uzbekdev1 · April 7, 2021 22:50
diff --git a/nginx.conf.j2 b/nginx.conf.j2
 # {{ ansible_managed }}

 # nginx Configuration File
 # http://wiki.nginx.org/Configuration

 # Run as a less privileged user for security reasons.
 user {{ nginx_user }};

 # How many worker threads to run;
 # "auto" sets it to the number of CPU cores available in the system, and
 # offers the best performance. Don't set it higher than the number of CPU
 # cores if changing this parameter.

 # The maximum number of connections for Nginx is calculated by:
 # max_clients = worker_processes * worker_connections
 worker_processes auto;

 # Maximum open file descriptors per process;
 # should be > worker_connections.
 worker_rlimit_nofile 8192;

 events {
  # When you need > 8000 * cpu_cores connections, you start optimizing your OS,
  # and this is probably the point at which you hire people who are smarter than
  # you, as this is *a lot* of requests.
  worker_connections 8000;
 }

 # Default error log file
 # (this is only used when you don't override error_log on a server{} level)
 error_log  {{ nginx_logs_root }}/error.log warn;
 pid        /run/nginx.pid;

 http {
  # Hide nginx version information.
  server_tokens off;
  
  # Cloudflare set real IP - Keep these values updated from time to time
  # https://www.cloudflare.com/ips-v4
  # https://www.cloudflare.com/ips-v6
  set_real_ip_from 103.21.244.0/22;
  set_real_ip_from 103.22.200.0/22;
  set_real_ip_from 103.31.4.0/22;
  set_real_ip_from 104.16.0.0/12;
  set_real_ip_from 108.162.192.0/18;
  set_real_ip_from 131.0.72.0/22;
  set_real_ip_from 141.101.64.0/18;
  set_real_ip_from 162.158.0.0/15;
  set_real_ip_from 172.64.0.0/13;
  set_real_ip_from 173.245.48.0/20;
  set_real_ip_from 188.114.96.0/20;
  set_real_ip_from 190.93.240.0/20;
  set_real_ip_from 197.234.240.0/22;
  set_real_ip_from 198.41.128.0/17;
  set_real_ip_from 199.27.128.0/21;
  set_real_ip_from 2400:cb00::/32;
  set_real_ip_from 2606:4700::/32;
  set_real_ip_from 2803:f800::/32;
  set_real_ip_from 2405:b500::/32;
  set_real_ip_from 2405:8100::/32;
  set_real_ip_from 2c0f:f248::/32;
  set_real_ip_from 2a06:98c0::/29;

  # Use either of the following two
  #real_ip_header CF-Connecting-IP;
  real_ip_header X-Forwarded-For;

  # Setup the fastcgi cache.
  fastcgi_buffers {{ nginx_fastcgi_buffers }};
  fastcgi_buffer_size {{ nginx_fastcgi_buffer_size }};
  fastcgi_cache_path {{ nginx_cache_path }} levels=1:2 keys_zone=wordpress:{{ nginx_cache_key_storage_size }} max_size={{ nginx_cache_size }} inactive={{ nginx_cache_inactive }};
  fastcgi_cache_use_stale updating error timeout invalid_header http_500;
  fastcgi_cache_lock on;
  fastcgi_cache_key $realpath_root$scheme$host$request_uri$request_method;
  fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
  fastcgi_pass_header Set-Cookie;
  fastcgi_pass_header Cookie;

  # Define the MIME types for files.
  include       h5bp-server-configs/mime.types;
  default_type  application/octet-stream;

  # Update charset_types due to updated mime.types
  charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;

  # Format to use in log files - Added Real IP first then CF's IP after
  log_format  main  '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$remote_addr"';

  # Default log file
  # (this is only used when you don't override access_log on a server{} level)
  access_log {{ nginx_logs_root }}/access.log main;

  # How long to allow each connection to stay idle; longer values are better
  # for each individual client, particularly for SSL, but means that worker
  # connections are tied up longer. (Default: 65)
  keepalive_timeout 20;

  # Speed up file transfers by using sendfile() to copy directly
  # between descriptors rather than using read()/write().
  sendfile        on;

  # Tell Nginx not to send out partial frames; this increases throughput
  # since TCP frames are filled up before being sent out. (adds TCP_CORK)
  tcp_nopush      on;

  # Compression

  # Enable Gzip compressed.
  gzip on;

  # Compression level (1-9).
  # 5 is a perfect compromise between size and cpu usage, offering about
  # 75% reduction for most ascii files (almost identical to level 9).
  gzip_comp_level    5;

  # Don't compress anything that's already small and unlikely to shrink much
  # if at all (the default is 20 bytes, which is bad as that usually leads to
  # larger files after gzipping).
  gzip_min_length    256;

  # Compress data even for clients that are connecting to us via proxies,
  # identified by the "Via" header (required for CloudFront).
  gzip_proxied       any;

  # Tell proxies to cache both the gzipped and regular version of a resource
  # whenever the client's Accept-Encoding capabilities header varies;
  # Avoids the issue where a non-gzip capable client (which is extremely rare
  # today) would display gibberish if their proxy gave them the gzipped version.
  gzip_vary          on;

  # Compress all output labeled with one of the following MIME-types.
  gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rss+xml
    application/vnd.geo+json
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/bmp
    image/svg+xml
    image/x-icon
    text/cache-manifest
    text/css
    text/plain
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;
  # text/html is always compressed by HttpGzipModule

  # This should be turned on if you are going to have pre-compressed copies (.gz) of
  # static files available. If not it should be left off as it will cause extra I/O
  # for the check. It is best if you enable this in a location{} block for
  # a specific directory, or on an individual server{} level.
  # gzip_static on;

  include sites-enabled/*;
 }
	# {{ ansible_managed }}

	# nginx Configuration File
	# http://wiki.nginx.org/Configuration

	# Run as a less privileged user for security reasons.
	user {{ nginx_user }};

	# How many worker threads to run;
	# "auto" sets it to the number of CPU cores available in the system, and
	# offers the best performance. Don't set it higher than the number of CPU
	# cores if changing this parameter.

	# The maximum number of connections for Nginx is calculated by:
	# max_clients = worker_processes * worker_connections
	worker_processes auto;

	# Maximum open file descriptors per process;
	# should be > worker_connections.
	worker_rlimit_nofile 8192;

	events {
	# When you need > 8000 * cpu_cores connections, you start optimizing your OS,
	# and this is probably the point at which you hire people who are smarter than
	# you, as this is a lot of requests.
	worker_connections 8000;
	}

	# Default error log file
	# (this is only used when you don't override error_log on a server{} level)
	error_log {{ nginx_logs_root }}/error.log warn;
	pid /run/nginx.pid;

	http {
	# Hide nginx version information.
	server_tokens off;

	# Cloudflare set real IP - Keep these values updated from time to time
	# https://www.cloudflare.com/ips-v4
	# https://www.cloudflare.com/ips-v6
	set_real_ip_from 103.21.244.0/22;
	set_real_ip_from 103.22.200.0/22;
	set_real_ip_from 103.31.4.0/22;
	set_real_ip_from 104.16.0.0/12;
	set_real_ip_from 108.162.192.0/18;
	set_real_ip_from 131.0.72.0/22;
	set_real_ip_from 141.101.64.0/18;
	set_real_ip_from 162.158.0.0/15;
	set_real_ip_from 172.64.0.0/13;
	set_real_ip_from 173.245.48.0/20;
	set_real_ip_from 188.114.96.0/20;
	set_real_ip_from 190.93.240.0/20;
	set_real_ip_from 197.234.240.0/22;
	set_real_ip_from 198.41.128.0/17;
	set_real_ip_from 199.27.128.0/21;
	set_real_ip_from 2400:cb00::/32;
	set_real_ip_from 2606:4700::/32;
	set_real_ip_from 2803:f800::/32;
	set_real_ip_from 2405:b500::/32;
	set_real_ip_from 2405:8100::/32;
	set_real_ip_from 2c0f:f248::/32;
	set_real_ip_from 2a06:98c0::/29;

	# Use either of the following two
	#real_ip_header CF-Connecting-IP;
	real_ip_header X-Forwarded-For;

	# Setup the fastcgi cache.
	fastcgi_buffers {{ nginx_fastcgi_buffers }};
	fastcgi_buffer_size {{ nginx_fastcgi_buffer_size }};
	fastcgi_cache_path {{ nginx_cache_path }} levels=1:2 keys_zone=wordpress:{{ nginx_cache_key_storage_size }} max_size={{ nginx_cache_size }} inactive={{ nginx_cache_inactive }};
	fastcgi_cache_use_stale updating error timeout invalid_header http_500;
	fastcgi_cache_lock on;
	fastcgi_cache_key $realpath_root$scheme$host$request_uri$request_method;
	fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
	fastcgi_pass_header Set-Cookie;
	fastcgi_pass_header Cookie;

	# Define the MIME types for files.
	include h5bp-server-configs/mime.types;
	default_type application/octet-stream;

	# Update charset_types due to updated mime.types
	charset_types text/css text/plain text/vnd.wap.wml application/javascript application/json application/rss+xml application/xml;

	# Format to use in log files - Added Real IP first then CF's IP after
	log_format main '$http_x_forwarded_for - $remote_user [$time_local] "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$remote_addr"';

	# Default log file
	# (this is only used when you don't override access_log on a server{} level)
	access_log {{ nginx_logs_root }}/access.log main;

	# How long to allow each connection to stay idle; longer values are better
	# for each individual client, particularly for SSL, but means that worker
	# connections are tied up longer. (Default: 65)
	keepalive_timeout 20;

	# Speed up file transfers by using sendfile() to copy directly
	# between descriptors rather than using read()/write().
	sendfile on;

	# Tell Nginx not to send out partial frames; this increases throughput
	# since TCP frames are filled up before being sent out. (adds TCP_CORK)
	tcp_nopush on;

	# Compression

	# Enable Gzip compressed.
	gzip on;

	# Compression level (1-9).
	# 5 is a perfect compromise between size and cpu usage, offering about
	# 75% reduction for most ascii files (almost identical to level 9).
	gzip_comp_level 5;

	# Don't compress anything that's already small and unlikely to shrink much
	# if at all (the default is 20 bytes, which is bad as that usually leads to
	# larger files after gzipping).
	gzip_min_length 256;

	# Compress data even for clients that are connecting to us via proxies,
	# identified by the "Via" header (required for CloudFront).
	gzip_proxied any;

	# Tell proxies to cache both the gzipped and regular version of a resource
	# whenever the client's Accept-Encoding capabilities header varies;
	# Avoids the issue where a non-gzip capable client (which is extremely rare
	# today) would display gibberish if their proxy gave them the gzipped version.
	gzip_vary on;

	# Compress all output labeled with one of the following MIME-types.
	gzip_types
	application/atom+xml
	application/javascript
	application/json
	application/ld+json
	application/manifest+json
	application/rss+xml
	application/vnd.geo+json
	application/vnd.ms-fontobject
	application/x-font-ttf
	application/x-web-app-manifest+json
	application/xhtml+xml
	application/xml
	font/opentype
	image/bmp
	image/svg+xml
	image/x-icon
	text/cache-manifest
	text/css
	text/plain
	text/vcard
	text/vnd.rim.location.xloc
	text/vtt
	text/x-component
	text/x-cross-domain-policy;
	# text/html is always compressed by HttpGzipModule

	# This should be turned on if you are going to have pre-compressed copies (.gz) of
	# static files available. If not it should be left off as it will cause extra I/O
	# for the check. It is best if you enable this in a location{} block for
	# a specific directory, or on an individual server{} level.
	# gzip_static on;

	include sites-enabled/*;
	}