Last active
December 12, 2024 09:53
-
-
Save serverok/862716a6df020e38966744fd79950320 to your computer and use it in GitHub Desktop.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Server globals | |
| user www-data; | |
| worker_processes auto; | |
| worker_rlimit_nofile 65535; | |
| error_log /var/log/nginx/error.log; | |
| pid /run/nginx.pid; | |
| include /etc/nginx/conf.d/main/*.conf; | |
| include /etc/nginx/modules-enabled/*.conf; | |
| # Worker config | |
| events { | |
| worker_connections 1024; | |
| use epoll; | |
| multi_accept on; | |
| } | |
| http { | |
| # Main settings | |
| sendfile on; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| client_header_timeout 180s; | |
| client_body_timeout 1d; | |
| client_header_buffer_size 2k; | |
| client_body_buffer_size 256k; | |
| client_max_body_size 1024m; | |
| large_client_header_buffers 4 8k; | |
| send_timeout 1d; | |
| keepalive_timeout 65s; | |
| keepalive_requests 1000; | |
| reset_timedout_connection on; | |
| server_tokens off; | |
| server_name_in_redirect off; | |
| server_names_hash_max_size 512; | |
| server_names_hash_bucket_size 512; | |
| charset utf-8; | |
| # FastCGI settings | |
| fastcgi_buffers 512 4k; | |
| fastcgi_buffer_size 256k; | |
| fastcgi_busy_buffers_size 256k; | |
| fastcgi_temp_file_write_size 256k; | |
| fastcgi_connect_timeout 30s; | |
| fastcgi_read_timeout 1d; | |
| fastcgi_send_timeout 1d; | |
| fastcgi_cache_lock on; | |
| fastcgi_cache_lock_timeout 5s; | |
| fastcgi_cache_background_update on; | |
| fastcgi_cache_revalidate on; | |
| # Proxy settings | |
| proxy_redirect off; | |
| proxy_set_header Host $host; | |
| proxy_set_header Early-Data $rfc_early_data; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_pass_header Set-Cookie; | |
| proxy_buffers 256 4k; | |
| proxy_buffer_size 32k; | |
| proxy_busy_buffers_size 32k; | |
| proxy_temp_file_write_size 256k; | |
| proxy_connect_timeout 30s; | |
| proxy_read_timeout 1d; | |
| proxy_send_timeout 180s; | |
| # Log format | |
| log_format main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"'; | |
| log_format bytes '$body_bytes_sent'; | |
| log_not_found off; | |
| access_log off; | |
| # Mime settings | |
| include /etc/nginx/mime.types; | |
| default_type application/octet-stream; | |
| # Compression | |
| gzip on; | |
| gzip_vary on; | |
| gzip_static on; | |
| gzip_comp_level 6; | |
| gzip_min_length 1024; | |
| gzip_buffers 128 4k; | |
| gzip_http_version 1.1; | |
| gzip_types text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf; | |
| gzip_proxied any; | |
| # Cloudflare IPs | |
| include /etc/nginx/conf.d/cloudflare.inc; | |
| # SSL PCI compliance | |
| ssl_buffer_size 1369; | |
| ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"; | |
| ssl_dhparam /etc/ssl/dhparam.pem; | |
| ssl_early_data on; | |
| ssl_ecdh_curve auto; | |
| ssl_prefer_server_ciphers on; | |
| ssl_protocols TLSv1.2 TLSv1.3; | |
| ssl_session_cache shared:SSL:20m; | |
| ssl_session_tickets on; | |
| ssl_session_timeout 7d; | |
| resolver 127.0.0.53 valid=300s ipv6=off; | |
| resolver_timeout 5s; | |
| # Error pages | |
| error_page 403 /error/404.html; | |
| error_page 404 /error/404.html; | |
| error_page 410 /error/410.html; | |
| error_page 500 501 502 503 504 505 /error/50x.html; | |
| # Proxy cache | |
| proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m; | |
| proxy_cache_key "$scheme$request_method$host$request_uri"; | |
| proxy_temp_path /var/cache/nginx/temp; | |
| proxy_ignore_headers Cache-Control Expires; | |
| proxy_cache_use_stale error timeout invalid_header updating http_502; | |
| proxy_cache_valid any 1d; | |
| # FastCGI cache | |
| fastcgi_cache_path /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m inactive=30m max_size=1024m; | |
| fastcgi_cache_key "$scheme$request_method$host$request_uri"; | |
| fastcgi_ignore_headers Cache-Control Expires Set-Cookie; | |
| fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503; | |
| add_header X-FastCGI-Cache $upstream_cache_status; | |
| # Cache bypass | |
| map $http_cookie $no_cache { | |
| default 0; | |
| ~SESS 1; | |
| ~wordpress_logged_in 1; | |
| } | |
| # File cache (static assets) | |
| open_file_cache max=10000 inactive=30s; | |
| open_file_cache_valid 60s; | |
| open_file_cache_min_uses 2; | |
| open_file_cache_errors off; | |
| # Wildcard include | |
| include /etc/nginx/conf.d/*.conf; | |
| include /etc/nginx/sites-enabled/*.conf; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment