Jlabarca · August 18, 2017 13:52
diff --git a/gistfile1.sh b/gistfile1.sh
 # to generate your dhparam.pem file, run in the terminal
 openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
diff --git a/nginx.conf b/nginx.conf

 # you must set worker processes based on your CPU cores, nginx does not benefit from setting more than that
 worker_processes auto; #some last versions calculate it automatically

 # number of file descriptors used for nginx
 # the limit for the maximum FDs on the server is usually set by the OS.
 # if you don't set FD's then OS settings will be used which is by default 2000
 worker_rlimit_nofile 100000;

 # only log critical errors
 error_log logs/error.log crit;
 #error_log  logs/error.log;
 #error_log  logs/error.log  notice;
 #error_log  logs/error.log  info;

 #pid        logs/nginx.pid;


 events {
    # determines how much clients will be served per worker
    # max clients = worker_connections * worker_processes
    # max clients is also limited by the number of socket connections available on the system (~64k)
    worker_connections 4000;
 }




 http {
    include       mime.types;
    default_type  application/octet-stream;

    # cache informations about FDs, frequently accessed files
 	open_file_cache max=200000 inactive=20s; 
 	open_file_cache_valid 30s; 
 	open_file_cache_min_uses 2;
 	open_file_cache_errors on;

 	# to boost I/O on HDD we can disable access logs
 	access_log off;

 	# copies data between one FD and other from within the kernel
 	# faster then read() + write()
 	sendfile on;

 	# send headers in one peace, its better then sending them one by one 
 	tcp_nopush on;

 	# don't buffer data sent, good for small data bursts in real time
 	tcp_nodelay on;

 	# reduce the data that needs to be sent over network -- for testing environment
 	gzip on;
 	gzip_min_length 10240;
 	gzip_proxied expired no-cache no-store private auth;
 	gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml;
 	gzip_disable msie6;

 	# allow the server to close connection on non responding client, this will free up memory
 	reset_timedout_connection on;

 	# request timed out -- default 60
 	client_body_timeout 10;

 	# if client stop responding, free up memory -- default 60
 	send_timeout 2;

 	# server will close connection after this time -- default 75
 	keepalive_timeout 30;

 	# number of requests client can make over keep-alive -- for testing environment
 	keepalive_requests 100000;


    server {
 	
        listen       80;
        server_name  localhost;
 		charset utf-8;
 		server_tokens off;
        #access_log  logs/host.access.log  main;
 		
 		#SECURITY
 		
 		# config to don't allow the browser to render the page inside an frame or iframe
 		# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
 		# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
 		# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
 		add_header X-Frame-Options SAMEORIGIN;
 		
 		# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
 		# to disable content-type sniffing on some browsers.
 		# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
 		# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
 		# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
 		# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
 		add_header X-Content-Type-Options nosniff;
 		
 		# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
 		# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for 
 		# this particular website if it was disabled by the user.
 		# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
 		add_header X-XSS-Protection "1; mode=block";
 		
 		#Backend Reverse Proxy				
 		location /api/ {
 			proxy_pass http://localhost:8080/;
 			proxy_set_header Host $host;
 		}
 		
        location / {
            root   html;
            index  index.html index.htm;
        }
 		

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }



 }
	# to generate your dhparam.pem file, run in the terminal
	openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

	# you must set worker processes based on your CPU cores, nginx does not benefit from setting more than that
	worker_processes auto; #some last versions calculate it automatically

	# number of file descriptors used for nginx
	# the limit for the maximum FDs on the server is usually set by the OS.
	# if you don't set FD's then OS settings will be used which is by default 2000
	worker_rlimit_nofile 100000;

	# only log critical errors
	error_log logs/error.log crit;
	#error_log logs/error.log;
	#error_log logs/error.log notice;
	#error_log logs/error.log info;

	#pid logs/nginx.pid;


	events {
	# determines how much clients will be served per worker
	# max clients = worker_connections * worker_processes
	# max clients is also limited by the number of socket connections available on the system (~64k)
	worker_connections 4000;
	}




	http {
	include mime.types;
	default_type application/octet-stream;

	# cache informations about FDs, frequently accessed files
	open_file_cache max=200000 inactive=20s;
	open_file_cache_valid 30s;
	open_file_cache_min_uses 2;
	open_file_cache_errors on;

	# to boost I/O on HDD we can disable access logs
	access_log off;

	# copies data between one FD and other from within the kernel
	# faster then read() + write()
	sendfile on;

	# send headers in one peace, its better then sending them one by one
	tcp_nopush on;

	# don't buffer data sent, good for small data bursts in real time
	tcp_nodelay on;

	# reduce the data that needs to be sent over network -- for testing environment
	gzip on;
	gzip_min_length 10240;
	gzip_proxied expired no-cache no-store private auth;
	gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/json application/xml;
	gzip_disable msie6;

	# allow the server to close connection on non responding client, this will free up memory
	reset_timedout_connection on;

	# request timed out -- default 60
	client_body_timeout 10;

	# if client stop responding, free up memory -- default 60
	send_timeout 2;

	# server will close connection after this time -- default 75
	keepalive_timeout 30;

	# number of requests client can make over keep-alive -- for testing environment
	keepalive_requests 100000;


	server {

	listen 80;
	server_name localhost;
	charset utf-8;
	server_tokens off;
	#access_log logs/host.access.log main;

	#SECURITY

	# config to don't allow the browser to render the page inside an frame or iframe
	# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
	# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
	# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
	add_header X-Frame-Options SAMEORIGIN;

	# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
	# to disable content-type sniffing on some browsers.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
	# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
	# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
	add_header X-Content-Type-Options nosniff;

	# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
	# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
	# this particular website if it was disabled by the user.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	add_header X-XSS-Protection "1; mode=block";

	#Backend Reverse Proxy
	location /api/ {
	proxy_pass http://localhost:8080/;
	proxy_set_header Host $host;
	}

	location / {
	root html;
	index index.html index.htm;
	}


	#error_page 404 /404.html;

	# redirect server error pages to the static page /50x.html
	#
	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
	root html;
	}

	# proxy the PHP scripts to Apache listening on 127.0.0.1:80
	#
	#location ~ \.php$ {
	# proxy_pass http://127.0.0.1;
	#}

	# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
	#
	#location ~ \.php$ {
	# root html;
	# fastcgi_pass 127.0.0.1:9000;
	# fastcgi_index index.php;
	# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
	# include fastcgi_params;
	#}

	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	#location ~ /\.ht {
	# deny all;
	#}
	}



	}