272 lines
11 KiB
Nginx Configuration File
272 lines
11 KiB
Nginx Configuration File
#--------------------------------
|
|
# General
|
|
#--------------------------------
|
|
|
|
daemon off;
|
|
error_log '{root_dir}/logs/{module_name}/error.log' {log_level}; # debug, info, notice, warn, error, crit, alert, emerg
|
|
pcre_jit on;
|
|
pid '{root_dir}/temp/{module_name}.pid';
|
|
worker_processes 1;
|
|
|
|
events {
|
|
multi_accept on;
|
|
use poll;
|
|
worker_connections 4096;
|
|
}
|
|
|
|
http {
|
|
|
|
#--------------------------------
|
|
# GeoIP
|
|
#--------------------------------
|
|
|
|
# geoip_country '{root_dir}/user/geo/GeoIPv6.dat';
|
|
# map $geoip_country_code $geoip_blacklisted_country {
|
|
# default no;
|
|
# AU yes;
|
|
# }
|
|
|
|
#--------------------------------
|
|
# GeoIP2
|
|
#--------------------------------
|
|
|
|
# geoip2 '{root_dir}/user/geo/dbip-country-lite.mmdb' {
|
|
# auto_reload 15m;
|
|
# $geoip2_metadata_country_build metadata build_epoch;
|
|
# $geoip2_data_country_code default=— source=$remote_addr country iso_code;
|
|
# $geoip2_data_country_name default=— source=$remote_addr country names en;
|
|
# }
|
|
# map $geoip2_data_country_code $geoip2_blacklisted_country {
|
|
# default no;
|
|
# AU yes;
|
|
# }
|
|
|
|
#--------------------------------
|
|
# Maps
|
|
#--------------------------------
|
|
|
|
# map $request_uri $loggable {
|
|
# default 1;
|
|
# ~^/pictures/ 0;
|
|
# }
|
|
|
|
# map $status $log_not_found {
|
|
# default 0;
|
|
# 404 1;
|
|
# }
|
|
|
|
map $request_uri $request_uri_path {
|
|
default $request_uri;
|
|
'~^([^?]*)(\?.*)?$' $1;
|
|
}
|
|
|
|
map $http_upgrade $connection_upgrade {
|
|
default upgrade;
|
|
'' '';
|
|
}
|
|
|
|
map $sent_http_content_type $expires {
|
|
default 1d;
|
|
~*application/atom\+xml 1h;
|
|
~*application/rdf\+xml 1h;
|
|
~*application/rss\+xml 1h;
|
|
~*application/json epoch;
|
|
~*application/ld\+json epoch;
|
|
~*application/schema\+json epoch;
|
|
~*application/geo\+json epoch;
|
|
~*application/xml epoch;
|
|
~*text/calendar epoch;
|
|
~*text/html epoch;
|
|
~*text/plain epoch;
|
|
~*text/markdown epoch;
|
|
}
|
|
|
|
map $sent_http_content_type $x_frame_options {
|
|
default '';
|
|
~*text/html SAMEORIGIN;
|
|
}
|
|
|
|
map $sent_http_content_type $referrer_policy {
|
|
default '';
|
|
~*text/html 'strict-origin-when-cross-origin';
|
|
}
|
|
|
|
map $sent_http_content_type $acao_policy {
|
|
default '*';
|
|
}
|
|
|
|
# map $sent_http_content_type $cs_policy {
|
|
# default '';
|
|
# ~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; manifest-src 'self'; media-src 'self'; object-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests";
|
|
# }
|
|
|
|
# map $sent_http_content_type $coe_policy {
|
|
# default '';
|
|
# ~*text/html|application/(javascript|pdf)|xml 'require-corp';
|
|
# }
|
|
|
|
# map $sent_http_content_type $coo_policy {
|
|
# default '';
|
|
# ~*text/html|application/(javascript|pdf)|xml 'same-origin';
|
|
# }
|
|
|
|
# map $sent_http_content_type $cor_policy {
|
|
# default '';
|
|
# ~*text/html|application/(javascript|pdf)|xml 'same-origin';
|
|
# }
|
|
|
|
# map $sent_http_content_type $perm_policy {
|
|
# default '';
|
|
# ~*text/(html|javascript)|application/pdf|xml 'accelerometer=(),autoplay=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()';
|
|
# }
|
|
|
|
#--------------------------------
|
|
# Brotli
|
|
#--------------------------------
|
|
|
|
brotli on;
|
|
brotli_buffers 256 4k;
|
|
brotli_comp_level 5;
|
|
brotli_min_length 1024;
|
|
brotli_types application/atom+xml application/json application/ld+json application/rss+xml application/geo+json application/xml application/rdf+xml application/javascript application/wasm application/manifest+json application/x-web-app-manifest+json text/cache-manifest image/svg+xml font/woff font/woff2 application/vnd.ms-fontobject font/ttf font/collection font/otf text/css text/csv text/plain text/x-component text/markdown text/calendar text/vcard text/vtt application/rtf application/pdf application/x-x509-ca-cert application/xhtml+xml application/xslt+xml application/schema+json;
|
|
|
|
#--------------------------------
|
|
# Gzip
|
|
#--------------------------------
|
|
|
|
gzip on;
|
|
gzip_buffers 256 4k;
|
|
gzip_comp_level 5;
|
|
gzip_min_length 1024;
|
|
gzip_proxied any;
|
|
gzip_types application/atom+xml application/json application/ld+json application/rss+xml application/geo+json application/xml application/rdf+xml application/javascript application/wasm application/manifest+json application/x-web-app-manifest+json text/cache-manifest image/svg+xml font/woff font/woff2 application/vnd.ms-fontobject font/ttf font/collection font/otf text/css text/csv text/plain text/x-component text/markdown text/calendar text/vcard text/vtt application/rtf application/pdf application/x-x509-ca-cert application/xhtml+xml application/xslt+xml application/schema+json;
|
|
gzip_vary on;
|
|
|
|
#--------------------------------
|
|
# Headers
|
|
#--------------------------------
|
|
|
|
expires $expires;
|
|
|
|
add_header Access-Control-Allow-Origin $acao_policy always;
|
|
add_header Referrer-Policy $referrer_policy always;
|
|
add_header Timing-Allow-Origin '*' always;
|
|
add_header X-Content-Type-Options nosniff always;
|
|
add_header X-Frame-Options $x_frame_options always;
|
|
|
|
# add_header Content-Security-Policy $cs_policy always;
|
|
# add_header Cross-Origin-Embedder-Policy $coe_policy always;
|
|
# add_header Cross-Origin-Opener-Policy $coo_policy always;
|
|
# add_header Cross-Origin-Resource-Policy $cor_policy always;
|
|
# add_header Permissions-Policy $perm_policy always;
|
|
# add_header Strict-Transport-Security 'max-age=86400; includeSubDomains' always;
|
|
|
|
#--------------------------------
|
|
# Logs
|
|
#--------------------------------
|
|
|
|
log_format main '[$time_local] $host: $remote_addr "$http_x_forwarded_for" $status "$request" $body_bytes_sent "$http_referer" "$http_user_agent"';
|
|
# log_format post_log '[$time_local] $host: $remote_addr "$http_x_forwarded_for" $status "$request" $body_bytes_sent $request_body';
|
|
log_not_found on;
|
|
log_subrequest off;
|
|
access_log '{root_dir}/logs/{module_name}/access.log' main;
|
|
|
|
#--------------------------------
|
|
# Options
|
|
#--------------------------------
|
|
|
|
autoindex on;
|
|
autoindex_localtime on;
|
|
autoindex_exact_size off;
|
|
include mime.types;
|
|
charset utf-8;
|
|
charset_types application/atom+xml application/json application/ld+json application/rss+xml application/geo+json application/xml application/rdf+xml application/javascript application/wasm application/manifest+json application/x-web-app-manifest+json text/cache-manifest text/css text/csv text/plain text/x-component text/markdown text/calendar text/vcard text/vtt application/rtf application/pdf application/x-x509-ca-cert application/xhtml+xml application/xslt+xml application/schema+json;
|
|
client_body_buffer_size 64k;
|
|
client_max_body_size 128m;
|
|
default_type application/octet-stream;
|
|
# ignore_invalid_headers off;
|
|
index index.php index.html index.htm;
|
|
# max_ranges 1;
|
|
# open_file_cache max=1024;
|
|
open_log_file_cache max=1024;
|
|
reset_timedout_connection on;
|
|
# resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 ipv6=off;
|
|
resolver_timeout 15s;
|
|
server_names_hash_bucket_size 64;
|
|
server_names_hash_max_size 4096;
|
|
server_tokens off;
|
|
tcp_nodelay on;
|
|
types_hash_bucket_size 64;
|
|
types_hash_max_size 4096;
|
|
variables_hash_bucket_size 64;
|
|
variables_hash_max_size 4096;
|
|
|
|
#--------------------------------
|
|
# PHP FastCGI
|
|
#--------------------------------
|
|
|
|
fastcgi_buffering off;
|
|
fastcgi_connect_timeout 15s;
|
|
fastcgi_keep_conn on;
|
|
fastcgi_ignore_client_abort off;
|
|
fastcgi_index index.php;
|
|
fastcgi_intercept_errors on;
|
|
fastcgi_read_timeout 10m;
|
|
fastcgi_send_timeout 10m;
|
|
|
|
#--------------------------------
|
|
# Proxy
|
|
#--------------------------------
|
|
|
|
proxy_buffering off;
|
|
proxy_connect_timeout 15s;
|
|
proxy_ignore_client_abort off;
|
|
proxy_intercept_errors on;
|
|
proxy_http_version 1.1;
|
|
proxy_read_timeout 10m;
|
|
proxy_send_timeout 10m;
|
|
|
|
#--------------------------------
|
|
# SSL
|
|
#--------------------------------
|
|
|
|
ssl_ciphers HIGH:!aNULL:!MD5:!CAMELLIA:!SHA1:!SHA256:!SHA384;
|
|
ssl_dhparam '{root_dir}/user/ssl/dhparam.pem';
|
|
ssl_prefer_server_ciphers off;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_tickets off;
|
|
ssl_session_timeout 1d;
|
|
ssl_stapling off;
|
|
ssl_stapling_verify off;
|
|
ssl_trusted_certificate '{root_dir}/data/ssl/cacert.pem';
|
|
|
|
#--------------------------------
|
|
# Temp
|
|
#--------------------------------
|
|
|
|
client_body_temp_path '{root_dir}/temp/{module_name}/{profile_name}/client_temp' 1 2;
|
|
fastcgi_temp_path '{root_dir}/temp/{module_name}/{profile_name}/fastcgi_temp' 1 2;
|
|
proxy_temp_path '{root_dir}/temp/{module_name}/{profile_name}/proxy_temp' 1 2;
|
|
scgi_temp_path '{root_dir}/temp/{module_name}/{profile_name}/scgi_temp' 1 2;
|
|
uwsgi_temp_path '{root_dir}/temp/{module_name}/{profile_name}/uwsgi_temp' 1 2;
|
|
|
|
#--------------------------------
|
|
# Zones
|
|
#--------------------------------
|
|
|
|
# limit_conn_log_level warn;
|
|
# limit_conn_zone $binary_remote_addr zone=ip_zone:16m;
|
|
# limit_conn_zone '$binary_remote_addr$request_uri_path' zone=ip_uri_zone:16m;
|
|
|
|
# limit_req_log_level warn;
|
|
# limit_req_zone $binary_remote_addr zone=ip_flood:16m rate=64r/s;
|
|
# limit_req_zone '$binary_remote_addr$request_uri_path' zone=ip_uri_flood:16m rate=16r/s;
|
|
|
|
#--------------------------------
|
|
# Virtual Hosts
|
|
#--------------------------------
|
|
|
|
{nginx_hosts}
|
|
|
|
} |