@terrywang
Last active July 28, 2022 23:29
Nginx config file template for self-hosted personal site on Fedora, Ubuntu, Debian and Arch Linux
# User and group used by worker processes.
# Only the master process keeps root (to bind :80/:443 and read the TLS key);
# workers run as this account, so web-root and log permissions are scoped to it.
# ubuntu
# user www-data;
# fedora
user nginx;
# Ideally # of worker processes = # of CPUs or cores
# Set to auto to autodetect
# max_clients = worker_processes * worker_connections
worker_processes auto;
pid /run/nginx.pid;
# Maximum number of open file descriptors per process
# should be > worker_connections; a proxied/FastCGI request holds two descriptors
# (client socket + upstream socket), so 2 * worker_connections is the usual floor
worker_rlimit_nofile 10240;
events {
# Use epoll on Linux 2.6+ (nginx autodetects the best method; this just pins it)
use epoll;
# Max number of simultaneous connections per worker process
# (client connections plus upstream/FastCGI sockets; see worker_rlimit_nofile)
worker_connections 2048;
# Accept all new connections at one time
multi_accept on;
}
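http {
    ##
    # Basic Settings
    ##
    # Hide the nginx version in the Server header and on built-in error pages
    server_tokens off;
    # Speed up file transfers by using sendfile() to copy directly
    # between descriptors rather than using read()/write()
    sendfile on;
    # Send the response header and the beginning of a file in one packet,
    # then the rest of the file in full packets (sets TCP_CORK; only takes
    # effect while sendfile is on)
    tcp_nopush on;
    # Leave Nagle's algorithm enabled: small writes are coalesced into larger
    # segments, saving bandwidth at the cost of a small latency increase
    tcp_nodelay off;
    send_timeout 30;
    # How long an idle keep-alive connection is kept open.
    # Longer values are better for each individual client, especially TLS
    # (fewer handshakes), but tie up worker connections for longer.
    keepalive_timeout 60;
    keepalive_requests 200;
    # Both default to 60s. Lower values shorten how long a deliberately slow
    # client (slowloris-style) can hold a worker connection; tune with care
    # if large uploads are expected.
    # client_header_timeout 20;
    # client_body_timeout 20;
    # Free the socket immediately when a client times out instead of lingering
    reset_timedout_connection on;
    types_hash_max_size 2048;
    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    # Content-Type for files whose extension is not in mime.types.
    # application/octet-stream makes browsers download them. text/html (the
    # previous value) would render ANY unknown file as a page, so a stray file
    # that ends up under the web root (upload, editor temp file, backup) becomes
    # stored XSS on this origin. Add explicit mime.types entries instead of
    # widening this default.
    default_type application/octet-stream;
    # default_type text/html;
    charset UTF-8;
    ##
    # Logging Settings
    ##
    # Default "combined" format; per-site logs in the server blocks override these
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ##
    # Gzip Settings
    ##
    # Enable Gzip compression.
    # Caveat (BREACH-style attacks): compressing a response that contains a
    # secret (CSRF token, session id) together with attacker-controlled
    # reflected input lets the secret be recovered from response sizes. Fine
    # for a static site; for dynamic PHP pages that carry secrets, disable gzip
    # on those responses or ensure no attacker input is reflected next to them.
    gzip on;
    # This should be turned on if pre-compressed copies (.gz) of static files exist
    # If NOT it should be left off as it will cause extra I/O
    # default: off
    # gzip_static on;
    # Do NOT compress anything smaller than 256 bytes
    gzip_min_length 256;
    # IE6 mishandles gzip; skip compression for that User-Agent
    gzip_disable "msie6";
    # Emit "Vary: Accept-Encoding" so shared caches keep the gzipped and plain
    # variants apart; without it a cache may hand a gzipped body to a client
    # that did not ask for one. Enabled because gzip_proxied any (below) means
    # responses passing through proxies are compressed as well.
    gzip_vary on;
    # Compress data even for clients that are connecting via proxies
    # Identified by the "Via" header
    gzip_proxied any;
    # Compression level (1-9)
    # 5 is a good compromise between size and CPU usage
    gzip_comp_level 5;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # Types compressed in addition to text/html (which is always compressed).
    # Current mime.types maps .js to application/javascript and .svg to
    # image/svg+xml; without those entries here such files go out uncompressed.
    gzip_types
        text/plain
        text/css
        application/json
        application/javascript
        application/x-javascript
        text/javascript
        text/xml
        application/xml
        application/xml+rss
        image/svg+xml;
    # Cache open file descriptors, their sizes and mtime,
    # information on existence of directories, and
    # file lookup errors such as "file not found", "no read permission" and so on.
    #
    # Pros: nginx can immediately begin sending data when a popular file is requested
    # and will also immediately send a 404 if a file doesn't exist, and so on
    #
    # Cons: The server will NOT react immediately to changes on the file system
    # (up to open_file_cache_valid), which may be undesirable
    #
    # Config: inactive files are released from the cache after 20 seconds
    # whereas active (recently requested) files are re-validated every 30 seconds.
    # Descriptors are only cached once used at least twice within the inactive window.
    # At most the 1000 most recently used descriptors are cached at any time.
    #
    # Production servers with stable file collections will want to enable the cache
    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##
    #include /etc/nginx/naxsi_core.rules;
    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##
    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;
    ##
    # Virtual Host Configs
    ##
    # Site definitions (upstream {} / server {}) must live in files pulled in
    # here; they are not valid outside the http {} context.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}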
#mail {
# # See sample authentication script at:
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
# # auth_http localhost/auth.php;
# # pop3_capabilities "TOP" "USER";
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
# server {
# listen localhost:110;
# protocol pop3;
# proxy on;
# }
#
# server {
# listen localhost:143;
# protocol imap;
# proxy on;
# }
#}
# NOTE(review): upstream {} and server {} are only valid inside http {}. This
# gist reads as nginx.conf followed by a site file; everything from here down
# belongs in a file included from http {} (e.g. under /etc/nginx/conf.d/), not
# after its closing brace.
upstream php {
# ubuntu
# server unix:/run/php/php8.1-fpm.sock;
# fedora
# The FPM pool's listen.owner/listen.group/listen.mode must let the nginx worker
# user connect, and should NOT be world-writable: any local user who can write to
# the socket can submit FastCGI requests to the pool — confirm in the pool config.
server unix:/run/php-fpm/www.sock;
}
server {
listen 80;
# listen [::]:80 default ipv6only=on;
server_name terry.im www.terry.im;
# redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
# $host echoes the client's Host header, so a request with a forged Host is
# redirected to that host. Harmless for a real browser (it sent the header), but
# if this is the only :80 server it is also the default for unknown hosts —
# NOTE(review): consider a catch-all "listen 80 default_server; return 444;"
# server so only the two names above get the redirect.
# If certificates are obtained via an HTTP-01 challenge served from a webroot,
# /.well-known/acme-challenge/ must be exempted from this redirect
# (DNS-01 / TLS-ALPN-01 are unaffected).
location / {
return 301 https://$host$request_uri;
}
}
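server {
    # listen 443 ssl;
    # NOTE: nginx >= 1.25.1 deprecates the "http2" listen parameter in favour of
    # a separate "http2 on;" directive; this form still works there with a warning.
    listen 443 ssl http2;
    server_name terry.im www.terry.im;
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    # (leaf first, then intermediates). Both files live in the same lego
    # directory. The key must be readable by root only: the master process
    # reads it before the workers drop to the unprivileged user.
    ssl_certificate /path/to/lego/.lego/certificates/terry.im.crt;
    ssl_certificate_key /path/to/lego/.lego/certificates/terry.im.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m; # 10m about 40k sessions
    # Tickets off: forward secrecy then does not depend on a long-lived
    # ticket key kept in worker memory.
    ssl_session_tickets off;
    # Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits
    # openssl dhparam -out /path/to/dhparams_4096.pem 4096
    # Only consulted when a DHE-* suite is negotiated. With TLSv1.3 only and
    # the ECDHE-only cipher list below it is never used; kept for the
    # "intermediate" fallback, which does include DHE suites.
    ssl_dhparam /etc/ssl/private/dhparams_4096.pem;
    # modern configuration, tweak to your needs
    # ssl_protocols TLSv1.2 TLSv1.3;
    ssl_protocols TLSv1.3;
    # ssl_ecdh_curve X25519:P-256:P-384:P-224:P-521;
    # NOTE: ssl_ciphers governs TLS <= 1.2 suites only. With TLSv1.3 alone the
    # list below is inert (TLS 1.3 suites are selected via
    # "ssl_conf_command Ciphersuites"); it matters again if TLSv1.2 is re-enabled.
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    # ssl_ciphers '[ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES';
    ssl_prefer_server_ciphers on;
    # intermediate configuration, tweak to your needs
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
    # "always" is an add_header PARAMETER, not part of the header value: it
    # makes nginx emit the header on every status code (4xx/5xx included)
    # rather than only on 2xx/3xx. Written inside the quotes, as it was
    # before, it went to the browser as a bogus HSTS directive and the header
    # was missing on error pages. Add "includeSubDomains" / "preload" only
    # once every subdomain is served over HTTPS; preload is effectively
    # irreversible.
    # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    add_header Strict-Transport-Security "max-age=63072000" always;
    # Stop browsers from MIME-sniffing a response into a different type
    # (e.g. rendering a served file as HTML).
    add_header X-Content-Type-Options "nosniff" always;
    # Beware: an add_header inside a location {} replaces ALL add_header lines
    # inherited from this level for that location, so repeat them there if
    # any location ever needs its own header.
    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    ## verify chain of trust of OCSP response using Root CA and Intermediate certs.
    ## This file has to contain the ISSUER chain (intermediate(s) up to a root),
    ## not the leaf. The lego .crt is leaf+intermediate; if the root is missing
    ## from it, verification fails and nginx quietly serves without a stapled
    ## response (it only logs a warning). Point this at a CA-chain bundle and
    ## check with:  openssl s_client -connect terry.im:443 -status </dev/null
    ## (if the issuing CA no longer runs an OCSP responder, stapling is a no-op).
    ssl_trusted_certificate /path/to/lego/.lego/certificates/terry.im.crt;
    # resolver <IP DNS resolver> valid=300s;
    # resolver_timeout 5s;
    # Used only for the OCSP responder lookup. Plain UDP DNS to public
    # resolvers can be spoofed on-path, but ssl_stapling_verify rejects any
    # response that does not validate, so the worst case is "no stapling".
    # Prefer the host's local stub resolver where one exists.
    resolver 8.8.8.8 1.1.1.1 valid=30s ipv6=off;
    resolver_timeout 5s;
    root /var/www/terry.im;
    index index.php index.html index.htm;
    # rewrite ^(.*)$ $scheme://www.terry.im$1;
    access_log /var/log/nginx/terry.im-access.log;
    error_log /var/log/nginx/terry.im-error.log;
    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to index.html
        try_files $uri $uri/ /index.html;
    }
    # skillmatrix rewrite rules
    location /skillmatrix {
        # ^/(.*)$ drops the leading slash, so /skillmatrix -> .../imterry/skillmatrix
        rewrite ^/(.*)$ https://sites.google.com/site/imterry/$1 permanent;
        #rewrite ^/.*$ https://sites.google.com/site/imterry/$1 permanent;
        #rewrite ^(/.*)$ https://sites.google.com/site/imterry/$1 permanent;
        access_log /var/log/nginx/skillmatrix-access.log;
        error_log /var/log/nginx/skillmatrix-error.log notice;
        rewrite_log on;
    }
    # tweetnest: restricted area.
    # This was "location ~ /tweetnest" placed AFTER "location ~ \.php$". Regex
    # locations are tried in file order and the first match wins, so a direct
    # request for /tweetnest/search.php (or any *.php under it) matched the PHP
    # location first and was executed with NO IP check and NO basic auth; only
    # the pretty URLs below went through the restrictions. "^~" makes every
    # /tweetnest* request land here regardless of regex order, and the nested
    # PHP handler inherits allow/deny and auth_basic from this block.
    location ^~ /tweetnest {
        # "all": the client must be in the allowed range AND present valid
        # credentials ("any" would accept either one).
        satisfy all;
        # deny cidr
        # allow/deny match $remote_addr, the direct TCP peer. Behind a reverse
        # proxy or CDN this is the proxy's address; use the real_ip module
        # (set_real_ip_from + real_ip_header) before trusting a client range.
        allow 192.168.1.0/24;
        deny all;
        # basic authentication
        # Credentials go over TLS only (this is the :443 server). Generate the
        # file with a salted, slow hash (e.g. htpasswd -B for bcrypt, or apr1);
        # avoid the unsalted {SHA} and plain crypt() formats. Keep it outside
        # the web root and readable by the nginx worker user only.
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        rewrite ^/tweetnest/sort/?$ /tweetnest/sort.php last;
        rewrite ^/tweetnest/favorites/?$ /tweetnest/favorites.php last;
        rewrite ^/tweetnest/search/?$ /tweetnest/search.php last;
        rewrite ^/tweetnest/([0-9]+)/([0-9]+)/?$ /tweetnest/month.php?y=$1&m=$2;
        rewrite ^/tweetnest/([0-9]+)/([0-9]+)/([0-9]+)/?$ /tweetnest/day.php?y=$1&m=$2&d=$3;
        # "^~" stops the top-level regex locations from applying in here, so
        # the dotfile deny and the PHP handler are repeated as nested locations
        # (order matters: deny before PHP).
        location ~ /\. {
            deny all;
        }
        location ~ \.php$ {
            try_files $uri =404;
            fastcgi_index index.php;
            include fastcgi.conf;
            fastcgi_pass php;
        }
    }
    # Deny rules are listed BEFORE the PHP handler on purpose: regex locations
    # are matched in order, so e.g. /.git/x.php must hit the dotfile deny rather
    # than be handed to FastCGI.
    location ~ /\. {
        deny all;
    }
    # Backups, editor swap files, configs and other artefacts that must never
    # be served (they commonly leak credentials or source).
    location ~* (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ {
        deny all;
    }
    location ~ \.php$ {
        # Refuse URIs whose file does not exist instead of letting PHP-FPM
        # resolve them: with cgi.fix_pathinfo=1 a request like
        # /uploads/image.jpg/x.php would otherwise execute the image as PHP.
        try_files $uri =404;
        fastcgi_index index.php;
        # include fastcgi_params;
        # nginx 1.6.1 upstream change - use fastcgi.conf
        include fastcgi.conf;
        # fastcgi_pass unix:/var/run/php-fpm.sock;
        # Use upstream
        fastcgi_pass php;
        # NOTE(review): only ".php" reaches FastCGI. If FPM is also configured
        # for .phtml/.phar/.php5, add them here, otherwise such files are served
        # as static text (source disclosure).
        # proxy_set_header X-Real-IP $remote_addr;
        # proxy_set_header X-Forwarded-For $remote_addr;
        # proxy_set_header Host $host;
        # proxy_pass http://127.0.0.1:8080;
        # proxy_redirect off;
    }
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    # "^~" so the dotfile deny below does not swallow ACME / well-known paths
    location ^~ /.well-known/ {
        allow all;
    }
    # Browser cache
    location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|eot|mp4|ogg|ogv|webm)$ {
        expires 30d;
        log_not_found off;
    }
}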