/etc/nginx/nginx.conf

  1. ###_ IMPLEMENT
  2. ###_ 1. Enable clickjacking protection.  Disabled by default.
  3.  
  4. # nginx.conf
  5. user www-data;
  6.  
  7. ## If you're using an Nginx version below 1.3.8 or 1.2. then uncomment
  8. ## the line below and set it to the number of cores of the
  9. ## server. Otherwise nginx will determine it automatically.
  10. #worker_processes 4;
  11.  
  12. error_log /var/log/nginx/error.log;
  13. pid /var/run/nginx.pid;
  14.  
  15. worker_rlimit_nofile 8192;
  16.  
  17. events {
  18.     worker_connections 4096;
  19.     ## Accept as many connections as possible.
  20.     multi_accept on;
  21. }
  22.  
  23. http {
  24.     ## MIME types.
  25.     include mime.types;
  26.     default_type application/octet-stream;
  27.  
  28.     ## FastCGI.
  29.     include fastcgi.conf;
  30.  
  31.     ## Default log and error files.
  32.     access_log /var/log/nginx/access.log;
  33.     error_log /var/log/nginx/error.log;
  34.  
  35.     ## Use sendfile() syscall to speed up I/O operations and speed up
  36.     ## static file serving.
  37.     sendfile on;
  38.     ## Handling of IPs in proxied and load balancing situations.
  39.     set_real_ip_from 0.0.0.0/32; # all addresses get a real IP.
  40.     real_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer/proxy
  41.  
  42.     ## Define a zone for limiting the number of simultaneous
  43.     ## connections nginx accepts. 1m means 32000 simultaneous
  44.     ## sessions. We need to define for each server the limit_conn
  45.     ## value refering to this or other zones.
  46.     limit_conn_zone $binary_remote_addr zone=arbeit:10m;
  47.  
  48.     ## Timeouts.
  49.     client_body_timeout 60;
  50.     client_header_timeout 60;
  51.     keepalive_timeout 10 10;
  52.     send_timeout 60;
  53.  
  54.     ## Reset lingering timed out connections. Deflect DDoS.
  55.     reset_timedout_connection on;
  56.  
  57.     ## Body size.
  58.     client_max_body_size 10m;
  59.  
  60.     ## TCP options.
  61.     tcp_nodelay on;
  62.     ## Optimization of socket handling when using sendfile.
  63.     tcp_nopush on;
  64.  
  65.     ## Compression.
  66.     gzip on;
  67.     gzip_buffers 16 8k;
  68.     gzip_comp_level 1;
  69.     gzip_http_version 1.1;
  70.     gzip_min_length 10;
  71.     gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf;
  72.     gzip_vary on;
  73.     gzip_proxied any; # Compression for all requests.
  74.     ## No need for regexps. See
  75.     ## http://wiki.nginx.org/NginxHttpGzipModule#gzip_disable
  76.     gzip_disable msie6;
  77.  
  78.     ## Serve already compressed files directly, bypassing on-the-fly
  79.     ## compression.
  80.     ##
  81.     # Usually you don't make much use of this. It's better to just
  82.     # enable gzip_static on the locations you need it.
  83.     # gzip_static on;
  84.  
  85.     ## Hide the Nginx version number.
  86.     server_tokens off;
  87.  
  88.     ## Use a SSL/TLS cache for SSL session resume. This needs to be
  89.     ## here (in this context, for session resumption to work. See this
  90.     ## thread on the Nginx mailing list:
  91.     ## http://nginx.org/pipermail/nginx/2010-November/023736.html.
  92.     ssl_session_cache shared:SSL:30m;
  93.     ssl_session_timeout 1d;
  94.  
  95.     ## The server dictates the choice of cipher suites.
  96.     ssl_prefer_server_ciphers on;
  97.  
  98.     ## Use only Perfect Forward Secrecy Ciphers. Fallback on non ECDH
  99.     ## for crufty clients.
  100.     ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+SHA384:ECDH+aRSA+SHA256:ECDH:EDH+CAMELLIA:EDH+aRSA:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA;
  101.  
  102.     ## No SSL2 support. Legacy support of SSLv3.
  103.     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  104.  
  105.     ## Pregenerated Diffie-Hellman parameters.
  106.     ssl_dhparam /etc/nginx/dh_param.pem;
  107.  
  108.     ## Curve to use for ECDH.
  109.     ssl_ecdh_curve secp521r1;
  110.  
  111.     ## Enable OCSP stapling. A better way to revocate server certificates.
  112.     ssl_stapling on;
  113.     ## Fill in with your own resolver.
  114.     resolver 8.8.8.8;
  115.  
  116.     ## Uncomment to increase map_hash_bucket_size. If start getting
  117.     ## [emerg]: could not build the map_hash, you should increase
  118.     ## map_hash_bucket_size: 64 in your
  119.     ## logs. Cf. http://wiki.nginx.org/NginxOptimizations.
  120.     ## See http://wiki.nginx.org/HttpMapModule#map_hash_bucket_size
  121.     #map_hash_bucket_size 192;
  122.  
  123.     ## Uncomment to increase variables_hash_max_size if you start getting
  124.     ## [emerg] could not build the variables_hash, you should increase
  125.     ## either variables_hash_max_size: 512 or
  126.     ## variables_hash_bucket_size: 64
  127.     ## You only need to increase one. I chose to increase
  128.     ## variables_hash_max_size to 1024 as this was recommended
  129.     ## in nginx forum by developers.
  130.     ## See this forum topic and responses
  131.     ## http://forum.nginx.org/read.php?2,192277,192286#msg-192286
  132.     ## See http://wiki.nginx.org/HttpCoreModule#variables_hash_bucket_size
  133.     ## variables_hash_bucket_size was added for completeness but not
  134.     ## changed from default.
  135.     #variables_hash_max_size 1024; # default 512
  136.     #variables_hash_bucket_size 64; # default is 64
  137.  
  138.  
  139.     ## For the filefield_nginx_progress module to work. From the
  140.     ## README. Reserve 1MB under the name 'uploads' to track uploads.
  141.     upload_progress uploads 1m;
  142.  
  143.     ## Enable the builtin cross-site scripting (XSS) filter available
  144.     ## in modern browsers.  Usually enabled by default we just
  145.     ## reinstate in case it has been somehow disabled for this
  146.     ## particular server instance.
  147.     ## https://www.owasp.org/index.php/List_of_useful_HTTP_headers.
  148.     add_header X-XSS-Protection '1; mode=block';
  149.  
  150.     ## Enable clickjacking protection in modern browsers. Available in
  151.     ## IE8 also. See
  152.     ## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
  153.     ## This may conflict with pseudo streaming (at least with Nginx version 1.0.12).
  154.     ## Uncomment the line below if you're not using media streaming.
  155.     ## For sites *using* frames uncomment the line below.
  156.     #add_header X-Frame-Options SAMEORIGIN;
  157.     ## For sites *not* using frames uncomment the line below.
  158.     #add_header X-Frame-Options DENY;
  159.  
  160.     ## Block MIME type sniffing on IE.
  161.     add_header X-Content-Options nosniff;
  162.  
  163.     ## Include the upstream servers for PHP FastCGI handling
  164.     ## configuration. This setup uses UNIX sockets for talking with the
  165.     ## upstream.
  166.     include upstream_phpcgi_unix.conf;
  167.  
  168.     ## Include the map to block HTTP methods.
  169.     include map_block_http_methods.conf;
  170.  
  171.     ## Include the php-fpm status allowed hosts configuration block.
  172.     ## Uncomment to enable if you're running php-fpm.
  173.     include php_fpm_status_allowed_hosts.conf;
  174.  
  175.     ## Include the Nginx stub status allowed hosts configuration block.
  176.     include nginx_status_allowed_hosts.conf;
  177.  
  178.     ## Include blacklist for bad bot and referer blocking.
  179.     include blacklist.conf;
  180.  
  181.     ## Include the caching setup. Needed for using Drupal with an external cache.
  182.     include apps/drupal/map_cache.conf;
  183.  
  184.     ## Microcache zone definition for FastCGI.
  185.     #include fastcgi_microcache_zone.conf;
  186.  
  187.     ## Include all vhosts.
  188.     include sites-enabled/*;
  189. }