Proxy

1. user abc;
2. worker_processes 4;
3. pid /run/nginx.pid;
4.  
5. events {
6. worker_connections 768;
7. # multi_accept on;
8. }
9.  
10. http {
11. # Geoblock non-US IPs
12. geoip_country /usr/share/GeoIP/GeoIP.dat;
13. map $geoip_country_code $allowed_country {
14. default no;
15. # Allow US IPs only
16. US yes;
17. }
18. # Whitelist IPs
19. geo $exclusion {
20. default 0;
21.  
22. # Qualys SSL Labs
23. 64.41.200.0/24 1;
24. # Securityheaders
25. 192.241.216.219 1;
26. }
27.  
28. ##
29. # Basic Settings
30. ##
31.  
32. sendfile on;
33. tcp_nopush on;
34. tcp_nodelay on;
35. keepalive_timeout 65;
36. types_hash_max_size 2048;
37. server_tokens off;
38.  
39. client_max_body_size 0;
40.  
41. include /etc/nginx/mime.types;
42. default_type application/octet-stream;
43.  
44. ##
45. # Logging Settings
46. ##
47.  
48. access_log /config/log/nginx/access.log;
49. error_log /config/log/nginx/error.log;
50.  
51. ##
52. # Gzip Settings
53. ##
54.  
55. gzip on;
56. gzip_disable "msie6";
57.  
58. gzip_vary on;
59. gzip_proxied any;
60. gzip_comp_level 6;
61. gzip_buffers 16 8k;
62. gzip_min_length 1100;
63. # gzip_http_version 1.1;
64. gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
65.  
66. ##
67. # Virtual Host Configs
68. ##
69. include /etc/nginx/conf.d/*.conf;
70. include /config/nginx/site-confs/*;
71.  
72. ssl_protocols TLSv1.2;
73. ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA;
74. ssl_prefer_server_ciphers on;
75. ssl_session_cache shared:SSL:10m;
76. add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
77. add_header X-Frame-Options SAMEORIGIN;
78. add_header X-Content-Type-Options nosniff;
79. add_header X-XSS-Protection "1; mode=block";
80. add_header X-Robots-Tag none;
81. ssl_stapling on; # Requires nginx >= 1.3.7
82. ssl_stapling_verify on; # Requires nginx => 1.3.7
83.  
84. }
85.  
86. daemon off;