# Server globals
# Worker processes run under the "apache" account rather than a dedicated
# nginx account, so they hold whatever file permissions that account has.
# NOTE(review): presumably shared with a co-hosted Apache so both can read the
# same web roots -- confirm, and keep that account's write access minimal.
user                 apache;
# One worker per available CPU core.
worker_processes     auto;
# Per-worker open-file limit; has to cover client sockets plus upstream
# connections and cache/temp files.
worker_rlimit_nofile 65535;
# No level is given, so nginx's default severity ("error") applies.
error_log            /var/log/nginx/error.log;
pid                  /run/nginx.pid;
# Wildcard includes in the main context: every *.conf found in these
# directories becomes part of the configuration, so write access to both
# directories should be limited to administrators.
include              /etc/nginx/conf.d/main/*.conf;
include              /etc/nginx/modules-enabled/*.conf;
# Worker config
events {
	# Upper bound on simultaneous connections per worker; this count includes
	# connections to upstreams, not only client connections.
	worker_connections 1024;
	# Linux epoll connection-processing method.
	use                epoll;
	# A worker accepts all pending connections at once instead of one at a time.
	multi_accept       on;
}
# Defaults inherited by every server block pulled in by the includes at the
# end of this block. Caching zones, TLS parameters and proxy/FastCGI tuning are
# defined here; whether a given site uses them is decided in the included files.
http {
	# Main settings
	sendfile                        on;
	tcp_nopush                      on;
	tcp_nodelay                     on;
	# Both timeouts are three times nginx's 60s default. A client that sends
	# headers or body slowly can hold a connection for that long, and each
	# worker has only 1024 connections (see events{}).
	client_header_timeout           180s;
	client_body_timeout             180s;
	client_header_buffer_size       2k;
	client_body_buffer_size         256k;
	# Request bodies up to 1 GiB are accepted by default (nginx default: 1m).
	# Sites that do not need large uploads can lower this per server/location.
	client_max_body_size            1024m;
	large_client_header_buffers     4 8k;
	send_timeout                    60s;
	keepalive_timeout               30s;
	keepalive_requests              10000;
	reset_timedout_connection       on;
	# Hide the nginx version in the Server header and on built-in error pages.
	server_tokens                   off;
	# Redirects issued by nginx use the Host from the request, not server_name.
	server_name_in_redirect         off;
	server_names_hash_max_size      512;
	server_names_hash_bucket_size   512;
	charset                         utf-8;
	# FastCGI settings
	fastcgi_buffers                 512 4k;
	fastcgi_buffer_size             256k;
	fastcgi_busy_buffers_size       256k;
	fastcgi_temp_file_write_size    256k;
	fastcgi_connect_timeout         30s;
	fastcgi_read_timeout            300s;
	fastcgi_send_timeout            180s;
	# Only one request at a time populates a given cache entry; others wait up
	# to 5s before being passed to the backend.
	fastcgi_cache_lock              on;
	fastcgi_cache_lock_timeout      5s;
	fastcgi_cache_background_update on;
	fastcgi_cache_revalidate        on;
	# Proxy settings
	proxy_redirect                  off;
	proxy_set_header                Host $host;
	# Tells the proxied backend whether the request arrived as TLS 1.3 early
	# data (see ssl_early_data below). $rfc_early_data is not defined in this
	# file, so it has to come from one of the included files.
	# NOTE(review): no equivalent fastcgi_param is visible here -- confirm that
	# FastCGI backends also learn about early data.
	proxy_set_header                Early-Data $rfc_early_data;
	# $remote_addr is the TCP peer unless a realip configuration rewrites it.
	proxy_set_header                X-Real-IP $remote_addr;
	# Appends $remote_addr to whatever X-Forwarded-For the client sent; the
	# earlier entries are client-controlled, so backends should trust only the
	# last hop.
	proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_pass_header               Set-Cookie;
	proxy_buffers                   256 4k;
	proxy_buffer_size               32k;
	proxy_busy_buffers_size         32k;
	proxy_temp_file_write_size      256k;
	proxy_connect_timeout           30s;
	proxy_read_timeout              300s;
	proxy_send_timeout              180s;
	# Log format
	# Note for log parsing: $request is written unquoted while $status is
	# quoted. $http_x_forwarded_for, $http_referer and $http_user_agent are
	# client-supplied values and must not be treated as authoritative.
	log_format                      main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
	log_format                      bytes '$body_bytes_sent';
	# Missing-file errors are not written to error_log.
	log_not_found                   off;
	# Access logging is off by default at this level; requests are recorded
	# only where a server/location block sets its own access_log.
	# NOTE(review): confirm every included site enables one, otherwise there is
	# no request trail for incident response.
	access_log                      off;
	# Mime settings
	include                         /etc/nginx/mime.types;
	default_type                    application/octet-stream;
	# Compression
	# Compression applies to text/html (always) plus the gzip_types list, and
	# with gzip_proxied any also to proxied requests. Responses served over TLS
	# that mix secrets with reflected request data are exposed to
	# compression-length side channels (BREACH); such endpoints may need gzip
	# turned off at location level.
	gzip                            on;
	gzip_vary                       on;
	# Serve a pre-compressed ".gz" sibling of a static file when one exists.
	gzip_static                     on;
	gzip_comp_level                 6;
	gzip_min_length                 1024;
	gzip_buffers                    128 4k;
	gzip_http_version               1.1;
	gzip_types                      text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;
	gzip_proxied                    any;
	# Cloudflare IPs
	# NOTE(review): the included file is not shown; presumably it holds
	# set_real_ip_from / real_ip_header entries. If so, the address list must be
	# kept current, and any range listed there is trusted to set the client IP.
	include                         /etc/nginx/conf.d/cloudflare.inc;
	# SSL PCI compliance
	ssl_buffer_size                 1369;
	# Applies to TLS 1.2 and below; TLS 1.3 suites are not selected by this
	# directive. AEAD suites (GCM, CHACHA20-POLY1305) come first; the last six
	# entries are CBC-mode suites kept for older clients.
	ssl_ciphers                     "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256";
	# Parameters for the DHE-* suites above; the file should hold a group of at
	# least 2048 bits.
	ssl_dhparam                     /etc/pki/tls/dhparam.pem;
	# TLS 1.3 0-RTT. Requests sent as early data can be replayed by an on-path
	# attacker, so backends should refuse non-idempotent requests that carry
	# "Early-Data: 1" (HTTP 425) or the feature should be disabled for sites
	# that cannot make that distinction.
	ssl_early_data                  on;
	ssl_ecdh_curve                  auto;
	ssl_prefer_server_ciphers       on;
	ssl_protocols                   TLSv1.2 TLSv1.3;
	ssl_session_cache               shared:SSL:20m;
	# Tickets are enabled with a 7-day session lifetime and no
	# ssl_session_ticket_key in this file.
	# NOTE(review): a ticket key that lives for a long time weakens forward
	# secrecy for resumed sessions -- confirm how often the key is renewed.
	ssl_session_tickets             on;
	ssl_session_timeout             7d;
	# Public resolvers queried over plain DNS. nginx's documentation recommends
	# resolvers on a trusted local network to limit DNS spoofing of the names
	# nginx resolves at run time.
	resolver                        1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
	resolver_timeout                5s;
	# Error pages
	# 403 responses show the 404 page body; without an "=404" the status code
	# sent to the client remains 403.
	error_page                      403 /error/404.html;
	error_page                      404 /error/404.html;
	error_page                      410 /error/410.html;
	error_page                      500 501 502 503 504 505 /error/50x.html;
	# Proxy cache
	# This only defines the "cache" zone and its defaults; nothing is cached
	# until a server/location enables proxy_cache for it.
	proxy_cache_path                /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
	# The key has no cookie or Authorization component, so one stored response
	# is served to every client requesting the same URL.
	proxy_cache_key                 "$scheme$request_method$host$request_uri";
	proxy_temp_path                 /var/cache/nginx/temp;
	# The upstream's Cache-Control/Expires (including "private" and "no-store")
	# are ignored and any status is kept for a day. Set-Cookie is not in this
	# list, so responses that set a cookie are still left uncached.
	proxy_ignore_headers            Cache-Control Expires;
	proxy_cache_use_stale           error timeout invalid_header updating http_502;
	proxy_cache_valid               any 1d;
	# FastCGI cache
	fastcgi_cache_path              /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m inactive=30m max_size=1024m;
	fastcgi_cache_key               "$scheme$request_method$host$request_uri";
	# Set-Cookie is ignored here as well, so a response that sets a cookie is
	# cacheable and, unless the header is hidden, would be replayed to other
	# clients together with that cookie. Any location enabling "microcache"
	# needs fastcgi_no_cache / fastcgi_cache_bypass (e.g. with $no_cache below).
	# NOTE(review): those directives are not in this file -- verify in the
	# per-domain templates.
	fastcgi_ignore_headers          Cache-Control Expires Set-Cookie;
	fastcgi_cache_use_stale         error timeout invalid_header updating http_500 http_503;
	# Exposes cache status (HIT/MISS/...) to clients. add_header is inherited
	# only by levels that define no add_header of their own.
	add_header                      X-FastCGI-Cache $upstream_cache_status;

	# Cache bypass
	# $no_cache becomes 1 when the request's Cookie header matches one of the
	# case-sensitive patterns below. Applications whose session cookie uses a
	# different name are not covered, and the variable has an effect only where
	# a cache directive references it.
	map $http_cookie $no_cache {
		default              0;
		~SESS                1;
		~wordpress_logged_in 1;
	}

	# File cache (static assets)
	open_file_cache                 max=10000 inactive=30s;
	open_file_cache_valid           60s;
	open_file_cache_min_uses        2;
	open_file_cache_errors          off;
	# Wildcard include
	# Every *.conf in these directories is loaded into the http context; write
	# access to them should be limited to administrators.
	include                         /etc/nginx/conf.d/*.conf;
	include                         /etc/nginx/conf.d/domains/*.conf;
}