user www-data;pid /run/nginx.pid;worker_processes auto;worker_rlimit_nofil

1. user www-data;
2. pid /run/nginx.pid;
3. worker_processes auto;
4. worker_rlimit_nofile 409600;
5.  
6. events {
7.     worker_connections 4096;
8.     multi_accept on;
9. }
10.  
11. http {
12.     charset utf-8;
13.     sendfile on;
14.     tcp_nopush on;
15.     tcp_nodelay on;
16.     server_tokens off;
17.     log_not_found off;
18.     types_hash_max_size 2048;
19.     client_max_body_size 16M;
20.  
21.     # MIME
22.     include mime.types;
23.     default_type application/octet-stream;
24.  
25.     # logging
26.     access_log /var/log/nginx/access.log;
27.     error_log /var/log/nginx/error.log warn;
28.  
29.     # load configs
30.     include /etc/nginx/conf.d/*.conf;
31.  
32.     # bot.remu.re
33.     server {
34.         listen 80;
35.         listen [::]:80;
36.    
37.         server_name bot.remu.re;
38.         set $base /var/www/bot;
39.         root $base/;
40.    
41.         # $uri, index.html
42.         location / {
43.             try_files $uri $uri/ /index.html;
44.         }
45.    
46.         # security headers
47.         add_header X-Frame-Options "SAMEORIGIN" always;
48.         add_header X-XSS-Protection "1; mode=block" always;
49.         add_header X-Content-Type-Options "nosniff" always;
50.         add_header Referrer-Policy "no-referrer-when-downgrade" always;
51.         add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
52.        
53.         # . files
54.         location ~ /\. {
55.             deny all;
56.         }
57.        
58.         # assets, media
59.         location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
60.             expires 7d;
61.             access_log off;
62.         }
63.        
64.         # svg, fonts
65.         location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff|woff2)$ {
66.             add_header Access-Control-Allow-Origin "*";
67.             expires 7d;
68.             access_log off;
69.         }
70.        
71.         # gzip
72.         gzip on;
73.         gzip_vary on;
74.         gzip_proxied any;
75.         gzip_comp_level 6;
76.         gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
77.    
78.         # handle .php
79.         location ~ \.php$ {
80.             try_files $uri =404;
81.            
82.             # fastcgi
83.             fastcgi_pass                unix:/var/run/php/php7.2-fpm.sock;
84.             fastcgi_index               index.php;
85.             fastcgi_split_path_info     ^(.+\.php)(/.+)$;
86.             fastcgi_param               SCRIPT_FILENAME $document_root$fastcgi_script_name;
87.             fastcgi_param               PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/;
88.             fastcgi_intercept_errors    off;
89.            
90.             fastcgi_buffer_size             128k;
91.             fastcgi_buffers                 256 16k;
92.             fastcgi_busy_buffers_size       256k;
93.             fastcgi_temp_file_write_size    256k;
94.            
95.             # default fastcgi_params
96.             include fastcgi_params;
97.         }
98.     }
99.     # api.bot.remu.re
100.     server {
101.         listen 80;
102.         listen [::]:80;
103.    
104.         server_name api.bot.remu.re;
105.         set $base /var/www/bot_data;
106.         root $base/;
107.    
108.         # $uri, index.html
109.         location / {
110.             try_files $uri $uri/ /index.html;
111.         }
112.    
113.         # security headers
114.         add_header X-Frame-Options "SAMEORIGIN" always;
115.         add_header X-XSS-Protection "1; mode=block" always;
116.         add_header X-Content-Type-Options "nosniff" always;
117.         add_header Referrer-Policy "no-referrer-when-downgrade" always;
118.         add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
119.        
120.         # . files
121.         location ~ /\. {
122.             deny all;
123.         }
124.        
125.         # assets, media
126.         location ~* \.(?:css(\.map)?|js(\.map)?|jpe?g|png|gif|ico|cur|heic|webp|tiff?|mp3|m4a|aac|ogg|midi?|wav|mp4|mov|webm|mpe?g|avi|ogv|flv|wmv)$ {
127.             expires 7d;
128.             access_log off;
129.         }
130.        
131.         # svg, fonts
132.         location ~* \.(?:svgz?|ttf|ttc|otf|eot|woff|woff2)$ {
133.             add_header Access-Control-Allow-Origin "*";
134.             expires 7d;
135.             access_log off;
136.         }
137.        
138.         # gzip
139.         gzip on;
140.         gzip_vary on;
141.         gzip_proxied any;
142.         gzip_comp_level 6;
143.         gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
144.    
145.         # handle .php
146.         location ~ \.php$ {
147.             try_files $uri =404;
148.            
149.             # fastcgi
150.             fastcgi_pass                unix:/var/run/php/php7.2-fpm.sock;
151.             fastcgi_index               index.php;
152.             fastcgi_split_path_info     ^(.+\.php)(/.+)$;
153.             fastcgi_param               SCRIPT_FILENAME $document_root$fastcgi_script_name;
154.             fastcgi_param               PHP_ADMIN_VALUE open_basedir=$base/:/usr/lib/php/:/tmp/;
155.             fastcgi_intercept_errors    off;
156.            
157.             fastcgi_buffer_size             128k;
158.             fastcgi_buffers                 256 16k;
159.             fastcgi_busy_buffers_size       256k;
160.             fastcgi_temp_file_write_size    256k;
161.            
162.             # default fastcgi_params
163.             include fastcgi_params;
164.         }
165.     }
166. }