-
-
Save linkimfly/c643c6d3458464e0c9974f8974e1d703 to your computer and use it in GitHub Desktop.
nginx config file template for Debian and Ubuntu
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# User and group used by worker processes | |
user www-data; | |
# Ideally # of worker processes = # of CPUs or cores | |
# Set to auto to autodetect | |
# max_clients = worker_processes * worker_connections | |
worker_processes auto; | |
pid /run/nginx.pid; | |
# Maximum number of open file descriptors per process | |
# should be > worker_connections | |
worker_rlimit_nofile 10240; | |
events { | |
# Use epoll on Linux 2.6+ | |
use epoll; | |
# Max number of simultaneous connections per worker process | |
worker_connections 2048; | |
# Accept all new connections at one time | |
multi_accept on; | |
} | |
http { | |
## | |
# Basic Settings | |
## | |
# Hide nginx version information | |
server_tokens off; | |
# Speed up file transfers by using sendfile() to copy directly | |
# between descriptors rather than using read()/write() | |
sendfile on; | |
# Tell Nginx not to send out partial frames; this increases throughput | |
# since TCP frames are filled up before being sent out (adds TCP_CORK) | |
# Send the response header and the beginning of a file in one packet | |
# Send a file in full packets | |
tcp_nopush on; | |
# Tell Nginx to enable the Nagle buffering algorithm for TCP packets | |
# which collates several smaller packets together into one larger packet | |
# thus saving bandwidth at the cost of a nearly imperceptible increase to latency | |
tcp_nodelay off; | |
send_timeout 30; | |
# How long to allow each connection to stay idle; | |
# Longer values are better for each individual client, especially SSL | |
# But means that worker connections are tied up longer.75 | |
keepalive_timeout 60; | |
keepalive_requests 200; | |
# client_header_timeout 20; | |
# client_body_timeout 20; | |
reset_timedout_connection on; | |
types_hash_max_size 2048; | |
server_names_hash_bucket_size 64; | |
# server_name_in_redirect off; | |
include /etc/nginx/mime.types; | |
# default_type application/octet-stream; | |
default_type text/html; | |
charset UTF-8; | |
## | |
# Logging Settings | |
## | |
access_log /var/log/nginx/access.log; | |
error_log /var/log/nginx/error.log; | |
## | |
# Gzip Settings | |
## | |
# Enable Gzip compression | |
gzip on; | |
# This should be turned on if pre-compressed copies (.gz) of static files exist | |
# If NOT it should be left off as it will cause extra I/O | |
# default: off | |
# gzip_static on; | |
# Do NOT compress anything smaller than 256 bytes | |
gzip_min_length 256; | |
# Fuck IE6 | |
gzip_disable "msie6"; | |
# Tell proxies to cache both the gzipped and regular version of a resource | |
# whenever the client's Accept-Encoding capabilities header varies; | |
# Avoids the issue where a non-gzip capable client (rare) | |
# would display gibberish if their proxy gave them the gzipped version. | |
# gzip_vary on; | |
# Compress data even for clients that are connecting via proxies | |
# Identified by the "Via" header | |
gzip_proxied any; | |
# Compression level (1-9) | |
# 5 is the perfect compromise between size and CPU usage | |
gzip_comp_level 5; | |
# gzip_buffers 16 8k; | |
# gzip_http_version 1.1; | |
gzip_types | |
text/plain | |
text/css | |
application/json | |
application/x-javascript | |
text/xml | |
application/xml | |
application/xml+rss | |
text/javascript; | |
# Cache open file descriptors, their sizes and mtime | |
# information on existence of directories | |
# file lookup error such as "file not found", "no read permission" and so on | |
# | |
# Pros: nginx can immediately begin sending data when a popular file is requested | |
# and will also immediately send a 404 if a file doesn't exist, and so on | |
# | |
# Cons: The server will NOT react immediately to changes on file system | |
# which may be undesirable | |
# | |
# Config: inactive files are released from the cache after 20 seconds | |
# whereas active (recently requested) files are re-validated every 30 seconds | |
# File descriptors will NOT be cached unless they are used at least twice in 20s (inactive) | |
# | |
# A maximum of the 1000 most recently used file descriptors will be cached at any time | |
# | |
# Production servers with stable file collections will definitely want to enable the cache | |
open_file_cache max=1000 inactive=20s; | |
open_file_cache_valid 30s; | |
open_file_cache_min_uses 2; | |
open_file_cache_errors on; | |
## | |
# nginx-naxsi config | |
## | |
# Uncomment it if you installed nginx-naxsi | |
## | |
#include /etc/nginx/naxsi_core.rules; | |
## | |
# nginx-passenger config | |
## | |
# Uncomment it if you installed nginx-passenger | |
## | |
#passenger_root /usr; | |
#passenger_ruby /usr/bin/ruby; | |
## | |
# Virtual Host Configs | |
## | |
include /etc/nginx/conf.d/*.conf; | |
include /etc/nginx/sites-enabled/*; | |
} | |
#mail { | |
# # See sample authentication script at: | |
# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript | |
# | |
# # auth_http localhost/auth.php; | |
# # pop3_capabilities "TOP" "USER"; | |
# # imap_capabilities "IMAP4rev1" "UIDPLUS"; | |
# | |
# server { | |
# listen localhost:110; | |
# protocol pop3; | |
# proxy on; | |
# } | |
# | |
# server { | |
# listen localhost:143; | |
# protocol imap; | |
# proxy on; | |
# } | |
#} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
upstream php { | |
server unix:/run/php/php7.0-fpm.sock; | |
} | |
server { | |
listen 80; | |
# listen [::]:80 default ipv6only=on; | |
server_name terry.im www.terry.im; | |
# redirect all HTTP requests to HTTPS with a 301 Moved Permanently response | |
return 301 https://$host$request_uri; | |
} | |
server { | |
# listen 443 ssl; | |
listen 443 ssl http2; | |
server_name terry.im www.terry.im; | |
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate | |
ssl_certificate /etc/letsencrypt/live/terry.im/fullchain.pem; | |
ssl_certificate_key /etc/letsencrypt/live/terry.im/privkey.pem; | |
ssl_session_timeout 1d; | |
ssl_session_cache shared:SSL:50m; | |
ssl_session_tickets off; | |
# Diffie-Hellman parameter for DHE ciphersuites, recommended 4096 bits | |
# openssl dhparam -out /path/to/dhparams_4096.pem 4096 | |
ssl_dhparam /etc/ssl/private/dhparams_4096.pem; | |
# modern configuration, tweak to your needs | |
ssl_protocols TLSv1.2; | |
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | |
ssl_prefer_server_ciphers on; | |
# intermediate configuration, tweak to your needs | |
# ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
# ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; | |
# ssl_prefer_server_ciphers on; | |
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) | |
# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;"; | |
add_header Strict-Transport-Security "max-age=63072000; preload;"; | |
# OCSP Stapling --- | |
# fetch OCSP records from URL in ssl_certificate and cache them | |
ssl_stapling on; | |
ssl_stapling_verify on; | |
## verify chain of trust of OCSP response using Root CA and Intermediate certs | |
ssl_trusted_certificate /etc/letsencrypt/live/terry.im/fullchain.pem; | |
# resolver <IP DNS resolver> valid=300s; | |
# resolver_timeout 5s; | |
resolver 8.8.8.8 8.8.4.4 valid=30s ipv6=off; | |
resolver_timeout 5s; | |
root /var/www/terry.im; | |
index index.php index.html index.htm; | |
# rewrite ^(.*)$ $scheme://www.terry.im$1; | |
access_log /var/log/nginx/terry.im-access.log; | |
error_log /var/log/nginx/terry.im-error.log; | |
location / { | |
# First attempt to serve request as file, then | |
# as directory, then fall back to index.html | |
try_files $uri $uri/ /index.html; | |
} | |
location ~ \.php$ { | |
try_files $uri =404; | |
fastcgi_index index.php; | |
# include fastcgi_params; | |
# nginx 1.6.1 upstream change - use fastcgi.conf | |
include fastcgi.conf; | |
# fastcgi_pass unix:/var/run/php5-fpm.sock; | |
# Use upstream | |
fastcgi_pass php; | |
# proxy_set_header X-Real-IP $remote_addr; | |
# proxy_set_header X-Forwarded-For $remote_addr; | |
# proxy_set_header Host $host; | |
# proxy_pass http://127.0.0.1:8080; | |
# proxy_redirect off; | |
} | |
# tweetnest rewrite rules | |
location ~ /tweetnest { | |
rewrite ^/tweetnest/sort/?$ /tweetnest/sort.php last; | |
rewrite ^/tweetnest/favorites/?$ /tweetnest/favorites.php last; | |
rewrite ^/tweetnest/search/?$ /tweetnest/search.php last; | |
rewrite ^/tweetnest/([0-9]+)/([0-9]+)/?$ /tweetnest/month.php?y=$1&m=$2; | |
rewrite ^/tweetnest/([0-9]+)/([0-9]+)/([0-9]+)/?$ /tweetnest/day.php?y=$1&m=$2&d=$3; | |
} | |
location = /favicon.ico { | |
log_not_found off; | |
access_log off; | |
} | |
location = /robots.txt { | |
allow all; | |
log_not_found off; | |
access_log off; | |
} | |
location ~ /\. { | |
deny all; | |
} | |
location ~* (?:\.(?:bak|config|sql|fla|psd|ini|log|sh|inc|swp|dist)|~)$ { | |
deny all; | |
} | |
# Browser cache | |
location ~* ^.+\.(css|js|jpg|jpeg|gif|png|ico|gz|svg|svgz|ttf|otf|woff|eot|mp4|ogg|ogv|webm)$ { | |
expires 30d; | |
log_not_found off; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment