Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- user www-data;
- worker_processes auto;
- worker_cpu_affinity auto;
- worker_rlimit_nofile 65535;
- pid /var/run/nginx.pid;
- pcre_jit on;
- events {
- worker_connections 8192;
- multi_accept on;
- }
- http {
- # Basic #######################
- sendfile on;
- tcp_nopush on;
- tcp_nodelay on;
- reset_timedout_connection on;
- keepalive_timeout 10;
- keepalive_requests 1000;
- types_hash_max_size 2048;
- server_tokens off;
- send_timeout 10;
- client_body_timeout 10;
- client_header_timeout 10;
- server_names_hash_max_size 4096;
- server_names_hash_bucket_size 64;
- # Limits ######################
- client_max_body_size 32m;
- client_body_buffer_size 128k;
- client_body_temp_path /var/cache/nginx/client_temp;
- proxy_connect_timeout 5;
- proxy_send_timeout 10;
- proxy_read_timeout 10;
- proxy_buffer_size 4k;
- proxy_buffers 8 16k;
- proxy_busy_buffers_size 64k;
- proxy_temp_file_write_size 64k;
- proxy_temp_path /var/cache/nginx/proxy_temp;
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
- # Logs ########################
- log_format main '$remote_addr - $host [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"'
- 'rt=$request_time ut=$upstream_response_time '
- 'cs=$upstream_cache_status';
- log_format full '$remote_addr - $host [$time_local] "$request" '
- 'request_length=$request_length '
- 'status=$status bytes_sent=$bytes_sent '
- 'body_bytes_sent=$body_bytes_sent '
- 'referer=$http_referer '
- 'user_agent="$http_user_agent" '
- 'upstream_status=$upstream_status '
- 'request_time=$request_time '
- 'upstream_response_time=$upstream_response_time '
- 'upstream_connect_time=$upstream_connect_time '
- 'upstream_header_time=$upstream_header_time';
- access_log /var/log/nginx/access.log main;
- error_log /var/log/nginx/error.log;
- # Gzip ########################
- gzip on;
- gzip_static on;
- gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/x-icon image/svg+xml application/x-font-ttf;
- gzip_comp_level 9;
- gzip_proxied any;
- gzip_min_length 1000;
- gzip_disable "msie6";
- gzip_vary on;
- etag off;
- # If brotli module enabled
- #brotli_static on;
- #brotli on;
- #brotli_comp_level 6;
- #brotli_types text/plain text/css text/xml application/javascript image/x-icon image/svg+xml;
- # Cache #######################
- #proxy_cache_valid 1m;
- #proxy_cache_key $scheme$proxy_host$request_uri$cookie_US;
- #proxy_cache_path /web/sites/nginx_cache levels=1:2 keys_zone=main:1000m;
- # Zone limits ################
- limit_conn_zone $binary_remote_addr zone=perip:10m;
- limit_req_zone $binary_remote_addr zone=lim_5r:10m rate=5r/s; # lim for dynamic page
- limit_req_zone $binary_remote_addr zone=lim_1r:10m rate=1r/s; # lim for search page
- limit_req_zone $binary_remote_addr zone=lim_20r:10m rate=20r/s;
- # SSL #########################
- ssl_session_cache shared:SSL:10m;
- ssl_session_timeout 1d;
- ssl_session_tickets on;
- ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
- ssl_prefer_server_ciphers on;
- ssl_dhparam /etc/ssl/certs/dhparam.pem;
- ssl_stapling on;
- ssl_stapling_verify on;
- add_header Strict-Transport-Security max-age=15768000;
- resolver 1.1.1.1 8.8.8.8 1.0.0.1 8.8.4.4;
- include /etc/nginx/conf.d/*.conf;
- # 404 for nonexistent domains
- server {
- return 404;
- }
- # For monitoring Nginx and Php-fpm #######
- server {
- listen localhost;
- server_name localhost;
- keepalive_timeout 0;
- allow 127.0.0.1;
- allow ::1;
- deny all;
- access_log off;
- location /nginx-status {
- stub_status on;
- }
- location /phpfpm-status {
- include fastcgi_params;
- fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- }
- }
- # Example virthost
- server {
- listen 443 ssl http2;
- server_name example.com;
- root /web/sites/example.com/www/;
- ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
- location ~ /\.well-known\/acme-challenge {
- allow all;
- }
- location ~ /\. {
- deny all;
- return 404;
- }
- location = /favicon.ico {
- log_not_found off;
- access_log off;
- }
- location = /robots.txt {
- log_not_found off;
- access_log off;
- }
- location / {
- try_files $uri $uri/ /index.php?$query_string;
- }
- location ~ \.php$ {
- try_files $uri =404;
- fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
- include fastcgi_params;
- fastcgi_param HTTPS on;
- fastcgi_param DOCUMENT_ROOT $realpath_root;
- fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
- }
- }
- # HTTP redirect
- server {
- listen 80;
- server_name example.com;
- location ^~ /.well-known/acme-challenge/ {
- root /web/sites/_letsencrypt;
- }
- location / {
- return 301 https://example.com$request_uri;
- }
- }
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement