NGINX Main Configuration File
# NGINX Main Configuration File
#
# Defines the user and group credentials used by worker
# processes, respectively.
#
# If the group argument is omitted, the group with the same
# name as the user argument is used.
#
# Only the worker processes run under this identity; the
# master process keeps the identity it was started with so
# that it can bind privileged ports such as 80. Everything
# that touches request data (including the files under
# 'root' further down) runs as this user, so it should own
# nothing it does not need to write.
#
user http http;
# Defines the number of worker processes.
#
# The optimal value depends on many factors, including (but
# not limited to) the number of CPU cores, the number of
# hard disk drives that store data, and load pattern. When
# one is in doubt, setting it to the number of available
# CPU cores would be a good start (the value "auto" will try
# to autodetect it).
#
worker_processes auto;
# Configure the error log the server should write to.
#
# The second parameter defines the level of logging, and can
# be one of the following:
#
# - debug
# - info
# - notice
# - warn
# - error
# - crit
# - alert
# - emerg
#
# These log levels are listed in order of increasing
# severity.
#
# Setting a certain logging level will cause all messages of
# the specified and more severe levels to be logged.
#
# At "warn" the log still records the events that matter for
# incident review (denied requests, upstream failures,
# limit hits) without the per-request noise of "info" and
# "debug".
#
error_log /var/log/nginx/error.log warn;
# Enables or disables the use of "just-in-time compilation"
# (PCRE JIT) for the regular expressions known by the time
# of configuration parsing.
#
# This directive appeared in version 1.1.12.
#
# It requires a PCRE library built with JIT support; if that
# is missing NGINX only logs a warning at startup and falls
# back to the interpreted matcher, so this is safe to leave
# on.
#
pcre_jit on;
events {
    # Specifies the connection processing method to use.
    #
    # There is normally no need to specify it explicitly,
    # as nginx will attempt to use the most efficient method
    # by default, but since we know our kernel has epoll
    # functionality, we specify it here just in case.
    #
    # Note that this pins the file to Linux: epoll does not
    # exist on the BSDs or macOS, and NGINX refuses to start
    # rather than fall back when the named method is
    # unavailable. Drop the line to keep the file portable.
    #
    use epoll;
    # If multi-accept is disabled, a worker process will
    # accept one new connection at a time. Otherwise, a
    # worker process will accept all new connections at a
    # time.
    #
    multi_accept on;
    # Sets the maximum number of simultaneous connections
    # that can be opened by a worker process.
    #
    # Note that this number includes all connections (e.g.
    # connections with proxied servers, among others), not
    # just connections with clients.
    #
    # Another consideration is that the actual number of
    # simultaneous connections cannot exceed the current
    # limit on the maximum number of open files, which can
    # be changed via the worker_rlimit_nofile parameter.
    #
    # The total the server will accept is therefore roughly
    # this value multiplied by the number of worker
    # processes; once it is reached, further clients are
    # refused, which is the resource-exhaustion ceiling the
    # limits in conf.d/connection-limits.conf are meant to
    # keep a single client from reaching on its own.
    #
    worker_connections 1024;
}
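# This directive provides the configuration file context in
# which the HTTP server directives are specified.
#
http {
    # Adds the specified charset to the "Content-Type"
    # response header field. If this charset is different
    # from the charset specified in the 'source_charset'
    # directive, a conversion is performed.
    #
    charset utf-8;
    # Do not advertise the NGINX version in the "Server"
    # response header or on generated error pages. This does
    # not make the server any harder to attack by itself, but
    # it removes the free fingerprint that the probing scripts
    # the default server below is meant to absorb look for.
    #
    server_tokens off;
    # Sets the maximum size of the MIME types hash table.
    types_hash_max_size 4096;
    # Sets the bucket size for the types hash table.
    types_hash_bucket_size 64;
    # Include the MIME types configuration file.
    include conf.d/mime-types.conf;
    # Defines the default MIME type of a response.
    #
    # Mapping of file name extensions to MIME types can be
    # set with the 'types' directive. In this configuration
    # file, all MIME type definitions and file extension
    # mappings are defined in the conf.d/mime-types.conf
    # file.
    #
    # Caveat: any file whose extension is not mapped there is
    # served with this type, and text/html makes the browser
    # render it as a page in the site's origin. That is only
    # safe while everything under 'root' is trusted, static
    # site content. If user-supplied or backup files could
    # ever land in the document root, switch this to
    # application/octet-stream (NGINX's own built-in default
    # is text/plain) so that unmapped files are downloaded
    # rather than interpreted as markup.
    #
    default_type text/html;
    # Include connection limits configuration file.
    include conf.d/connection-limits.conf;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    # '$status $body_bytes_sent "$http_referer" '
    # '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    # Configure X-Frame-Options Header
    #
    # This is an HTTP header that controls how a site may be
    # framed within an iframe HTML element. Clickjacking is
    # a practical attack that allows malicious sites to
    # trick users into clicking links on a site even though
    # they may appear to not be on our site at all. As such,
    # the use of the X-Frame-Options header is mandatory for
    # all new websites, and all existing websites are
    # expected to add support for X-Frame-Options as soon as
    # possible.
    #
    # Note that this has been superseded by the
    # 'frame-ancestors' Content Security Policy directive,
    # which allows considerably more granular control over
    # the origins allowed to frame a site. However,
    # 'frame-ancestors' is not yet supported in IE11, among
    # others, and thus it is recommended that sites employ
    # both the X-Frame-Options header and CSP.
    #
    # https://infosec.mozilla.org/guidelines/web_security#x-frame-options
    #
    # Inheritance caveat: 'add_header' directives set here
    # are inherited by a 'server' or 'location' block only if
    # that block declares no 'add_header' of its own. Any
    # block below, including the files pulled in by
    # 'include sites-enabled/*', that adds even one unrelated
    # header silently loses this one and must repeat it.
    # "always" makes the header go out on error responses as
    # well, not just on 2xx/3xx.
    #
    add_header X-Frame-Options "DENY" always;
    #
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    # Include site configurations.
    include sites-enabled/*;
    # Default Server
    #
    # This dummy server is meant to act as a low-effort
    # shield to filter all requests to the server by scripts
    # probing the server for vulnerabilities. These scripts
    # probe servers based on IP address a lot of times, so
    # this is simply an easy way of dealing with some of
    # that.
    #
    server {
        # Listen on the default HTTP port and name this
        # server as the default for any incoming requests
        # which do not match any server_name directives.
        #
        # 'default_server' is a property of each address:port
        # pair, not of the server block, so it must be set on
        # the IPv6 socket as well. Without the second 'listen'
        # line an IPv6 request with an unknown or missing
        # "Host" header is not caught here at all: it falls
        # through to the first server declared for [::]:80,
        # which (absent anything in sites-enabled) is the
        # localhost site below, bypassing this shield.
        #
        listen 80 default_server;
        listen [::]:80 default_server;
        # From the documentation, this server_name setting
        # isn't special in any way, nor does it function as
        # a wildcard in any way. The default_server
        # directive above already ensures this server
        # handles any requests that haven't been elsewhere
        # matched, so this name is simply one that won't
        # accidentally mask another, actually legitimate
        # server on this network.
        #
        # The server name is additionally set to an empty
        # string that will match requests without the "Host"
        # header field.
        #
        server_name _ "";
        # A special NGINX non-standard code, 444, is
        # returned that closes the connection.
        #
        # Nothing is written back, so the probing client gets
        # no status line, no "Server" header and no error page
        # to fingerprint.
        #
        return 444;
    }
    # The 'server' directive sets the configuration for a
    # virtual server. There is no clear separation between
    # IP-based and name-based virtual servers. Instead, the
    # 'listen' directives describe all addresses and ports that
    # should accept connections for the server, and the
    # 'server_name' directive lists all server names.
    #
    server {
        # Listen on port 80 via IPv4;
        listen 80;
        # Listen on port 80 via IPv6;
        listen [::]:80;
        # Sets the names of this virtual server, where the first
        # parameter becomes the primary server name and all
        # other (optional) parameters are essentially aliases.
        #
        server_name localhost;
        location / {
            root /srv/http/sites/localhost;
            index index.html;
            # Enables or disables checking for the existence of
            # pre-compressed files.
            #
            # The following directives are also taken into
            # account:
            #
            # - gzip_http_version
            # - gzip_proxied
            # - gzip_disable
            # - gzip_vary
            #
            # Gzip compression can be enabled with either the
            # "on" or "always" settings. Using a value of
            # "always" will unconditionally send a compressed
            # version of the file, without bothering to check
            # whether the client supports it.
            #
            # The files can be compressed using the 'gzip'
            # command, or any other compatible one. It is
            # recommended that the modification date and time be
            # the same.
            #
            # Example command:
            #
            # gzip --best --keep --name <filename>
            #
            gzip_static on;
            # Limit all methods except GET and HEAD on this URI
            # for every possible client address.
            #
            # NGINX treats allowing GET as also allowing HEAD,
            # which is why the list names only GET. Every other
            # method receives a 403 from 'deny all'. The
            # restriction belongs to this location only; the
            # favicon location below is a separate context and
            # answers any method with its 204.
            #
            limit_except GET {
                deny all;
            }
        }
        # Respond to all favicon requests with an HTTP 204 No
        # Content header.
        #
        # The pattern is unanchored, so it matches any URI that
        # contains "favicon.ico" anywhere in the path, not just
        # the site root, and a matching regular-expression
        # location takes precedence over the '/' prefix
        # location above. If only the root icon should be
        # short-circuited, the exact-match form
        # 'location = /favicon.ico' is both narrower and
        # cheaper to evaluate.
        #
        location ~ favicon\.ico {
            return 204;
        }
    }
}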