103 lines
3.6 KiB
Nginx Configuration File
Executable file
103 lines
3.6 KiB
Nginx Configuration File
Executable file
worker_processes auto;
|
|
worker_rlimit_nofile 65535;
|
|
|
|
# Include Modules
|
|
include /etc/nginx/modules-enabled/*.conf;
|
|
#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
|
|
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
|
|
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
|
|
|
|
#Include external config
|
|
include /etc/nginx/conf.d/*.conf;
|
|
|
|
events {
|
|
multi_accept on;
|
|
worker_connections 65535;
|
|
}
|
|
|
|
stream {
|
|
include /etc/nginx/streams/*;
|
|
}
|
|
|
|
http {
|
|
|
|
# Basic Settings
|
|
charset utf-8;
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
server_tokens off;
|
|
log_not_found off;
|
|
types_hash_max_size 4096;
|
|
types_hash_bucket_size 64;
|
|
|
|
# Virtual Host Configs
|
|
include /etc/nginx/sites-enabled/*.conf;
|
|
|
|
# MIME
|
|
include mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
# SSL
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
|
|
ssl_prefer_server_ciphers off;
|
|
#
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:MozSSL:10m;
|
|
ssl_session_tickets off;
|
|
|
|
# Diffie-Hellman parameter for DHE ciphersuites
|
|
ssl_dhparam /etc/nginx/dhparam.pem;
|
|
|
|
# HTTP2 Settings
|
|
http2_max_field_size 64k;
|
|
http2_max_header_size 512k;
|
|
|
|
# DDOS Protection
|
|
limit_conn_zone $binary_remote_addr zone=perip:10m;
|
|
limit_conn perip 100;
|
|
|
|
limit_req_zone $binary_remote_addr zone=engine:10m rate=2r/s;
|
|
limit_req_zone $binary_remote_addr zone=static:10m rate=100r/s;
|
|
|
|
# reset timed out connections freeing ram
|
|
reset_timedout_connection on;
|
|
# maximum time between packets the client can pause when sending nginx any data
|
|
client_body_timeout 10s;
|
|
# maximum time the client has to send the entire header to nginx
|
|
client_header_timeout 10s;
|
|
# timeout which a single keep-alive client connection will stay open
|
|
keepalive_timeout 65s;
|
|
# maximum time between packets nginx is allowed to pause when sending the client data
|
|
send_timeout 10s;
|
|
|
|
# Connection header for WebSocket reverse proxy
|
|
map $http_upgrade $connection_upgrade {
|
|
default upgrade;
|
|
"" close;
|
|
}
|
|
|
|
map $remote_addr $proxy_forwarded_elem {
|
|
|
|
# IPv4 addresses can be sent as-is
|
|
~^[0-9.]+$ "for=$remote_addr";
|
|
|
|
# IPv6 addresses need to be bracketed and quoted
|
|
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
|
|
|
|
# Unix domain socket names cannot be represented in RFC 7239 syntax
|
|
default "for=unknown";
|
|
}
|
|
|
|
map $http_forwarded $proxy_add_forwarded {
|
|
|
|
# If the incoming Forwarded header is syntactically valid, append to it
|
|
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
|
|
|
|
# Otherwise, replace it
|
|
default "$proxy_forwarded_elem";
|
|
}
|
|
|
|
}
|
|
|