/etc/nginx/nginx.conf

1. user nginx;
2. worker_processes auto;
3. worker_cpu_affinity auto;
4. worker_rlimit_nofile 30000;
5. pid /var/run/nginx.pid;
6. pcre_jit on;
7.  
8. events {
9. worker_connections 8192;
10. multi_accept on;
11. }
12.  
13. http {
14.  
15. # Basic #######################
16.  
17. sendfile on;
18. tcp_nopush on;
19. tcp_nodelay on;
20. reset_timedout_connection on;
21. keepalive_timeout 120;
22. keepalive_requests 1000;
23. types_hash_max_size 2048;
24. server_tokens off;
25. send_timeout 30;
26. client_body_timeout 30;
27. client_header_timeout 30;
28. server_names_hash_max_size 4096;
29.  
30. # Limits ######################
31.  
32. client_max_body_size 10m;
33. client_body_buffer_size 128k;
34. client_body_temp_path /var/cache/nginx/client_temp;
35.  
36. proxy_connect_timeout 60;
37. proxy_send_timeout 60;
38. proxy_read_timeout 60;
39. proxy_buffer_size 4k;
40. proxy_buffers 8 16k;
41. proxy_busy_buffers_size 64k;
42. proxy_temp_file_write_size 64k;
43. proxy_temp_path /var/cache/nginx/proxy_temp;
44.  
45. include /etc/nginx/mime.types;
46. default_type application/octet-stream;
47.  
48. # Logs ########################
49.  
50. log_format main '$remote_addr - $host [$time_local] "$request" '
51. '$status $body_bytes_sent "$http_referer" '
52. '"$http_user_agent" "$http_x_forwarded_for"'
53. 'rt=$request_time ut=$upstream_response_time '
54. 'cs=$upstream_cache_status';
55. log_format full '$remote_addr - $host [$time_local] "$request" '
56. 'request_length=$request_length '
57. 'status=$status bytes_sent=$bytes_sent '
58. 'body_bytes_sent=$body_bytes_sent '
59. 'referer=$http_referer '
60. 'user_agent="$http_user_agent" '
61. 'upstream_status=$upstream_status '
62. 'request_time=$request_time '
63. 'upstream_response_time=$upstream_response_time '
64. 'upstream_connect_time=$upstream_connect_time '
65. 'upstream_header_time=$upstream_header_time';
66.  
67. access_log /var/log/nginx/access.log main;
68. error_log /var/log/nginx/error.log;
69.  
70. # Gzip ########################
71.  
72. gzip on;
73. gzip_static on;
74. gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/x-icon image/svg+xml application/x-font-ttf;
75. gzip_comp_level 9;
76. gzip_proxied any;
77. gzip_min_length 1000;
78. gzip_disable "msie6";
79. gzip_vary on;
80.  
81. etag off;
82.  
83. # Cache #######################
84.  
85. #proxy_cache_valid 1m;
86. #proxy_cache_key $scheme$proxy_host$request_uri$cookie_US;
87. #proxy_cache_path /web/sites/nginx_cache levels=1:2 keys_zone=main:1000m;
88.  
89. # Zone limits ################
90.  
91. limit_conn_zone $binary_remote_addr zone=perip:10m;
92. limit_req_zone $binary_remote_addr zone=lim_5r:10m rate=5r/s; # lim for dynamic page
93. limit_req_zone $binary_remote_addr zone=lim_1r:10m rate=1r/s; # lim for search page
94. limit_req_zone $binary_remote_addr zone=lim_10r:10m rate=10r/s;
95.  
96. # SSL #########################
97.  
98. ssl_session_cache shared:SSL:50m;
99. ssl_session_timeout 1d;
100. ssl_session_tickets on;
101. ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
102. ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:ECDHE:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
103. ssl_prefer_server_ciphers on;
104. ssl_dhparam /etc/ssl/certs/dhparam.pem;
105. ssl_stapling on;
106. ssl_stapling_verify on;
107. add_header Strict-Transport-Security max-age=15768000;
108. resolver 8.8.8.8;
109.  
110. include /etc/nginx/conf.d/*.conf;
111.  
112. # For monitoring ###########
113.  
114. server {
115. listen 127.0.0.1:80;
116. server_name status.localhost;
117. keepalive_timeout 0;
118. allow 127.0.0.1;
119. deny all;
120. access_log off;
121.  
122. location /server-status {
123. stub_status on;
124. }
125.  
126. location /status {
127. access_log off;
128. allow 127.0.0.1;
129. deny all;
130. include fastcgi_params;
131. fastcgi_pass unix:/run/php-fpm/www.sock;
132. fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
133. }
134. }
135. }