
## Network stack ## |
|
# tcp_nodelay on; |
|
# tcp_nopush off; # nginx default |
|
tcp_nopush on; # debian default |
|
# reset_timedout_connection off; |
|
# resolver -; |
|
resolver 8.8.4.4 8.8.8.8 valid=300s; # for ocsp stapling |
|
# resolver_timeout 30s; |
|
|
|
## Memory ## |
|
# client_body_buffer_size 16k; |
|
# client_body_in_single_buffer off; |
|
# client_header_buffer_size 1k; |
|
# large_client_header_buffers 4 8k; |
|
# output_buffers 1 32k; |
|
# open_file_cache off; |
|
# open_file_cache_errors off; |
|
# open_file_cache_min_uses 1; |
|
# open_file_cache_valid 60s; |
|
# request_pool_size 4k; |
|
# server_names_hash_bucket_size 32|64|128; |
|
# server_names_hash_max_size 512; |
|
# types_hash_bucket_size 64; |
|
# types_hash_max_size 1024; |
|
# variables_hash_bucket_size 64; |
|
# variables_hash_max_size 1024; |
|
|
|
## System Tunables ## |
|
# connection_pool_size 256; |
|
# limit_rate 0; |
|
# limit_rate_after 0; |
|
# lingering_close on; |
|
# lingering_time 30s; |
|
# lingering_timeout 5s; |
|
# postpone_output 1460; |
|
# send_timeout 60s; |
|
|
|
## Proxy Features ## |
|
# proxy_buffering on; |
|
# proxy_cache off; |
|
proxy_cache CACHE; |
|
# proxy_cache_convert_head on; |
|
# proxy_cache_key $scheme$proxy_host$request_uri; |
|
# proxy_cache_lock off; |
|
# proxy_cache_methods GET HEAD; |
|
# proxy_cache_path {path} keys_zone={zone}:{size} use_temp_path=on |
|
# inactive=10m loader_files=100 loader_sleep=50ms |
|
# loader_threshold=200ms; |
|
proxy_cache_path /var/lib/nginx/cache keys_zone=CACHE:10m; # ~80k keys |
|
# proxy_cache_revalidate off; |
|
proxy_cache_revalidate on; # Conditional GETs are good HTTP |
|
# proxy_cache_use_stale off; |
|
proxy_cache_use_stale error timeout invalid_header updating |
|
http_500 http_502 http_503 http_504; |
|
# proxy_cookie_domain off; |
|
# proxy_cookie_path off; |
|
# proxy_force_ranges off; |
|
# proxy_http_version 1.0; |
|
proxy_http_version 1.1; # recomended for keepalive conns |
|
# proxy_ignore_client_abort off; |
|
# proxy_intercept_errors off; |
|
# proxy_next_upstream error timeout; |
|
proxy_next_upstream error timeout invalid_header |
|
http_500 http_502 http_503 http_504; |
|
# proxy_request_buffering on; |
|
# proxy_store off; |
|
# proxy_store_access user:rw; |
|
# proxy_temp_path proxy_temp; |
|
|
|
## Proxy Tuning ## |
|
# proxy_buffer_size 4k|8k; |
|
# proxy_buffers 8 4k|8k; |
|
# proxy_busy_buffers_size 8k|16k; |
|
# proxy_cache_lock_age 5s; |
|
# proxy_cache_lock_timeout 5s; |
|
# proxy_connect_timeout 60s; |
|
# proxy_headers_hash_bucket_size 64; |
|
# proxy_headers_hash_max_size 512; |
|
# proxy_limit_rate 0; |
|
# proxy_max_temp_file_size 1024m; |
|
# proxy_min_uses 1; |
|
# proxy_next_upstream_timeout 0; |
|
# proxy_next_upstream_tries 0; |
|
# proxy_read_timeout 60s; |
|
# proxy_send_timeout 60s; |
|
# proxy_temp_file_write_size 16k; |
|
|
|
## Proxy SSL ## |
|
# proxy_ssl_ciphers DEFAULT; |
|
# proxy_ssl_name $proxy_host; |
|
# proxy_ssl_server_name off; |
|
# proxy_ssl_session_reuse on; |
|
# proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
|
# proxy_ssl_verify off; |
|
# proxy_ssl_verify_depth 1; |
|
|
|
include /etc/nginx/conf.d/*.conf; |
|
include /etc/nginx/sites-enabled/*; |
|
} |