222 lines
No EOL
6.9 KiB
Nginx Configuration File
222 lines
No EOL
6.9 KiB
Nginx Configuration File
user root;
|
|
worker_processes auto;
|
|
pid /run/nginx.pid;
|
|
error_log /var/log/nginx/error.log notice;
|
|
worker_rlimit_nofile 65535;
|
|
include /etc/nginx/modules-enabled/*.conf;
|
|
|
|
events {
|
|
use epoll;
|
|
worker_connections 65535;
|
|
# multi_accept on;
|
|
epoll_events 512;
|
|
}
|
|
|
|
http {
|
|
|
|
##
|
|
# Basic Settings
|
|
##
|
|
|
|
geoip_country /etc/nginx/geoip/GeoIP.dat; # the country IP database
|
|
geoip_city /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database
|
|
|
|
real_ip_recursive on;
|
|
|
|
set_real_ip_from 127.0.0.1;
|
|
set_real_ip_from 10.0.0.0/8;
|
|
set_real_ip_from 172.16.0.0/12;
|
|
set_real_ip_from 192.168.0.0/16;
|
|
#real_ip_header X-Forwarded-For;
|
|
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
|
|
log_format cloudflare '$http_cf_connecting_ip - $remote_user [$time_local] "$request" '
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
|
|
|
|
##
|
|
# Define fastcgi_cache settings
|
|
##
|
|
|
|
# FastCGI Cache Settings
|
|
fastcgi_cache_key "$scheme$request_method$host$request_uri$cookie_pll_language";
|
|
fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
|
|
fastcgi_cache_methods GET HEAD;
|
|
fastcgi_buffers 256 32k; # Reduced number of buffers, still maintaining good performance
|
|
fastcgi_buffer_size 256k; # Reduced to better match common response sizes
|
|
fastcgi_connect_timeout 3s; # Reduced to fail faster
|
|
fastcgi_send_timeout 180s; # Increased for better reliability with slow upstream
|
|
fastcgi_busy_buffers_size 512k;
|
|
fastcgi_temp_file_write_size 512k;
|
|
fastcgi_param SERVER_NAME $http_host;
|
|
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
|
|
fastcgi_keep_conn on;
|
|
fastcgi_cache_lock on;
|
|
fastcgi_cache_lock_age 1s; # Increased to reduce cache stampede
|
|
fastcgi_cache_lock_timeout 5s; # Increased for better reliability
|
|
|
|
# Proxy Settings
|
|
proxy_buffers 4 256k; # Optimized for typical response sizes
|
|
proxy_buffer_size 128k; # Adjusted for headers
|
|
proxy_busy_buffers_size 256k; # Reduced to save memory
|
|
proxy_connect_timeout 600; # Reduced to fail faster
|
|
proxy_send_timeout 600; # Balanced timeout
|
|
proxy_read_timeout 600; # Balanced timeout
|
|
|
|
# TCP Settings
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
# aio threads; # Enable async I/O with threads
|
|
# directio 512; # Enable direct I/O for files > 512 bytes
|
|
|
|
# Timeout Settings
|
|
send_timeout 60; # Reduced to free resources faster
|
|
keepalive_timeout 65; # Optimal for most cases
|
|
keepalive_requests 2048; # Increased for better performance
|
|
|
|
# Client Request Settings
|
|
client_body_buffer_size 16k; # Increased for better performance
|
|
client_header_buffer_size 2k; # Increased slightly
|
|
large_client_header_buffers 4 8k; # Reduced buffer size
|
|
client_body_timeout 15; # Reduced for faster failure detection
|
|
client_header_timeout 15; # Reduced for faster failure detection
|
|
client_max_body_size 100M; # Increased to handle larger uploads
|
|
|
|
# Performance Settings
|
|
server_tokens off;
|
|
port_in_redirect off;
|
|
access_log off;
|
|
|
|
# File Cache Settings
|
|
open_file_cache max=500000 inactive=60s; # Increased cache size
|
|
open_file_cache_valid 120s; # Increased validity
|
|
open_file_cache_min_uses 2; # Reduced to cache more files
|
|
open_file_cache_errors on;
|
|
types_hash_max_size 4096; # Increased for more MIME types
|
|
|
|
map $scheme $fastcgi_https { ## Detect when HTTPS is used
|
|
default off;
|
|
https on;
|
|
}
|
|
|
|
include /etc/nginx/blocked_ips;
|
|
# include /etc/nginx/blocked_bots;
|
|
|
|
pagespeed off;
|
|
pagespeed XHeaderValue 1;
|
|
|
|
|
|
|
|
##
|
|
# SSL Settings - Hardened Configuration
|
|
##
|
|
|
|
ssl_conf_command Options KTLS; # Kernel TLS for better performance
|
|
|
|
# Strict ciphersuite selection - most secure TLS 1.3 ciphersuites only, prioritizing security
|
|
ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
|
|
|
|
# TLS 1.3 only - no fallback to older versions
|
|
ssl_protocols TLSv1.3;
|
|
|
|
# Optimized session cache settings
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 4h;
|
|
ssl_session_tickets off;
|
|
|
|
# Use only the strongest curve
|
|
ssl_ecdh_curve secp384r1;
|
|
|
|
ssl_prefer_server_ciphers on;
|
|
|
|
# Use more reliable DNS resolvers with DNSSEC support
|
|
resolver 9.9.9.9 149.112.112.112 valid=3600s;
|
|
resolver_timeout 2s;
|
|
|
|
# OCSP Stapling
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
ssl_dhparam /etc/nginx/ssl/dhparams.pem;
|
|
|
|
# 0-RTT can be risky for some applications - disable if you handle sensitive data
|
|
ssl_early_data on;
|
|
|
|
# Strict security headers
|
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
|
|
# HTTP/3 support with strict settings
|
|
add_header alt-svc 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400';
|
|
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
##
|
|
# Logging Settings
|
|
##
|
|
|
|
access_log /var/log/nginx/access.log;
|
|
error_log /var/log/nginx/error.log;
|
|
|
|
|
|
##
|
|
# Limit the requests for php
|
|
##
|
|
limit_conn_zone $binary_remote_addr zone=perip:10m;
|
|
limit_req_zone $binary_remote_addr zone=limit:10m rate=1r/s;
|
|
|
|
##
|
|
# Gzip Settings
|
|
##
|
|
|
|
gzip on;
|
|
# gzip_static on;
|
|
gzip_min_length 1000;
|
|
gzip_http_version 1.1;
|
|
gzip_comp_level 5;
|
|
gzip_disable "MSIE [4-6]\.";
|
|
gzip_proxied any;
|
|
gzip_vary on;
|
|
gzip_types text/plain
|
|
text/xml
|
|
text/css
|
|
text/javascript
|
|
application/json
|
|
application/javascript
|
|
application/x-javascript
|
|
application/ecmascript
|
|
application/xml
|
|
application/rss+xml
|
|
application/atom+xml
|
|
application/rdf+xml
|
|
application/xml+rss
|
|
application/xhtml+xml
|
|
application/x-font-ttf
|
|
application/x-font-opentype
|
|
application/vnd.ms-fontobject
|
|
image/svg+xml
|
|
image/x-icon
|
|
application/atom_xml;
|
|
|
|
gzip_buffers 32 16k;
|
|
|
|
|
|
##
|
|
# Brotli Settings
|
|
##
|
|
|
|
brotli on;
|
|
brotli_comp_level 8;
|
|
brotli_static on;
|
|
brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg application/javascript image/svg+xml;
|
|
|
|
##
|
|
# Virtual Host Configs
|
|
##
|
|
include /etc/nginx/conf.d/*.conf;
|
|
include /etc/nginx/sites-enabled/*.conf;
|
|
} |