# Configuration File - Nginx Server Configs # https://nginx.org/en/docs/ # Run as a unique, less privileged user for security reasons. # Default: nobody nobody # https://nginx.org/en/docs/ngx_core_module.html#user # https://en.wikipedia.org/wiki/Principle_of_least_privilege user www-data; # Sets the worker threads to the number of CPU cores available in the system for best performance. # Should be > the number of CPU cores. # Maximum number of connections = worker_processes * worker_connections # Default: 1 # https://nginx.org/en/docs/ngx_core_module.html#worker_processes worker_processes auto; # Maximum number of open files per worker process. # Should be > worker_connections. # Default: no limit # https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile worker_rlimit_nofile 8192; # Provides the configuration file context in which the directives # that affect connection processing are specified. # https://nginx.org/en/docs/ngx_core_module.html#events events { # If you need more connections than this, you start optimizing your OS. # That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests. # Should be < worker_rlimit_nofile. # Default: 512 # https://nginx.org/en/docs/ngx_core_module.html#worker_connections worker_connections 8000; } # Log errors and warnings to this file # This is only used when you don't override it on a server{} level # Default: logs/error.log error # https://nginx.org/en/docs/ngx_core_module.html#error_log error_log /var/log/nginx/error.log warn; # The file storing the process ID of the main process # Default: logs/nginx.pid # https://nginx.org/en/docs/ngx_core_module.html#pid pid /var/run/nginx.pid; http { # Hide nginx version information. include h5bp/security/server_software_information.conf; # Specify MIME types for files. include h5bp/media_types/media_types.conf; # Set character encodings. include h5bp/media_types/character_encodings.conf; # Include $http_x_forwarded_for within default format used in log files # https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; # Log access to this file # This is only used when you don't override it on a server{} level # Default: logs/access.log combined # https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log access_log /var/log/nginx/access.log main; # How long to allow each connection to stay idle. # Longer values are better for each individual client, particularly for SSL, # but means that worker connections are tied up longer. # Default: 75s # https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout keepalive_timeout 20s; # Speed up file transfers by using sendfile() to copy directly # between descriptors rather than using read()/write(). # For performance reasons, on FreeBSD systems w/ ZFS # this option should be disabled as ZFS's ARC caches # frequently used files in RAM by default. # Default: off # https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile sendfile on; # Don't send out partial frames; this increases throughput # since TCP frames are filled up before being sent out. # Default: off # https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush tcp_nopush on; # Enable gzip compression. include h5bp/web_performance/compression.conf; # Specify file cache expiration. include h5bp/web_performance/cache_expiration.conf; # Add X-XSS-Protection for HTML documents. # h5bp/security/x-xss-protection.conf map $sent_http_content_type $x_xss_protection { # (1) (2) text/html "1; mode=block"; } # Add X-Frame-Options for HTML documents. # h5bp/security/x-frame-options.conf map $sent_http_content_type $x_frame_options { text/html DENY; } # Add Content-Security-Policy for HTML documents. # h5bp/security/content-security-policy.conf map $sent_http_content_type $content_security_policy { text/html "script-src 'self'; object-src 'self'"; } # Add Referrer-Policy for HTML documents. # h5bp/security/referrer-policy.conf.conf map $sent_http_content_type $referrer_policy { text/html "no-referrer-when-downgrade"; } # Add X-UA-Compatible for HTML documents. # h5bp/internet_explorer/x-ua-compatible.conf map $sent_http_content_type $x_ua_compatible { text/html "IE=edge"; } # Add Access-Control-Allow-Origin. # h5bp/cross-origin/requests.conf map $sent_http_content_type $cors { # Images image/bmp "*"; image/gif "*"; image/jpeg "*"; image/png "*"; image/svg+xml "*"; image/webp "*"; image/x-icon "*"; # Web fonts font/collection "*"; application/vnd.ms-fontobject "*"; font/eot "*"; font/opentype "*"; font/otf "*"; application/x-font-ttf "*"; font/ttf "*"; application/font-woff "*"; application/x-font-woff "*"; font/woff "*"; application/font-woff2 "*"; font/woff2 "*"; } # Include files in the conf.d folder. # server{} configuration files should be placed in the conf.d folder. # The configurations should be disabled by prefixing files with a dot. include conf.d/*.conf; }