server-configs-nginx/nginx.conf

151 lines
5.1 KiB
Nginx Configuration File
Raw Normal View History

2016-01-23 14:45:07 +01:00
# Configuration File - Nginx Server Configs
2018-11-25 22:07:01 +01:00
# https://nginx.org/en/docs/
2016-01-23 14:45:07 +01:00
# Run as a unique, less privileged user for security reasons.
# Default: nobody nobody
# https://nginx.org/en/docs/ngx_core_module.html#user
# https://en.wikipedia.org/wiki/Principle_of_least_privilege
user www-data;
2016-01-23 14:45:07 +01:00
# Sets the worker threads to the number of CPU cores available in the system for best performance.
# Should be > the number of CPU cores.
# Maximum number of connections = worker_processes * worker_connections
# Default: 1
# https://nginx.org/en/docs/ngx_core_module.html#worker_processes
2015-08-30 03:05:56 +02:00
worker_processes auto;
2016-01-23 14:45:07 +01:00
# Maximum number of open files per worker process.
# Should be > worker_connections.
# Default: no limit
# https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
worker_rlimit_nofile 8192;
# Provides the configuration file context in which the directives
# that affect connection processing are specified.
# https://nginx.org/en/docs/ngx_core_module.html#events
events {
2016-01-23 14:45:07 +01:00
# If you need more connections than this, you start optimizing your OS.
2016-03-22 16:23:52 +01:00
# That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
2016-01-23 14:45:07 +01:00
# Should be < worker_rlimit_nofile.
# Default: 512
# https://nginx.org/en/docs/ngx_core_module.html#worker_connections
2013-01-12 21:16:02 +01:00
worker_connections 8000;
}
2016-01-23 14:45:07 +01:00
# Log errors and warnings to this file
# This is only used when you don't override it on a server{} level
# Default: logs/error.log error
# https://nginx.org/en/docs/ngx_core_module.html#error_log
error_log /var/log/nginx/error.log warn;
2016-01-23 14:45:07 +01:00
# The file storing the process ID of the main process
# Default: logs/nginx.pid
# https://nginx.org/en/docs/ngx_core_module.html#pid
pid /var/run/nginx.pid;
http {
# Hide nginx version information.
include h5bp/security/server_software_information.conf;
2016-01-23 14:45:07 +01:00
# Specify MIME types for files.
include h5bp/media_types/media_types.conf;
# Set character encodings.
include h5bp/media_types/character_encodings.conf;
2016-01-23 14:45:07 +01:00
# Include $http_x_forwarded_for within default format used in log files
# https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
2016-01-23 14:45:07 +01:00
# Log access to this file
# This is only used when you don't override it on a server{} level
# Default: logs/access.log combined
# https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
access_log /var/log/nginx/access.log main;
2016-01-23 14:45:07 +01:00
# How long to allow each connection to stay idle.
# Longer values are better for each individual client, particularly for SSL,
# but means that worker connections are tied up longer.
# Default: 75s
# https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
keepalive_timeout 20s;
# Speed up file transfers by using sendfile() to copy directly
# between descriptors rather than using read()/write().
# For performance reasons, on FreeBSD systems w/ ZFS
# this option should be disabled as ZFS's ARC caches
# frequently used files in RAM by default.
# Default: off
# https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
sendfile on;
2016-01-23 14:45:07 +01:00
# Don't send out partial frames; this increases throughput
# since TCP frames are filled up before being sent out.
# Default: off
# https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush
tcp_nopush on;
2016-01-23 14:45:07 +01:00
# Enable gzip compression.
include h5bp/web_performance/compression.conf;
# Specify file cache expiration.
include h5bp/web_performance/cache_expiration.conf;
# Add X-XSS-Protection for HTML documents.
# h5bp/security/x-xss-protection.conf
map $sent_http_content_type $x_xss_protection {
2019-03-09 02:44:10 +01:00
# (1) (2)
~*text/html "1; mode=block";
}
# Add X-Frame-Options for HTML documents.
# h5bp/security/x-frame-options.conf
map $sent_http_content_type $x_frame_options {
2019-03-09 02:44:10 +01:00
~*text/html DENY;
}
# Add Content-Security-Policy for HTML documents.
# h5bp/security/content-security-policy.conf
map $sent_http_content_type $content_security_policy {
2019-03-09 02:44:10 +01:00
~*text/html "script-src 'self'; object-src 'self'";
}
# Add Referrer-Policy for HTML documents.
# h5bp/security/referrer-policy.conf.conf
map $sent_http_content_type $referrer_policy {
2019-03-09 02:44:10 +01:00
~*text/html "no-referrer-when-downgrade";
}
# Add X-UA-Compatible for HTML documents.
# h5bp/internet_explorer/x-ua-compatible.conf
map $sent_http_content_type $x_ua_compatible {
2019-03-09 02:44:10 +01:00
~*text/html "IE=edge";
}
# Add Access-Control-Allow-Origin.
# h5bp/cross-origin/requests.conf
map $sent_http_content_type $cors {
# Images
2019-03-09 02:44:10 +01:00
~*image/ "*";
# Web fonts
2019-03-09 02:44:10 +01:00
~*font/ "*";
~*application/vnd.ms-fontobject "*";
~*application/x-font-ttf "*";
~*application/font-woff "*";
~*application/x-font-woff "*";
~*application/font-woff2 "*";
}
# Include files in the conf.d folder.
# server{} configuration files should be placed in the conf.d folder.
# The configurations should be disabled by prefixing files with a dot.
include conf.d/*.conf;
}