From 5054d718cfe10469bc03a968037b37fd674a64ca Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Wed, 20 Mar 2024 19:28:05 -0400
Subject: [PATCH] disable keepalive by default

No need for keepalive for the internal socket.
---
 nginx/nginx.conf | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 66e8788..1ee4560 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -26,7 +26,7 @@ http {
 sendfile_max_chunk 256k;
 tcp_nopush on;
 keepalive_requests 256;
- keepalive_timeout 3m;
+ keepalive_timeout 0;
 server_tokens off;
 msie_padding off;
@@ -97,8 +97,6 @@ http {
 listen 80 default_server backlog=4096;
 listen [::]:80 default_server backlog=4096;
- keepalive_timeout 0;
-
 # https://trac.nginx.org/nginx/ticket/2012
 location / {
 return 404;
@@ -110,8 +108,6 @@ http {
 listen [::]:80;
 server_name matrix.grapheneos.org element.grapheneos.org;
- keepalive_timeout 0;
-
 location /.well-known/acme-challenge/ {
 root /srv/certbot;
 }
@@ -126,8 +122,6 @@ http {
 listen [::]:443 default_server ssl http2 backlog=4096;
 ssl_reject_handshake on;
- keepalive_timeout 0;
-
 # https://trac.nginx.org/nginx/ticket/2012
 location / {
 return 404;
@@ -139,6 +133,8 @@ http {
 listen [::]:443 ssl http2;
 server_name matrix.grapheneos.org;
+ keepalive_timeout 3m;
+
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "same-origin" always;
 add_header Content-Security-Policy "font-src 'none'; manifest-src 'none'; object-src 'none'; script-src 'none'; style-src 'none'; frame-ancestors 'none'" always;
@@ -184,6 +180,8 @@ http {
 include root_element.grapheneos.org.conf;
+ keepalive_timeout 3m;
+
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "cross-origin" always;
 add_header Content-Security-Policy "font-src 'self'; manifest-src 'self'; object-src 'none'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'" always;
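Review bot: The http-level `keepalive_timeout 0;` in the first hunk of nginx/nginx.conf has no comment saying that keepalive is now opt-in per server, and the rationale in the commit message (the internal socket) concerns a server block this diff does not show. Every server without its own `keepalive_timeout` inherits the value, so a client-facing vhost added later would presumably close the connection after each HTTP/1.x response and pay a new TLS handshake per request, with nothing in the file explaining why. I would add a comment above the directive, for example `# keepalive off by default (not needed for the internal socket); client-facing TLS servers opt in with their own keepalive_timeout`. The `keepalive_requests 256;` context line above it now only takes effect where the timeout is re-enabled. The http block starts and ends outside the hunk.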
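Review bot: The `keepalive_timeout 3m;` added to the matrix.grapheneos.org server in the fifth hunk is repeated verbatim in the sixth hunk (the server that includes `root_element.grapheneos.org.conf`), so the two client-facing TLS servers can drift apart once one value is tuned. Both blocks already pull in `snippets/security-headers.conf`, so a shared include for the connection settings would keep the opt-in in one place. Failing that, a comment on each line such as `# re-enable keepalive for client-facing TLS; the http-level default is 0` would at least tie the two together. Both server blocks start and end outside their hunks.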