-
Notifications
You must be signed in to change notification settings - Fork 45
/
Copy pathnginx.conf
167 lines (118 loc) · 4.79 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
worker_rlimit_nofile 65535;
events {
multi_accept on;
worker_connections 2048;
}
http {
server_tokens off;
etag on;
http3 on;
quic_gso on;
# quic_bpf on;
http3_max_concurrent_streams 256;
http3_stream_buffer_size 128k;
quic_active_connection_id_limit 4;
http2 on;
http2_max_concurrent_streams 256;
http2_recv_buffer_size 512k;
http2_chunk_size 16k;
keepalive_requests 2000;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.3;
ssl_session_cache shared:SSL:30m;
ssl_session_timeout 1h;
ssl_session_tickets off;
ssl_buffer_size 32k;
# ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE";
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;
# add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;
add_header Referrer-Policy "no-referrer-when-downgrade";
add_header Permissions-Policy "geolocation=(), microphone=()";
add_header Cache-Control "public, max-age=31536000, immutable";
add_header Last-Modified $date_gmt;
server_names_hash_max_size 1024;
server_names_hash_bucket_size 128;
types_hash_max_size 2048;
types_hash_bucket_size 128;
variables_hash_max_size 1024;
variables_hash_bucket_size 128;
open_file_cache max=2000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
limit_req_zone $binary_remote_addr zone=example_zone:100m rate=35r/s;
limit_req zone=example_zone burst=100 nodelay;
limit_rate 50m;
# fastcgi
fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=my_cache:20m max_size=512m inactive=30m;
# fastcgi_cache my_cache;
fastcgi_cache_key "$scheme$request_method$host$request_uri$http_accept_encoding";
fastcgi_cache_bypass $request_method;
fastcgi_no_cache $request_method;
fastcgi_cache_valid 200 120m;
fastcgi_cache_valid 404 10m;
fastcgi_cache_valid 301 302 1h;
fastcgi_cache_valid 500 502 503 504 0;
fastcgi_cache_lock on;
fastcgi_cache_lock_timeout 5s;
fastcgi_buffering on;
fastcgi_buffer_size 128k;
fastcgi_buffers 16 512k;
fastcgi_busy_buffers_size 512k;
fastcgi_keep_conn on;
# proxy
proxy_cache_path /var/cache/nginx/proxy levels=1:2 keys_zone=my_proxy_cache:20m max_size=512m inactive=30m ;
# proxy_cache my_proxy_cache;
proxy_cache_key "$scheme$request_method$host$request_uri$http_accept_encoding";
proxy_cache_bypass $request_method;
proxy_no_cache $request_method;
proxy_cache_background_update on;
proxy_cache_valid 200 302 10m;
proxy_cache_valid 404 1m;
proxy_cache_lock on;
proxy_cache_lock_timeout 5s;
proxy_buffering on;
proxy_buffer_size 128k;
proxy_buffers 16 512k;
proxy_busy_buffers_size 512k;
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 30s;
send_timeout 30s;
# expires 1h;
gzip on;
gzip_static on;
gzip_proxied any;
gzip_vary on;
gzip_comp_level 6;
gzip_buffers 64 8k;
gzip_min_length 1024;
gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript;
client_body_buffer_size 128k;
client_header_buffer_size 4k;
client_body_timeout 20s;
client_header_timeout 20s;
large_client_header_buffers 4 16k;
output_buffers 4 32k;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 64;
include /etc/nginx/conf.d/*.conf;
}