#-------------------------------- # General #-------------------------------- daemon off; error_log '{root_dir}/logs/{module_name}/error.log' {log_level}; # debug, info, notice, warn, error, crit, alert, emerg pcre_jit on; pid '{root_dir}/temp/{module_name}.pid'; worker_processes 1; events { multi_accept on; use poll; worker_connections 4096; } http { #-------------------------------- # GeoIP #-------------------------------- # geoip_country '{root_dir}/user/geo/GeoIPv6.dat'; # map $geoip_country_code $geoip_blacklisted_country { # default no; # AU yes; # } #-------------------------------- # GeoIP2 #-------------------------------- # geoip2 '{root_dir}/user/geo/dbip-country-lite.mmdb' { # auto_reload 15m; # $geoip2_metadata_country_build metadata build_epoch; # $geoip2_data_country_code default=— source=$remote_addr country iso_code; # $geoip2_data_country_name default=— source=$remote_addr country names en; # } # map $geoip2_data_country_code $geoip2_blacklisted_country { # default no; # AU yes; # } #-------------------------------- # Maps #-------------------------------- # map $request_uri $loggable { # default 1; # ~^/pictures/ 0; # } # map $status $log_not_found { # default 0; # 404 1; # } map $request_uri $request_uri_path { default $request_uri; '~^([^?]*)(\?.*)?$' $1; } map $http_upgrade $connection_upgrade { default upgrade; '' ''; } map $sent_http_content_type $expires { default 1d; ~*application/atom\+xml 1h; ~*application/rdf\+xml 1h; ~*application/rss\+xml 1h; ~*application/json epoch; ~*application/ld\+json epoch; ~*application/schema\+json epoch; ~*application/geo\+json epoch; ~*application/xml epoch; ~*text/calendar epoch; ~*text/html epoch; ~*text/plain epoch; ~*text/markdown epoch; } map $sent_http_content_type $x_frame_options { default ''; ~*text/html SAMEORIGIN; } map $sent_http_content_type $referrer_policy { default ''; ~*text/html 'strict-origin-when-cross-origin'; } map $sent_http_content_type $acao_policy { default '*'; } # map $sent_http_content_type $cs_policy { # default ''; # ~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests"; # } # map $sent_http_content_type $coe_policy { # default ''; # ~*text/html|application/(javascript|pdf)|xml 'require-corp'; # } # map $sent_http_content_type $coo_policy { # default ''; # ~*text/html|application/(javascript|pdf)|xml 'same-origin'; # } # map $sent_http_content_type $cor_policy { # default ''; # ~*text/html|application/(javascript|pdf)|xml 'same-origin'; # } # map $sent_http_content_type $perm_policy { # default ''; # ~*text/(html|javascript)|application/pdf|xml 'accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()'; # } #-------------------------------- # Brotli #-------------------------------- brotli on; brotli_buffers 256 4k; brotli_comp_level 5; brotli_min_length 1024; brotli_types application/atom+xml application/json application/ld+json application/rss+xml application/geo+json application/xml application/rdf+xml application/javascript application/wasm application/manifest+json application/x-web-app-manifest+json text/cache-manifest image/svg+xml font/woff font/woff2 application/vnd.ms-fontobject font/ttf font/collection font/otf text/css text/csv text/plain text/x-component text/markdown text/calendar text/vcard text/vtt application/rtf application/pdf application/x-x509-ca-cert application/xhtml+xml application/xslt+xml application/schema+json; #-------------------------------- # Gzip #-------------------------------- gzip on; gzip_buffers 256 4k; gzip_comp_level 5; gzip_min_length 1024; gzip_proxied any; gzip_types application/atom+xml application/json application/ld+json application/rss+xml application/geo+json application/xml application/rdf+xml application/javascript application/wasm application/manifest+json application/x-web-app-manifest+json text/cache-manifest image/svg+xml font/woff font/woff2 application/vnd.ms-fontobject font/ttf font/collection font/otf text/css text/csv text/plain text/x-component text/markdown text/calendar text/vcard text/vtt application/rtf application/pdf application/x-x509-ca-cert application/xhtml+xml application/xslt+xml application/schema+json; gzip_vary on; #-------------------------------- # Headers #-------------------------------- expires $expires; add_header Access-Control-Allow-Origin $acao_policy always; add_header Referrer-Policy $referrer_policy always; add_header Timing-Allow-Origin '*' always; add_header X-Content-Type-Options nosniff always; add_header X-Frame-Options $x_frame_options always; # add_header Content-Security-Policy $cs_policy always; # add_header Cross-Origin-Embedder-Policy $coe_policy always; # add_header Cross-Origin-Opener-Policy $coo_policy always; # add_header Cross-Origin-Resource-Policy $cor_policy always; # add_header Permissions-Policy $perm_policy always; # add_header Strict-Transport-Security 'max-age=86400; includeSubDomains' always; #-------------------------------- # Logs #-------------------------------- log_format main '[$time_local] $host: $remote_addr "$http_x_forwarded_for" $status "$request" $body_bytes_sent "$http_referer" "$http_user_agent"'; # log_format post_log '[$time_local] $host: $remote_addr "$http_x_forwarded_for" $status "$request" $body_bytes_sent $request_body'; log_not_found on; log_subrequest off; access_log '{root_dir}/logs/{module_name}/access.log' main; #-------------------------------- # Options #-------------------------------- autoindex on; autoindex_localtime on; autoindex_exact_size off; include mime.types; charset utf-8; charset_types application/atom+xml application/json application/ld+json application/rss+xml application/geo+json application/xml application/rdf+xml application/javascript application/wasm application/manifest+json application/x-web-app-manifest+json text/cache-manifest text/css text/csv text/plain text/x-component text/markdown text/calendar text/vcard text/vtt application/rtf application/pdf application/x-x509-ca-cert application/xhtml+xml application/xslt+xml application/schema+json; client_body_buffer_size 64k; client_max_body_size 128m; default_type application/octet-stream; # ignore_invalid_headers off; index index.php index.html index.htm; # max_ranges 1; # open_file_cache max=1024; open_log_file_cache max=1024; reset_timedout_connection on; # resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 ipv6=off; resolver_timeout 15s; server_names_hash_bucket_size 64; server_names_hash_max_size 4096; server_tokens off; tcp_nodelay on; types_hash_bucket_size 64; types_hash_max_size 4096; variables_hash_bucket_size 64; variables_hash_max_size 4096; #-------------------------------- # PHP FastCGI #-------------------------------- fastcgi_buffering off; fastcgi_connect_timeout 15s; fastcgi_keep_conn on; fastcgi_ignore_client_abort off; fastcgi_index index.php; fastcgi_intercept_errors on; fastcgi_read_timeout 10m; fastcgi_send_timeout 10m; #-------------------------------- # Proxy #-------------------------------- proxy_buffering off; proxy_connect_timeout 15s; proxy_ignore_client_abort off; proxy_intercept_errors on; proxy_http_version 1.1; proxy_read_timeout 10m; proxy_send_timeout 10m; #-------------------------------- # SSL #-------------------------------- ssl_ciphers HIGH:!aNULL:!MD5:!CAMELLIA:!SHA1:!SHA256:!SHA384; ssl_dhparam '{root_dir}/user/ssl/dhparam.pem'; ssl_prefer_server_ciphers off; ssl_protocols TLSv1.2 TLSv1.3; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_session_timeout 1d; ssl_stapling off; ssl_stapling_verify off; ssl_trusted_certificate '{root_dir}/data/ssl/cacert.pem'; #-------------------------------- # Temp #-------------------------------- client_body_temp_path '{root_dir}/temp/{module_name}/{profile_name}/client_temp' 1 2; fastcgi_temp_path '{root_dir}/temp/{module_name}/{profile_name}/fastcgi_temp' 1 2; proxy_temp_path '{root_dir}/temp/{module_name}/{profile_name}/proxy_temp' 1 2; scgi_temp_path '{root_dir}/temp/{module_name}/{profile_name}/scgi_temp' 1 2; uwsgi_temp_path '{root_dir}/temp/{module_name}/{profile_name}/uwsgi_temp' 1 2; #-------------------------------- # Zones #-------------------------------- # limit_conn_log_level warn; # limit_conn_zone $binary_remote_addr zone=ip_zone:16m; # limit_conn_zone '$binary_remote_addr$request_uri_path' zone=ip_uri_zone:16m; # limit_req_log_level warn; # limit_req_zone $binary_remote_addr zone=ip_flood:16m rate=64r/s; # limit_req_zone '$binary_remote_addr$request_uri_path' zone=ip_uri_flood:16m rate=16r/s; #-------------------------------- # Virtual Hosts #-------------------------------- {nginx_hosts} }