86 lines
2.9 KiB
Nginx Configuration File
Executable File
86 lines
2.9 KiB
Nginx Configuration File
Executable File
|
|
worker_processes auto;
|
|
worker_rlimit_nofile 65535;
|
|
|
|
# Include Modules
|
|
include /etc/nginx/modules-enabled/*.conf;
|
|
#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
|
|
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; # for compressing responses on-the-fly
|
|
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # for serving pre-compressed files
|
|
|
|
# Include external config
|
|
include /etc/nginx/conf.d/*.conf;
|
|
|
|
events {
|
|
multi_accept on;
|
|
worker_connections 65535;
|
|
}
|
|
|
|
stream {
|
|
include /etc/nginx/streams/*.conf;
|
|
}
|
|
|
|
http {
|
|
|
|
charset utf-8;
|
|
sendfile on;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
server_tokens off;
|
|
log_not_found off;
|
|
types_hash_max_size 4096;
|
|
types_hash_bucket_size 64;
|
|
|
|
# MIME
|
|
include mime.types;
|
|
default_type application/octet-stream;
|
|
|
|
# SSL
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
|
|
ssl_prefer_server_ciphers off;
|
|
#
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:MozSSL:10m;
|
|
ssl_session_tickets off;
|
|
|
|
# Diffie-Hellman parameter for DHE ciphersuites
|
|
ssl_dhparam /etc/nginx/dhparam.pem;
|
|
|
|
# OCSP Stapling
|
|
#ssl_stapling on;
|
|
#ssl_stapling_verify on;
|
|
|
|
# Connection header for WebSocket reverse proxy
|
|
map $http_upgrade $connection_upgrade {
|
|
default upgrade;
|
|
"" close;
|
|
}
|
|
|
|
map $remote_addr $proxy_forwarded_elem {
|
|
|
|
# IPv4 addresses can be sent as-is
|
|
~^[0-9.]+$ "for=$remote_addr";
|
|
|
|
# IPv6 addresses need to be bracketed and quoted
|
|
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
|
|
|
|
# Unix domain socket names cannot be represented in RFC 7239 syntax
|
|
default "for=unknown";
|
|
}
|
|
|
|
map $http_forwarded $proxy_add_forwarded {
|
|
|
|
# If the incoming Forwarded header is syntactically valid, append to it
|
|
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
|
|
|
|
# Otherwise, replace it
|
|
default "$proxy_forwarded_elem";
|
|
}
|
|
|
|
# Include sites-enabled and config
|
|
# include /etc/nginx/conf.d/*.conf;
|
|
include /etc/nginx/sites-enabled/*;
|
|
|
|
}
|