- # Worker processes run under the "nginx" account.
- user nginx;
- # "auto" lets nginx pick the number of worker processes from the CPU count.
- worker_processes auto;
- error_log /var/log/nginx/error.log;
- pid /run/nginx.pid;
- events {
- # Per-worker connection limit; on a caching proxy this also counts connections to the origin.
- worker_connections 1024;
- }
- http {
- # Access-log format "main": client address, authenticated user, timestamp, cache status
- # ($upstream_cache_status: HIT, MISS, STALE, ...), request line, status, body size,
- # Referer, User-Agent and X-Forwarded-For.
- # NOTE(review): the request line, Referer, User-Agent and X-Forwarded-For are client-supplied;
- # treat them as untrusted in anything that parses or displays this log.
- log_format main '$remote_addr - $remote_user [$time_local] $upstream_cache_status "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
- access_log /var/log/nginx/access.log main;
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- keepalive_timeout 65;
- types_hash_max_size 4096;
- include /etc/nginx/mime.types;
- # Fallback type for files with no mime.types match: delivered as a generic binary download.
- default_type application/octet-stream;
- # On-disk cache in /var/cache/fdroid with a two-level directory layout; the shared-memory zone
- # "fdroid_cache" (10 MB) holds the keys, the cache is capped at 12 GB, entries not requested
- # for 24h are evicted, and temporary files are written directly into the cache directory.
- # NOTE(review): verify that /var/cache/fdroid is writable by the nginx user only.
- proxy_cache_path /var/cache/fdroid levels=1:2 keys_zone=fdroid_cache:10m max_size=12g
- inactive=24h use_temp_path=off;
- # Maps the request to a lifetime in seconds, exposed as $max_age (its use is not shown in this part).
- # Regex entries ("~") are tried in the order written and the first match wins.
- # NOTE(review): $request_uri includes the query string, so the "$"-anchored patterns below do
- # not match a request that carries arguments; such a request falls back to the 600 s default.
- # NOTE(review): several dots are unescaped ("FDroid.apk", ".apk.asc", ".tar.gz", "icon.png") and
- # match any character; "^/FDroid.apk" also has no end anchor. Escape and anchor them if the
- # match is meant to be exact.
- map $request_uri $max_age {
- default 600; # 10 min default (for html and the index files)
- ~^/assets/ 43200; # 12 hours for website assets
- ~^/js/ 43200;
- ~^/css/ 43200;
- ~^/FDroid.apk 86400; # 1 day for the F-Droid apk
- ~^/repo/icons.*\.\d+\.png 604800; # 1 week for repo files with version number in name
- ~^/repo/.*\.apk$ 604800;
- ~^/repo/.*\.apk.asc$ 604800;
- ~^/repo/.*\.tar.gz$ 604800;
- ~^/repo/.*/icon.png$ 86400; # 1 day for icons and screenshots without version number
- ~^/repo/.*/phoneScreenshots/ 86400;
- }
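- # Plain-HTTP listener: everything is redirected to HTTPS except /.well-known/.
- server {
- listen 80 default_server;
- listen [::]:80 default_server;
- server_name fdroidmirror.net;
- root /usr/share/nginx/html;
- # The redirect target uses the fixed $server_name, not the client's Host header, and
- # $request_uri rather than $uri. $uri is the decoded, normalised path, so percent-encoded
- # control characters in the request would be written raw into the Location header;
- # $request_uri is the request as received, still encoded. It also carries the query string,
- # so any argument stripping has to happen on the HTTPS side.
- location / {return 301 https://$server_name$request_uri;}
- # Files under /.well-known/ are served from the local root over plain HTTP as text/plain.
- # NOTE(review): presumably for ACME HTTP-01 challenges, given the /etc/acme paths used for the certificates; confirm.
- location /.well-known/ {default_type "text/plain";}
- }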
- server {
- # HTTPS listener (HTTP/2 enabled); as default_server it also answers requests for any other Host.
- listen 443 ssl http2 default_server;
- listen [::]:443 ssl http2 default_server;
- server_name fdroidmirror.net;
- root /usr/share/nginx/html;
- # Two certificate/key pairs (ECDSA and RSA): nginx presents whichever the client's cipher support allows.
- # NOTE(review): verify that both key files are readable only by the account that starts nginx.
- ssl_certificate "/etc/acme/fdroidmirror.net/ec.crt";
- ssl_certificate_key "/etc/acme/fdroidmirror.net/ec.key";
- ssl_certificate "/etc/acme/fdroidmirror.net/rsa.crt";
- ssl_certificate_key "/etc/acme/fdroidmirror.net/rsa.key";
- # https://www.nginx.com/blog/nginx-caching-guide/
- # TLS session cache shared between workers (1 MB), sessions reusable for 10 minutes.
- ssl_session_cache shared:SSL:1m;
- ssl_session_timeout 10m;
- # NOTE(review): the list explicitly re-adds DES-CBC3-SHA (3DES, 64-bit block cipher); presumably
- # kept for very old clients. Confirm it is still needed and drop it otherwise.
- ssl_ciphers "HIGH+kECDHE:-SSLv3:-SHA256:-SHA384:DES-CBC3-SHA:@STRENGTH";
- ssl_prefer_server_ciphers on;
- # NOTE(review): TLSv1 and TLSv1.1 are formally deprecated (RFC 8996); presumably enabled for
- # legacy clients. Confirm the requirement, otherwise limit this to TLSv1.2 TLSv1.3.
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
- # OCSP stapling with verification of the stapled response.
- # NOTE(review): this needs a resolver and a trusted issuer chain; neither is set in the part shown here.
- ssl_stapling on;
- ssl_stapling_verify on;
- # TLS 1.3 0-RTT: early data can be replayed by a network attacker, so it is only safe for
- # idempotent requests. NOTE(review): the proxy settings are not visible here; if the origin
- # should be able to tell, forward the flag with: proxy_set_header Early-Data $ssl_early_data;
- ssl_early_data on;
- # Responses for this server are cached in the "fdroid_cache" zone.
- proxy_cache fdroid_cache;
- # Cache key is just the uri, without any arguments
- # NOTE(review): the key also leaves out scheme and Host, and this server is default_server.
- # If the origin's response can differ by Host header, entries would be shared across hosts;
- # the proxy_pass / Host handling is not visible in this part, so confirm a fixed Host is sent upstream.
- proxy_cache_key $uri;
- # Revalidation of expired cache items using conditional requests.
- proxy_cache_revalidate on;
- # May use stale response
- #proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
- # Active variant: stale content is served on connection errors, timeouts, while an entry is
- # being updated, and on origin 500/503 (502 and 504 are not included).
- proxy_cache_use_stale error timeout updating http_500 http_503;
- # Allows starting a background subrequest to update an expired cache item,
- # while a stale cached response is returned to the client.
- proxy_cache_background_update on;
- # Only one request at a time to origin server per element
- # Other request wait.
- proxy_cache_lock on;
- proxy_cache_lock_age 10s;
- proxy_cache_lock_timeout 20s;
- # Cache lifetimes by status code; caching headers sent by the origin take priority over these.
- # Error responses are cached as well (404 for 5 minutes, any other status for 1 minute).
- proxy_cache_valid 200 302 10m;
- proxy_cache_valid 301 1h;
- proxy_cache_valid 404 5m;
- proxy_cache_valid any 1m;
- # No automatic directory listings.
- autoindex off;
- # Strip arguments from request to reduce possible attack vectors.
- # We serve static content only, we do not want arguments.