Created
July 7, 2016 16:41
Sample nginx.conf: TLS front end for domain.com that load-balances to an upstream cluster (ip_hash, with least_conn left commented out) and serves a WordPress blog from PHP-FPM under /blog. Note that the gist title mentions a blog.domain.com subdomain and least-connected balancing, but the configuration as written serves the blog on the /blog path of the main host and uses ip_hash.
# Main nginx configuration. Reference documentation:
#   * English: http://nginx.org/en/docs/
#   * Russian: http://nginx.org/ru/docs/
pid /var/run/nginx.pid;

# Worker processes drop to this unprivileged account; the master process
# (root) binds the listening sockets and reads the TLS private key first.
user nginx;
# One worker per CPU core.
worker_processes auto;

# Default severity for error_log is "error"; append "notice" or "info"
# to the line for more verbose output.
error_log /var/log/nginx/error.log;
events {
    # Upper bound on simultaneous connections per worker; per the nginx
    # docs this counts every connection, including those to proxied
    # upstream and FastCGI servers, not only client connections.
    worker_connections 1024;
}
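http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Do not advertise the exact nginx version in the Server header and on
    # error pages; it only helps an attacker pick version-specific exploits.
    server_tokens off;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    proxy_read_timeout 300s;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # Upper bound on request bodies (uploads); requests above it get 413.
    client_max_body_size 20M;

    # see https://www.nginx.com/resources/admin-guide/compression-and-decompression/
    # NOTE(review): nginx always gzips text/html regardless of gzip_types. HTTP
    # compression of dynamic pages served over TLS enables the BREACH side
    # channel when a page reflects attacker-controlled input next to a secret
    # (CSRF token, session id). Accept that risk knowingly, or disable gzip
    # for such responses.
    gzip on;
    gzip_types text/css text/x-component application/x-javascript application/javascript text/javascript text/x-js text/richtext image/svg+xml text/plain text/xsd text/xsl text/xml image/x-icon;
    gzip_proxied no-cache no-store private expired auth;

    # Content cache for proxied responses. Keep it out of /tmp (world-writable,
    # shared with other local users, often tmpfs) and under a directory owned
    # by the "user nginx" account; nginx creates the level subdirectories on
    # startup. max_size bounds disk use so a cache-filling client cannot
    # exhaust the volume.
    proxy_cache_path /var/cache/nginx/proxy keys_zone=mycache:10m inactive=24h levels=1:2 max_size=1g;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    index index.php index.html index.htm;

    # The upstream name doubles as the Host header sent to the backends
    # ($proxy_host), so the application generates absolute links/emails using
    # this name. Keep it equal to the public domain.
    upstream domain.com {
        ip_hash;
        #least_conn;
        # NOTE(review): the backends are addressed by public EC2 DNS names over
        # plain http, so the load balancer -> backend hop is unencrypted and
        # leaves the VPC. Prefer private addresses inside the VPC and restrict
        # the backend security group to this host, or terminate TLS upstream
        # as well (proxy_pass https://...).
        server ec2-xx-xx-xx-xxx.us-west-2.compute.amazonaws.com;
        server ec2-xx-xx-xx-xxx.us-west-2.compute.amazonaws.com;
        #server ec2-xx-xx-xx-xx.us-west-2.compute.amazonaws.com;
        #server ec2-xx-xx-xxx-xxx.us-west-2.compute.amazonaws.com;
        # health_check is an nginx Plus directive; open-source nginx only
        # performs passive checks (max_fails / fail_timeout on each server).
        #health_check;
    }

    # Plain-HTTP listener: redirect everything to HTTPS. The target host is
    # fixed rather than taken from $host so a spoofed Host header cannot turn
    # this into an open redirect.
    server {
        listen 80;
        server_name domain.com;
        return 301 https://domain.com$request_uri;
    }

    server {
        # spdy support was removed in nginx 1.9.5; http2 replaces it and
        # requires nginx >= 1.9.5. The "ssl" listen parameter supersedes the
        # deprecated "ssl on;" directive.
        listen 443 ssl http2;
        server_name domain.com;
        root /var/www;

        # see https://codex.wordpress.org/Nginx
        # This include must stay above the "\.php$" location: regex locations
        # are matched in order of appearance, so the deny rules for
        # uploads/*.php (and similar) in restrictions.conf only win because
        # they are declared first.
        include global/restrictions.conf;

        # Base requests to the main site are load-balanced to the upstream
        # cluster defined above.
        location / {
            proxy_pass http://domain.com;
            # Tell the backends who the real client is and that the request
            # arrived over TLS; without these they only see this host's IP and
            # "http", which breaks logging, rate limiting and scheme-aware
            # redirects upstream.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Cache responses locally. No proxy_cache_valid is set, so only
            # responses that carry Cache-Control/Expires from the backend are
            # cached, and nginx skips responses with Set-Cookie by default.
            # NOTE(review): a backend page for a logged-in user that is sent
            # without "Cache-Control: private/no-store" would be cached and
            # served to other clients; confirm the application sets it, or add
            # proxy_cache_bypass / proxy_no_cache on the session cookie.
            proxy_cache mycache;
        }

        # Blog requests. The /blog/ prefix in the try_files fallback is required
        # or WordPress permalinks 404.
        location /blog {
            try_files $uri $uri/ /blog/index.php?$args;
        }

        # Pass .php requests to PHP-FPM. Because this is a regex location it
        # takes precedence over "location /", so any URI on this host ending
        # in .php is executed locally from /var/www instead of being proxied.
        location ~ \.php$ {
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            # Refuse anything that does not map to a real file. Together with
            # fastcgi_split_path_info this closes the classic
            # cgi.fix_pathinfo=1 hole (/uploads/x.jpg/foo.php executing x.jpg).
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            include fastcgi_params;
            fastcgi_index index.php;
            fastcgi_intercept_errors on;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # NOTE(review): a socket in /tmp can be pre-created or replaced by
            # any local user; prefer a path under /run owned by the php-fpm
            # user, changed in lockstep with php-fpm's listen directive.
            fastcgi_pass unix:/tmp/php-fpm.sock;
        }

        ssl_certificate /etc/ssl/bundle.crt;
        # The key must be readable only by root (mode 0600); the master process
        # reads it before workers drop to "user nginx".
        ssl_certificate_key /etc/ssl/key.com.key;

        ## HSTS: browsers that have seen this header use https only for a year.
        ## "always" (nginx >= 1.7.5) also sends it on 4xx/5xx responses. Add
        ## "includeSubDomains" once every subdomain is served over TLS.
        add_header Strict-Transport-Security "max-age=31536000" always;
        ## Stop MIME sniffing and framing by other origins. Relax X-Frame-Options
        ## if pages are legitimately embedded elsewhere.
        add_header X-Content-Type-Options nosniff always;
        add_header X-Frame-Options SAMEORIGIN always;

        ## TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail PCI DSS; offer only
        ## 1.2 and 1.3. TLSv1.3 needs nginx >= 1.13.0 built against
        ## OpenSSL 1.1.1+; on older builds drop the token to keep nginx starting.
        ssl_protocols TLSv1.2 TLSv1.3;
        ## Forward-secret AES suites only: 3DES (Sweet32) and static RSA key
        ## exchange (no forward secrecy) removed from the original list. TLS 1.3
        ## suites are chosen by OpenSSL and not affected by this directive.
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!MD5:!DSS:!3DES;
        ## Improves TTFB by using a smaller TLS record buffer than the nginx default
        ssl_buffer_size 8k;
        ## Prefer the server's cipher order over the client's
        ssl_prefer_server_ciphers on;
        ## Session cache shared by all worker processes
        ssl_session_cache shared:SSL:30m;
        ssl_session_timeout 30m;
        ## Session tickets are encrypted with a key nginx generates at startup
        ## and never rotates while the master runs, which weakens forward
        ## secrecy for that lifetime; the shared cache above covers resumption.
        ssl_session_tickets off;
        ## DH parameters for DHE suites; generate with
        ## "openssl dhparam -out /etc/ssl/dhparam.pem 2048" (2048 bits minimum).
        ssl_dhparam /etc/ssl/dhparam.pem;

        ## OCSP stapling. ssl_stapling_verify needs the issuer chain up to the
        ## root available via ssl_trusted_certificate unless bundle.crt already
        ## contains it; otherwise nginx logs a verification error and serves
        ## no staple. NOTE(review): the resolver is Google DNS over cleartext
        ## UDP; prefer the VPC/local resolver and restrict the resolver to
        ## IPv4 (ipv6=off) if the host has no IPv6 egress.
        ssl_stapling on;
        resolver 8.8.8.8 valid=300s;
        ssl_stapling_verify on;
    }
}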