138 lines
4.9 KiB
Nginx Configuration File
138 lines
4.9 KiB
Nginx Configuration File
# Configuration File - Nginx Server Configs
|
|
# https://nginx.org/en/docs/
|
|
|
|
# Run as a unique, less privileged user for security reasons.
|
|
# Default: nobody nobody
|
|
# https://nginx.org/en/docs/ngx_core_module.html#user
|
|
# https://en.wikipedia.org/wiki/Principle_of_least_privilege
|
|
user www-data;
|
|
|
|
# Sets the worker threads to the number of CPU cores available in the system for
|
|
# best performance. Should be > the number of CPU cores.
|
|
# Maximum number of connections = worker_processes * worker_connections
|
|
# Default: 1
|
|
# https://nginx.org/en/docs/ngx_core_module.html#worker_processes
|
|
worker_processes auto;
|
|
|
|
# Maximum number of open files per worker process.
|
|
# Should be > worker_connections.
|
|
# Default: no limit
|
|
# https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
|
|
worker_rlimit_nofile 8192;
|
|
|
|
# Provides the configuration file context in which the directives that affect
|
|
# connection processing are specified.
|
|
# https://nginx.org/en/docs/ngx_core_module.html#events
|
|
events {
|
|
|
|
# If you need more connections than this, you start optimizing your OS.
|
|
# That's probably the point at which you hire people who are smarter than you
|
|
# as this is *a lot* of requests.
|
|
# Should be < worker_rlimit_nofile.
|
|
# Default: 512
|
|
# https://nginx.org/en/docs/ngx_core_module.html#worker_connections
|
|
worker_connections 8000;
|
|
|
|
}
|
|
|
|
# Log errors and warnings to this file
|
|
# This is only used when you don't override it on a `server` level
|
|
# Default: logs/error.log error
|
|
# https://nginx.org/en/docs/ngx_core_module.html#error_log
|
|
error_log /var/log/nginx/error.log warn;
|
|
|
|
# The file storing the process ID of the main process
|
|
# Default: logs/nginx.pid
|
|
# https://nginx.org/en/docs/ngx_core_module.html#pid
|
|
pid /var/run/nginx.pid;
|
|
|
|
http {
|
|
|
|
# Hide Nginx version information.
|
|
include h5bp/security/server_software_information.conf;
|
|
|
|
# Specify media (MIME) types for files.
|
|
include h5bp/media_types/media_types.conf;
|
|
|
|
# Set character encodings.
|
|
include h5bp/media_types/character_encodings.conf;
|
|
|
|
# Include $http_x_forwarded_for within default format used in log files
|
|
# https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
|
|
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
|
'$status $body_bytes_sent "$http_referer" '
|
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
|
|
# Log access to this file
|
|
# This is only used when you don't override it on a `server` level
|
|
# Default: logs/access.log combined
|
|
# https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
|
|
access_log /var/log/nginx/access.log main;
|
|
|
|
# How long to allow each connection to stay idle.
|
|
# Longer values are better for each individual client, particularly for SSL,
|
|
# but means that worker connections are tied up longer.
|
|
# Default: 75s
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
|
|
keepalive_timeout 20s;
|
|
|
|
# Speed up file transfers by using `sendfile()` to copy directly between
|
|
# descriptors rather than using `read()`/`write()``.
|
|
# For performance reasons, on FreeBSD systems w/ ZFS this option should be
|
|
# disabled as ZFS's ARC caches frequently used files in RAM by default.
|
|
# Default: off
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
|
|
sendfile on;
|
|
|
|
# Don't send out partial frames; this increases throughput since TCP frames
|
|
# are filled up before being sent out.
|
|
# Default: off
|
|
# https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush
|
|
tcp_nopush on;
|
|
|
|
# Enable gzip compression.
|
|
include h5bp/web_performance/compression.conf;
|
|
|
|
# Specify file cache expiration.
|
|
include h5bp/web_performance/cache_expiration.conf;
|
|
|
|
# Add X-Frame-Options for HTML documents.
|
|
# h5bp/security/x-frame-options.conf
|
|
map $sent_http_content_type $x_frame_options {
|
|
~*text/html DENY;
|
|
}
|
|
|
|
# Add Content-Security-Policy for HTML documents.
|
|
# h5bp/security/content-security-policy.conf
|
|
map $sent_http_content_type $content_security_policy {
|
|
~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests";
|
|
}
|
|
|
|
# Add Referrer-Policy for HTML documents.
|
|
# h5bp/security/referrer-policy.conf.conf
|
|
map $sent_http_content_type $referrer_policy {
|
|
~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin";
|
|
}
|
|
|
|
# Add Access-Control-Allow-Origin.
|
|
# h5bp/cross-origin/requests.conf
|
|
map $sent_http_content_type $cors {
|
|
# Images
|
|
~*image/ "*";
|
|
|
|
# Web fonts
|
|
~*font/ "*";
|
|
~*application/vnd.ms-fontobject "*";
|
|
~*application/x-font-ttf "*";
|
|
~*application/font-woff "*";
|
|
~*application/x-font-woff "*";
|
|
~*application/font-woff2 "*";
|
|
}
|
|
|
|
# Include files in the conf.d folder.
|
|
# `server` configuration files should be placed in the conf.d folder.
|
|
# The configurations should be disabled by prefixing files with a dot.
|
|
include conf.d/*.conf;
|
|
|
|
}
|