-
Notifications
You must be signed in to change notification settings - Fork 17
/
nginx.conf
160 lines (125 loc) · 5.31 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
#This config is made for user with the basic "nginx-extras" package available on Debian Buster
#Uncomment these two lines for Crowdsec support (tested on Debian 11 - NGINX Extras)
#load_module modules/ndk_http_module.so;
#load_module modules/ngx_http_lua_module.so;
user www-data;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
load_module modules/ngx_http_headers_more_filter_module.so;
events {
worker_connections 16384;
multi_accept on;
use epoll;
}
# worker_rlimit_nofile = (worker_connections * 1) + 500
# worker_rlimit_nofile = (worker_connections * 2) + 500 if you use nginx as reverse proxy
worker_rlimit_nofile 16884;
http {
##
# Basic Settings
##
server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
##VirtualHosts and configs includes
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
##
# TLS
##
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:!AES128';
ssl_prefer_server_ciphers off;
##
# Headers
#
##Less Verbose for Nginx headers
server_tokens off;
##Common headers for security
## You need to adapt the configuration to your website need, It may break some shitty content management system or poorly build websites.
more_set_headers "Content-Security-Policy : default-src https: data: 'unsafe-inline' 'unsafe-eval' always";
more_set_headers "Permissions-Policy: geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker self;vibrate=();fullscreen self;payment=();;"
more_set_headers "Strict-Transport-Security : max-age=15768000; includeSubDomains; preload";
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
more_set_headers "Server : Follow the white rabbit.";
more_set_headers "Cross-Origin-Opener-Policy : same-origin"
more_set_headers "Cross-Origin-Embedder-Policy : unsafe-none"
more_set_headers "Origin-Agent-Cluster : ?1"
more_set_headers "Permissions-Policy : accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), sync-xhr=(), usb=(), xr-spatial-tracking=()";
##OCSP settings
ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /etc/ssl/private/ocsp-certs.pem; # <- Add signing certs here
resolver 1.0.0.1 8.8.4.4 valid=300s;
resolver_timeout 5s;
##
# Logging
##
#access_log /var/log/nginx/access.log; #Disabled for performance
access_log off;
error_log /var/log/nginx/error.log;
##
# Gzip
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
##
# GeoIP
##
#GeoIP (optional)
#geoip_country /usr/local/share/GeoIP/GeoIP.dat;
#geoip_city /usr/local/share/GeoIP/GeoLiteCity.dat;
##
# Performance and Cache
##
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
#Enable 0-RTT support for TLS 1.3
ssl_early_data on;
proxy_set_header Early-Data $ssl_early_data;
#Simple DOS mitigation
##Max c/s by ip
limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
limit_conn limit_per_ip 40;
##Max rq/s by ip
limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
limit_req zone=allips burst=400 nodelay;
#PHP
fastcgi_buffers 256 32k;
fastcgi_buffer_size 256k;
fastcgi_connect_timeout 4s;
fastcgi_send_timeout 120s;
fastcgi_read_timeout 120s;
fastcgi_busy_buffers_size 512k;
fastcgi_temp_file_write_size 512K;
reset_timedout_connection on;
#Others
open_file_cache max=2000 inactive=20s;
open_file_cache_valid 60s;
open_file_cache_min_uses 5;
open_file_cache_errors off;
client_max_body_size 50M;
client_body_buffer_size 1m;
client_body_timeout 15;
client_header_timeout 15;
keepalive_timeout 65;
send_timeout 15;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
}