mierda
This commit is contained in:
parent
42c2c835c4
commit
f62080468d
|
@ -7,12 +7,9 @@ include /etc/nginx/modules-enabled/*.conf;
|
||||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
|
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
|
||||||
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
|
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
|
||||||
|
|
||||||
# This is where we load NJS modules
|
#Include external config
|
||||||
#load_module /usr/lib/nginx/modules/ngx_http_js_module.so;
|
include /etc/nginx/conf.d/*.conf;
|
||||||
#load_module /usr/lib/nginx/modules/ngx_stream_js_module.so;
|
|
||||||
|
|
||||||
# Include external config
|
|
||||||
#include /etc/nginx/conf.d/*.conf;
|
|
||||||
events {
|
events {
|
||||||
multi_accept on;
|
multi_accept on;
|
||||||
worker_connections 65535;
|
worker_connections 65535;
|
||||||
|
@ -24,6 +21,7 @@ stream {
|
||||||
|
|
||||||
http {
|
http {
|
||||||
|
|
||||||
|
# Basic Settings
|
||||||
charset utf-8;
|
charset utf-8;
|
||||||
sendfile on;
|
sendfile on;
|
||||||
tcp_nopush on;
|
tcp_nopush on;
|
||||||
|
@ -32,8 +30,9 @@ http {
|
||||||
log_not_found off;
|
log_not_found off;
|
||||||
types_hash_max_size 4096;
|
types_hash_max_size 4096;
|
||||||
types_hash_bucket_size 64;
|
types_hash_bucket_size 64;
|
||||||
client_max_body_size 16M;
|
|
||||||
|
|
||||||
|
# Virtual Host Configs
|
||||||
|
include /etc/nginx/sites-enabled/*.conf;
|
||||||
|
|
||||||
# MIME
|
# MIME
|
||||||
include mime.types;
|
include mime.types;
|
||||||
|
@ -41,43 +40,54 @@ http {
|
||||||
|
|
||||||
# SSL
|
# SSL
|
||||||
ssl_protocols TLSv1.2 TLSv1.3;
|
ssl_protocols TLSv1.2 TLSv1.3;
|
||||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
|
||||||
ssl_prefer_server_ciphers off;
|
ssl_prefer_server_ciphers off;
|
||||||
#
|
#
|
||||||
ssl_session_timeout 1d;
|
ssl_session_timeout 1d;
|
||||||
ssl_session_cache shared:MozSSL:10m;
|
ssl_session_cache shared:MozSSL:10m;
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
|
|
||||||
# Diffie-Hellman parameter for DHE ciphersuites
|
# Diffie-Hellman parameter for DHE ciphersuites
|
||||||
ssl_dhparam /etc/nginx/dhparam.pem;
|
ssl_dhparam /etc/nginx/dhparam.pem;
|
||||||
|
|
||||||
# OCSP Stapling
|
# HTTP2 Settings
|
||||||
#ssl_stapling on;
|
http2_max_field_size 64k;
|
||||||
#ssl_stapling_verify on;
|
http2_max_header_size 512k;
|
||||||
|
|
||||||
# Logging
|
# DDOS Protection
|
||||||
#access_log /var/log/nginx/access.log;
|
limit_conn_zone $binary_remote_addr zone=perip:10m;
|
||||||
#error_log /var/log/nginx/error.log warn;
|
limit_conn perip 100;
|
||||||
|
|
||||||
# General configs, include in every sites-enabled site
|
limit_req_zone $binary_remote_addr zone=engine:10m rate=2r/s;
|
||||||
#include configs/general.conf;
|
limit_req_zone $binary_remote_addr zone=static:10m rate=100r/s;
|
||||||
|
|
||||||
# Connection header for WebSocket reverse proxy
|
# reset timed out connections freeing ram
|
||||||
|
reset_timedout_connection on;
|
||||||
|
# maximum time between packets the client can pause when sending nginx any data
|
||||||
|
client_body_timeout 10s;
|
||||||
|
# maximum time the client has to send the entire header to nginx
|
||||||
|
client_header_timeout 10s;
|
||||||
|
# timeout which a single keep-alive client connection will stay open
|
||||||
|
keepalive_timeout 65s;
|
||||||
|
# maximum time between packets nginx is allowed to pause when sending the client data
|
||||||
|
send_timeout 10s;
|
||||||
|
|
||||||
|
# Connection header for WebSocket reverse proxy
|
||||||
map $http_upgrade $connection_upgrade {
|
map $http_upgrade $connection_upgrade {
|
||||||
default upgrade;
|
default upgrade;
|
||||||
"" close;
|
"" close;
|
||||||
}
|
}
|
||||||
|
|
||||||
map $remote_addr $proxy_forwarded_elem {
|
map $remote_addr $proxy_forwarded_elem {
|
||||||
|
|
||||||
# IPv4 addresses can be sent as-is
|
# IPv4 addresses can be sent as-is
|
||||||
~^[0-9.]+$ "for=$remote_addr";
|
~^[0-9.]+$ "for=$remote_addr";
|
||||||
|
|
||||||
# IPv6 addresses need to be bracketed and quoted
|
# IPv6 addresses need to be bracketed and quoted
|
||||||
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
|
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
|
||||||
|
|
||||||
# Unix domain socket names cannot be represented in RFC 7239 syntax
|
# Unix domain socket names cannot be represented in RFC 7239 syntax
|
||||||
default "for=unknown";
|
default "for=unknown";
|
||||||
}
|
}
|
||||||
|
|
||||||
map $http_forwarded $proxy_add_forwarded {
|
map $http_forwarded $proxy_add_forwarded {
|
||||||
|
@ -89,9 +99,5 @@ http {
|
||||||
default "$proxy_forwarded_elem";
|
default "$proxy_forwarded_elem";
|
||||||
}
|
}
|
||||||
|
|
||||||
# Include sites-enabled
|
|
||||||
include /etc/nginx/conf.d/*.conf;
|
|
||||||
include /etc/nginx/sites-enabled/*;
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -11,8 +11,6 @@ server {
|
||||||
include configs/proxyheaders.conf;
|
include configs/proxyheaders.conf;
|
||||||
}
|
}
|
||||||
|
|
||||||
#add_header Content-Security-Policy "default-src 'self'; script-src 'report-sample' 'self'; style-src 'report-sample' 'self'; object-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self'; manifest-src 'self'; media-src 'self'; worker-src 'none';";
|
|
||||||
|
|
||||||
# QUIC
|
# QUIC
|
||||||
add_header Alt-Svc 'h3=":443"; ma=86400';
|
add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue