-
Notifications
You must be signed in to change notification settings - Fork 246
/
nginx.conf
234 lines (187 loc) · 8.89 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
user www-data;
## If you're using an Nginx version below 1.3.8 or 1.2. then uncomment
## the line below and set it to the number of cores of the
## server. Otherwise nginx will determine it automatically.
#worker_processes 4;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
worker_rlimit_nofile 8192;
events {
worker_connections 4096;
## Accept as many connections as possible.
multi_accept on;
}
http {
## MIME types.
include /etc/nginx/mime.types;
default_type application/octet-stream;
## Default log and error files.
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
## Use sendfile() syscall to speed up I/O operations and speed up
## static file serving.
sendfile on;
## Handling of IPs in proxied and load balancing situations.
set_real_ip_from 0.0.0.0/32; # all addresses get a real IP.
real_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer/proxy
## Define a zone for limiting the number of simultaneous
## connections nginx accepts. 1m means 32000 simultaneous
## sessions. We need to define for each server the limit_conn
## value refering to this or other zones.
limit_conn_zone $binary_remote_addr zone=arbeit:10m;
## Define a zone for limiting the number of simultaneous
## connections nginx accepts. 1m means 32000 simultaneous
## sessions. We need to define for each server the limit_conn
## value refering to this or other zones.
## ** Use this directive for nginx versions below 1.1.8. Uncomment the line below.
#limit_zone arbeit $binary_remote_addr 10m;
## Timeouts.
client_body_timeout 60;
client_header_timeout 60;
keepalive_timeout 10 10;
send_timeout 60;
## Reset lingering timed out connections. Deflect DDoS.
reset_timedout_connection on;
## Body size.
client_max_body_size 10m;
## TCP options.
tcp_nodelay on;
## Optimization of socket handling when using sendfile.
tcp_nopush on;
## Compression.
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 1;
gzip_http_version 1.1;
gzip_min_length 10;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf;
gzip_vary on;
gzip_proxied any; # Compression for all requests.
## No need for regexps. See
## http://wiki.nginx.org/NginxHttpGzipModule#gzip_disable
gzip_disable msie6;
## Serve already compressed files directly, bypassing on-the-fly
## compression.
##
# Usually you don't make much use of this. It's better to just
# enable gzip_static on the locations you need it.
# gzip_static on;
## Hide the Nginx version number.
server_tokens off;
## Use a SSL/TLS cache for SSL session resume. This needs to be
## here (in this context, for session resumption to work. See this
## thread on the Nginx mailing list:
## http://nginx.org/pipermail/nginx/2010-November/023736.html.
ssl_session_cache shared:SSL:30m;
ssl_session_timeout 1d;
## The server dictates the choice of cipher suites.
ssl_prefer_server_ciphers on;
## Use only Perfect Forward Secrecy Ciphers. Fallback on non ECDH
## for crufty clients.
ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+SHA384:ECDH+aRSA+SHA256:ECDH:EDH+CAMELLIA:EDH+aRSA:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA;
## No SSL2 support. Legacy support of SSLv3.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
## Pregenerated Diffie-Hellman parameters.
ssl_dhparam /etc/nginx/dh_param.pem;
## Curve to use for ECDH.
ssl_ecdh_curve secp521r1;
## Enable OCSP stapling. A better way to revocate server certificates.
ssl_stapling on;
## Enable verification of OCSP stapling responses by the server.
ssl_stapling_verify on;
## Fill in with your own resolver.
resolver 8.8.8.8;
## Uncomment to increase map_hash_bucket_size. If start getting
## [emerg]: could not build the map_hash, you should increase
## map_hash_bucket_size: 64 in your
## logs. Cf. http://wiki.nginx.org/NginxOptimizations.
#map_hash_bucket_size 192;
## Uncomment one of the lines below if you start getting this message:
## "[emerg] could not build the variables_hash, you should increase
## either variables_hash_max_size: 512 or variables_hash_bucket_size: 64"
## You only need to increase one. Increasing variables_hash_max_size to 1024
## was recommended in nginx forum by developers.
## See this forum topic and responses
## http://forum.nginx.org/read.php?2,192277,192286#msg-192286
## See http://wiki.nginx.org/HttpCoreModule#variables_hash_bucket_size
## The line variables_hash_bucket_size was added for completeness but not
## changed from default.
#variables_hash_max_size 1024; # default 512
#variables_hash_bucket_size 64; # default is 64
## For the filefield_nginx_progress module to work. From the
## README. Reserve 1MB under the name 'uploads' to track uploads.
upload_progress uploads 1m;
## Enable the builtin cross-site scripting (XSS) filter available
## in modern browsers. Usually enabled by default we just
## reinstate in case it has been somehow disabled for this
## particular server instance.
## https://www.owasp.org/index.php/List_of_useful_HTTP_headers.
add_header X-XSS-Protection '1; mode=block';
## Enable clickjacking protection in modern browsers. Available in
## IE8 also. See
## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
## Uncomment the line below if you're not using media streaming.
## For sites being framing on the same domqin uncomment the line below.
#add_header X-Frame-Options SAMEORIGIN;
## For sites accepting to be framed in any context comment the
## line below.
add_header X-Frame-Options DENY;
## Enable this if using HTTPS. See sites-available/example.com.conf
## for details.
#add_header Strict-Transport-Security "max-age=7200";
## Block MIME type sniffing on IE.
add_header X-Content-Options nosniff;
## Add a cache miss/hit status header. This can be disabled if not including
## any of the apps/drupal/microcache* files.
add_header X-Micro-Cache $upstream_cache_status;
## FastCGI.
include /etc/nginx/fastcgi.conf;
## Include the upstream servers for PHP FastCGI handling config.
## This one uses the FCGI process listening on TCP sockets.
include upstream_phpcgi_tcp.conf;
## Include the upstream servers for PHP FastCGI handling
## configuration. This setup uses UNIX sockets for talking with the
## upstream.
#include upstream_phpcgi_unix.conf;
## Include the map to block HTTP methods.
include map_block_http_methods.conf;
## If using Nginx version >= 1.1.11 then there's a $https variable
## that has the value 'on' if the used scheme is https and '' if not.
## See: http://trac.nginx.org/nginx/changeset/4380/nginx
## http://trac.nginx.org/nginx/changeset/4333/nginx and
## http://trac.nginx.org/nginx/changeset/4334/nginx. If using a
## previous version then uncomment out the line below.
#include map_https_fcgi.conf;
## Support the X-Forwarded-Proto header for fastcgi.
map $http_x_forwarded_proto $fastcgi_https {
default $https;
http '';
https on;
}
## Include the upstream servers for Apache handling the PHP
## processes. In this case Nginx functions as a reverse proxy.
#include reverse_proxy.conf;
#include upstream_phpapache.conf;
## Include the php-fpm status allowed hosts configuration block.
## Uncomment to enable if you're running php-fpm.
#include php_fpm_status_allowed_hosts.conf;
## Include the Nginx stub status allowed hosts configuration block.
include nginx_status_allowed_hosts.conf;
## If you want to run cron using Drupal cron.php. i.e., you're not
## using drush then uncomment the line below. Specify in
## cron_allowed_hosts.conf which hosts can invole cron.
# include apps/drupal/cron_allowed_hosts.conf;
## Include blacklist for bad bot and referer blocking.
include blacklist.conf;
## Include the caching setup. Needed for using Drupal with an external cache.
include apps/drupal/map_cache.conf;
## Microcache zone definition for FastCGI.
include fastcgi_microcache_zone.conf;
## If you're using Apache for handling PHP then comment the line
## above and uncomment the line below.
#include proxy_microcache_zone.conf
## Include all vhosts.
include /etc/nginx/sites-enabled/*;
}