Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- ###_ IMPLEMENT
- ###_ 1. Enable clickjacking protection. Disabled by default.
- # nginx.conf
- user www-data;
- ## If you're using an Nginx version below 1.3.8 or 1.2. then uncomment
- ## the line below and set it to the number of cores of the
- ## server. Otherwise nginx will determine it automatically.
- #worker_processes 4;
- error_log /var/log/nginx/error.log;
- pid /var/run/nginx.pid;
- worker_rlimit_nofile 8192;
- events {
- worker_connections 4096;
- ## Accept as many connections as possible.
- multi_accept on;
- }
- http {
- ## MIME types.
- include mime.types;
- default_type application/octet-stream;
- ## FastCGI.
- include fastcgi.conf;
- ## Default log and error files.
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log;
- ## Use sendfile() syscall to speed up I/O operations and speed up
- ## static file serving.
- sendfile on;
- ## Handling of IPs in proxied and load balancing situations.
- set_real_ip_from 0.0.0.0/32; # all addresses get a real IP.
- real_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer/proxy
- ## Define a zone for limiting the number of simultaneous
- ## connections nginx accepts. 1m means 32000 simultaneous
- ## sessions. We need to define for each server the limit_conn
- ## value refering to this or other zones.
- limit_conn_zone $binary_remote_addr zone=arbeit:10m;
- ## Timeouts.
- client_body_timeout 60;
- client_header_timeout 60;
- keepalive_timeout 10 10;
- send_timeout 60;
- ## Reset lingering timed out connections. Deflect DDoS.
- reset_timedout_connection on;
- ## Body size.
- client_max_body_size 10m;
- ## TCP options.
- tcp_nodelay on;
- ## Optimization of socket handling when using sendfile.
- tcp_nopush on;
- ## Compression.
- gzip on;
- gzip_buffers 16 8k;
- gzip_comp_level 1;
- gzip_http_version 1.1;
- gzip_min_length 10;
- gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf;
- gzip_vary on;
- gzip_proxied any; # Compression for all requests.
- ## No need for regexps. See
- ## http://wiki.nginx.org/NginxHttpGzipModule#gzip_disable
- gzip_disable msie6;
- ## Serve already compressed files directly, bypassing on-the-fly
- ## compression.
- ##
- # Usually you don't make much use of this. It's better to just
- # enable gzip_static on the locations you need it.
- # gzip_static on;
- ## Hide the Nginx version number.
- server_tokens off;
- ## Use a SSL/TLS cache for SSL session resume. This needs to be
- ## here (in this context, for session resumption to work. See this
- ## thread on the Nginx mailing list:
- ## http://nginx.org/pipermail/nginx/2010-November/023736.html.
- ssl_session_cache shared:SSL:30m;
- ssl_session_timeout 1d;
- ## The server dictates the choice of cipher suites.
- ssl_prefer_server_ciphers on;
- ## Use only Perfect Forward Secrecy Ciphers. Fallback on non ECDH
- ## for crufty clients.
- ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+SHA384:ECDH+aRSA+SHA256:ECDH:EDH+CAMELLIA:EDH+aRSA:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA;
- ## No SSL2 support. Legacy support of SSLv3.
- ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
- ## Pregenerated Diffie-Hellman parameters.
- ssl_dhparam /etc/nginx/dh_param.pem;
- ## Curve to use for ECDH.
- ssl_ecdh_curve secp521r1;
- ## Enable OCSP stapling. A better way to revocate server certificates.
- ssl_stapling on;
- ## Fill in with your own resolver.
- resolver 8.8.8.8;
- ## Uncomment to increase map_hash_bucket_size. If start getting
- ## [emerg]: could not build the map_hash, you should increase
- ## map_hash_bucket_size: 64 in your
- ## logs. Cf. http://wiki.nginx.org/NginxOptimizations.
- ## See http://wiki.nginx.org/HttpMapModule#map_hash_bucket_size
- #map_hash_bucket_size 192;
- ## Uncomment to increase variables_hash_max_size if you start getting
- ## [emerg] could not build the variables_hash, you should increase
- ## either variables_hash_max_size: 512 or
- ## variables_hash_bucket_size: 64
- ## You only need to increase one. I chose to increase
- ## variables_hash_max_size to 1024 as this was recommended
- ## in nginx forum by developers.
- ## See this forum topic and responses
- ## http://forum.nginx.org/read.php?2,192277,192286#msg-192286
- ## See http://wiki.nginx.org/HttpCoreModule#variables_hash_bucket_size
- ## variables_hash_bucket_size was added for completeness but not
- ## changed from default.
- #variables_hash_max_size 1024; # default 512
- #variables_hash_bucket_size 64; # default is 64
- ## For the filefield_nginx_progress module to work. From the
- ## README. Reserve 1MB under the name 'uploads' to track uploads.
- upload_progress uploads 1m;
- ## Enable the builtin cross-site scripting (XSS) filter available
- ## in modern browsers. Usually enabled by default we just
- ## reinstate in case it has been somehow disabled for this
- ## particular server instance.
- ## https://www.owasp.org/index.php/List_of_useful_HTTP_headers.
- add_header X-XSS-Protection '1; mode=block';
- ## Enable clickjacking protection in modern browsers. Available in
- ## IE8 also. See
- ## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
- ## This may conflict with pseudo streaming (at least with Nginx version 1.0.12).
- ## Uncomment the line below if you're not using media streaming.
- ## For sites *using* frames uncomment the line below.
- #add_header X-Frame-Options SAMEORIGIN;
- ## For sites *not* using frames uncomment the line below.
- #add_header X-Frame-Options DENY;
- ## Block MIME type sniffing on IE.
- add_header X-Content-Options nosniff;
- ## Include the upstream servers for PHP FastCGI handling
- ## configuration. This setup uses UNIX sockets for talking with the
- ## upstream.
- include upstream_phpcgi_unix.conf;
- ## Include the map to block HTTP methods.
- include map_block_http_methods.conf;
- ## Include the php-fpm status allowed hosts configuration block.
- ## Uncomment to enable if you're running php-fpm.
- include php_fpm_status_allowed_hosts.conf;
- ## Include the Nginx stub status allowed hosts configuration block.
- include nginx_status_allowed_hosts.conf;
- ## Include blacklist for bad bot and referer blocking.
- include blacklist.conf;
- ## Include the caching setup. Needed for using Drupal with an external cache.
- include apps/drupal/map_cache.conf;
- ## Microcache zone definition for FastCGI.
- #include fastcgi_microcache_zone.conf;
- ## Include all vhosts.
- include sites-enabled/*;
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement