Created
April 19, 2024 07:35
optimized nginx.conf
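# Main (global) context.
# Worker processes run as the unprivileged www-data account; the master
# process keeps the privileges it was started with.
user www-data;

# The special value auto allows binding worker processes automatically to available CPUs:
worker_processes auto;
worker_cpu_affinity auto;

# Changes the limit on the maximum number of open files (RLIMIT_NOFILE) for worker processes.
# Every client connection uses one descriptor, and a proxied connection uses a
# second one for the upstream, so this limit has to stay above what
# worker_connections (events block) can demand.
worker_rlimit_nofile 100000;

pid /run/nginx.pid;

# PCRE JIT can speed up processing of regular expressions significantly.
# NOTE(review): JIT compilation needs memory that is both writable and
# executable; hosts that forbid such mappings may refuse it - check the
# error log after enabling.
pcre_jit on;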
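# Connection-processing settings shared by all worker processes.
events {
    # Let a worker accept all pending new connections at once instead of one at a time.
    multi_accept on;

    # Raise the maximum number of simultaneous connections per worker.
    # This counts upstream connections as well as client connections, and the
    # total is still capped by worker_rlimit_nofile.
    worker_connections 50000;

    # Make workers accept new connections in turn, which avoids waking every
    # worker (and wasting resources) when only a few connections arrive.
    accept_mutex on;

    # Use the epoll connection-processing method (Linux kernel 2.6+).
    use epoll;
}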
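# HTTP context: performance tuning, TLS defaults, security headers and logging
# inherited by every virtual host included at the bottom of the block.
http {
    keepalive_timeout 8;

    # Nginx AIO : See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
    # http://nginx.org/en/docs/http/ngx_http_core_module.html#aio
    aio threads;

    # Do not disclose the nginx version in the Server header and on error pages.
    server_tokens off;

    # This helps avoid keeping an already closed socket with filled buffers in a FIN_WAIT1 state for a long time.
    reset_timedout_connection on;

    # Proxy Settings
    # When enabling the two lines below, list only the addresses of reverse
    # proxies you control: X-Forwarded-For is client-supplied, so trusting it
    # from any other source lets a client forge the address used in logs and
    # in address-based access rules.
    # set_real_ip_from proxy-server-ip;
    # real_ip_header X-Forwarded-For;

    fastcgi_read_timeout 300;

    # Request size limits. Both values are far above the nginx defaults
    # (1m body, 4 x 8k header buffers) and increase the memory and disk a
    # single client can make the server commit; lower them per server or
    # location wherever large uploads or very long headers are not needed.
    client_max_body_size 100m;

    # Enables the use of the O_DIRECT flag; it can be useful for serving large files
    directio 4m;
    directio_alignment 512;

    large_client_header_buffers 8 64k;

    # If possible, the transmission of client data will be postponed until nginx has at least size bytes of data to send
    postpone_output 1460;

    # Number and size of the buffers used to read a response from a proxied
    # server (per connection); proxy_buffer_size holds the first part of the
    # response, which normally contains the headers.
    proxy_buffers 8 32k;
    proxy_buffer_size 64k;

    # Serve files with sendfile(); sendfile_max_chunk bounds how much is sent
    # per call so that one fast connection cannot seize a worker entirely.
    sendfile on;
    sendfile_max_chunk 512k;

    # sending the response header and the beginning of a file in one packet, on Linux
    tcp_nopush on;

    # The option is enabled when a connection is transitioned into the keep-alive state
    tcp_nodelay on;

    # Closing connections periodically is necessary to free per-connection memory allocations
    keepalive_requests 500;
    keepalive_disable msie6;

    # specifies the maximum time during which nginx will process (read and ignore) additional data coming from a client. After that, the connection will be closed
    lingering_time 20s;
    lingering_timeout 5s;

    # Configures a cache that can store open file descriptors, information on existence of directories and file lookup errors
    open_file_cache max=50000 inactive=60s;
    open_file_cache_errors off;
    open_file_cache_min_uses 2;
    open_file_cache_valid 120s;
    open_log_file_cache max=10000 inactive=30s min_uses=2;

    ##
    # SSL Settings
    ##

    # Enable 0-RTT support for TLS 1.3
    # Early data is not protected against replay: a captured 0-RTT request can
    # be re-sent by a third party. The Early-Data header lets an upstream
    # answer 425 (Too Early) for non-idempotent requests, but note that
    #  - proxy_set_header here is inherited only by locations that define no
    #    proxy_set_header of their own, and
    #  - it reaches proxied upstreams only; FastCGI backends need the value
    #    passed separately (e.g. fastcgi_param HTTP_EARLY_DATA $ssl_early_data;).
    # Leave ssl_early_data off for vhosts whose backends do not check it.
    proxy_set_header Early-Data $ssl_early_data;
    ssl_early_data on;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    # Session tickets stay disabled, so resumption relies on the shared cache above.
    ssl_session_tickets off;
    ssl_prefer_server_ciphers on;

    # NOTE(review): the TLS13+... entries do not look like stock OpenSSL
    # cipher-string keywords (presumably they target a patched OpenSSL build);
    # confirm what is actually negotiated with `openssl ciphers -v '<string>'`
    # against the library nginx is linked with.
    ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20';
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:P-521:P-384:P-256;

    # Common security headers
    # require more_set_headers module
    # Written in the module's documented "Name: value" form, with no
    # whitespace before the colon, because a header field name must not
    # contain spaces. Verify the emitted headers with `curl -I`.
    more_set_headers "X-Frame-Options: SAMEORIGIN";
    more_set_headers "X-Content-Type-Options: nosniff";
    more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";

    # OCSP settings
    # The resolver is used to look up the OCSP responder. Plain DNS answers
    # are unauthenticated, so the nginx documentation recommends resolvers in
    # a trusted local network to prevent spoofing; the public resolvers below
    # also learn which responders this server contacts.
    resolver 8.8.8.8 1.1.1.1 8.8.4.4 1.0.0.1 valid=300s;
    resolver_timeout 10;
    # Stapled responses are not verified by nginx unless verification is also
    # enabled, which requires the issuer chain to be configured as trusted:
    # ssl_stapling_verify on;
    # ssl_trusted_certificate <path-to-ca-chain.pem>;
    ssl_stapling on;

    ##
    # Basic Settings
    ##

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    # Access logging is disabled by default for every vhost. That removes the
    # per-request record needed for detection and incident response; enable
    # it per server where an audit trail matters, for example with
    # `access_log <path-to-log> rt_cache;` using the format defined below.
    access_log off;
    error_log /var/log/nginx/error.log;

    # Log format Settings
    # rt_cache is only defined here; nothing in this file writes a log with it.
    log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] '
                        '$http_host "$request" $status $body_bytes_sent '
                        '"$http_referer" "$http_user_agent" "$server_protocol"';

    ##
    # Virtual Host Configs
    ##

    # The sites-enabled glob loads every file in that directory, including
    # stray backup or editor copies, so keep the directory tidy.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}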
#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen localhost:110;
#        protocol pop3;
#        proxy on;
#    }
#
#    server {
#        listen localhost:143;
#        protocol imap;
#        proxy on;
#    }
#}