
@nexus166
Last active October 22, 2019 23:54
NGINX config file
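# Process-level settings: run workers as www-data, one worker per CPU core,
# and pull in any dynamically built modules (more_clear_headers below needs
# the headers-more module, presumably loaded from modules-enabled).
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
}

http {
    # Socket / buffer tuning.
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;
    client_body_buffer_size 128k;
    # NOTE(review): 3m is allocated for header reading on every request;
    # together with the 4x256k spill-over buffers this is far above the
    # defaults and is what a flood of idle connections would make nginx
    # reserve. Kept as the author set it — re-check against the box's RAM.
    client_header_buffer_size 3m;
    large_client_header_buffers 4 256k;
    # Short timeouts so slow or stalled clients release their connection
    # quickly; reset_timedout_connection frees the socket state as well.
    client_body_timeout 10s;
    client_header_timeout 10s;
    reset_timedout_connection on;
    send_timeout 3;
    keepalive_timeout 30;
    # Hide the nginx version in error pages and the Server header.
    server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # TLS: no session tickets (their key never rotates in nginx), a shared
    # session cache instead, TLS 1.2/1.3 only, server-chosen cipher order.
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:3m;
    ssl_session_timeout 5m;
    # NOTE(review): a single curve means X25519 is never offered, which
    # most TLS 1.3 clients prefer; unchanged here, consider X25519:secp384r1.
    ssl_ecdh_curve secp384r1;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Kept verbatim. The list applies to TLS 1.2 only (1.3 suites are fixed)
    # and still includes CBC suites and puts DHE ahead of ECDHE; an
    # AEAD-only ECDHE-first list would be the modern choice.
    ssl_ciphers !ADH:!AECDH:!aNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:!ECDHE-RSA-AES256-CBC-SHA384:!ECDHE-RSA-AES128-CBC-SHA256:!DHE-RSA-AES256-CBC-SHA256:!DHE-RSA-AES128-CBC-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    # OCSP stapling; the resolver is needed to reach the OCSP responder.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 5s;

    # Strip headers that fingerprint the stack (requires headers-more).
    more_clear_headers Server X-Page-Speed X-Powered-By X-CF-Powered-By;
    # Security headers. "always" also sends them on error responses.
    # These http-level add_header directives are inherited by a server or
    # location ONLY if that block declares no add_header of its own — adding
    # one header further down silently drops all of these.
    # HSTS with preload commits every subdomain to HTTPS for two years.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
    # Legacy filter header; current browsers ignore it and current guidance
    # is "0" or omit. Value left as the author set it.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "DENY" always;

    # Compression (only for bodies >= 10 KiB, and for proxied responses only
    # when they are not cacheable).
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Per-client-IP connection and request-rate limits, shared by both
    # servers below (10 MB zones keyed on the binary address).
    limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:10m;
    limit_req_zone $binary_remote_addr zone=req_limit_per_ip:10m rate=5r/s;

    # Plain-HTTP server: only job is to redirect the expected host to HTTPS
    # and close (444) anything arriving with a different Host header.
    server {
        # Single place to change the served hostname for the Host check.
        set $sni "example.com";
        limit_conn conn_limit_per_ip 2;
        limit_req zone=req_limit_per_ip burst=10 nodelay;
        listen 80 default_server;
        listen [::]:80 default_server;
        # server_name does not expand variables, so it must be a literal.
        server_name example.com;
        # Host check. Fix: the original used `!~ ^($sni)$`, but nginx compiles
        # the regex of an `if` at load time and does not substitute $sni
        # inside it, so the pattern could never match and every request was
        # answered with 444. A string comparison does expand the variable.
        if ($host != $sni) {
            return 444;
        }
        return 301 https://$host$request_uri;
    }

    # HTTPS server: terminates TLS and proxies to the local backend.
    server {
        set $sni "example.com";
        limit_conn conn_limit_per_ip 10;
        limit_req zone=req_limit_per_ip burst=10 nodelay;
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name example.com;
        # Same Host check as the :80 server (see the note there).
        if ($host != $sni) {
            return 444;
        }
        # Cannot trigger on a server that only has ssl listeners; kept as a
        # belt-and-braces guard.
        if ($scheme != "https") {
            return 301 https://$host$request_uri;
        }
        # Close the connection on any method the backend is not meant to see.
        if ( $request_method !~ ^(GET|HEAD|OPTIONS|POST)$ ) {
            return 444;
        }
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
        ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
        # Chain used to verify stapled OCSP responses; assumes fullchain.pem
        # carries the intermediate — confirm the error log shows no stapling
        # warnings after reload.
        ssl_trusted_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
        # sendfile brings nothing over TLS (data must pass through userspace).
        sendfile off;
        proxy_buffer_size 128k;
        proxy_buffers 4 256k;
        proxy_busy_buffers_size 256k;
        client_max_body_size 50m;
        client_body_buffer_size 128k;
        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Added: without these the backend cannot tell the request was
            # HTTPS (secure cookies, redirect scheme) nor see the client chain.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}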