forked from littlebizzy/slickstack
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx-conf.txt
336 lines (279 loc) · 19 KB
/
nginx-conf.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
####################################################################################################
#### author: SlickStack ############################################################################
#### link: https://slickstack.io ###################################################################
#### mirror: https://mirrors.slickstack.io/modules/nginx/nginx-conf.txt ############################
#### path: n/a (boilerplate) #######################################################################
#### destination: /etc/nginx/nginx.conf (after install) ############################################
#### purpose: Nginx main configuration file (server block configuration file is separate) ##########
#### module version: Nginx 1.18.x ##################################################################
#### sourced by: n/a ###############################################################################
#### bash aliases: n/a #############################################################################
####################################################################################################
## NGINX OPTIMIZED FOR CLOUDFLARE AND TRAFFIC SCALING (NON-CLUSTERED HIGH TRAFFIC) ##
## FASTCGI CACHE AND SSL SETTINGS ARE ALSO INCLUDED IN THIS BOILERPLATE ##
####################################################################################################
#### Nginx.conf: General Settings ##################################################################
####################################################################################################
## for stability and simplicity Nginx always runs as www-data with auto worker processes ##
## worker_rlimit_nofile should be tuned in relevance to worker_connections (etc) ##
user www-data;
worker_processes auto;
worker_rlimit_nofile @NGINX_WORKER_RLIMIT_NOFILE;
pid /run/nginx.pid;
## include Nginx modules ##
include /etc/nginx/modules-enabled/*.conf;
####################################################################################################
#### Nginx.conf: Event Handling Settings ###########################################################
####################################################################################################
## virtually no Linux server should not use epoll or multi_accept thus they are hardcoded ##
## worker_connections should be tuned in relevance to worker_rlimit_nofile (etc) ##
events {
worker_connections @NGINX_WORKER_CONNECTIONS;
multi_accept on;
use epoll;
}
####################################################################################################
#### Nginx.conf: Miscellaneous Settings ############################################################
####################################################################################################
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
server_name_in_redirect off;
server_names_hash_bucket_size @NGINX_SERVER_NAMES_HASH_BUCKET_SIZE;
server_names_hash_max_size @NGINX_SERVER_NAMES_MAX_HASH_SIZE;
types_hash_max_size @NGINX_TYPES_MAX_HASH_SIZE;
####################################################################################################
#### Nginx.conf: FastCGI Cache (Page Cache) Settings ###############################################
####################################################################################################
## FastCGI Cache is arguably the most powerful Nginx feature for scaling high-traffic sites ##
## whenever possible maintain aggressive (higher) settings to improve performance ##
fastcgi_cache_path /var/www/cache/nginx levels=1:2 keys_zone=WORDPRESS:@FCGI_CACHE_MEMORY inactive=@FCGI_CACHE_INACTIVE max_size=@FCGI_CACHE_MAX_SIZE;
fastcgi_cache_key "$scheme$request_method$host$request_uri$rt_session";
fastcgi_cache_use_stale error timeout invalid_header updating http_500;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_cache_lock on;
fastcgi_connect_timeout @FCGI_CONNECT_TIMEOUT;
fastcgi_read_timeout @FCGI_READ_TIMEOUT;
fastcgi_send_timeout @FCGI_SEND_TIMEOUT;
fastcgi_buffering on;
# fastcgi_buffers @FCGI_BUFFERS;
# fastcgi_buffer_size @FCGI_BUFFER_SIZE;
# fastcgi_busy_buffers_size @FCGI_BUSY_BUFFERS_SIZE;
# fastcgi_temp_file_write_size @FCGI_TEMP_FILE_WRITE_SIZE;
####################################################################################################
#### Nginx.conf: Open File Cache Settings ##########################################################
####################################################################################################
## Open File Cache is one of the most effective (and underrated) features to scale Nginx ##
## tuning this well in conjunction with FastCGI Cache will provide robust results ##
open_file_cache max=@OPEN_FILE_CACHE_MAX inactive=@OPEN_FILE_CACHE_INACTIVE;
open_file_cache_valid @OPEN_FILE_CACHE_VALID;
open_file_cache_min_uses @OPEN_FILE_CACHE_MIN_USES;
open_file_cache_errors @OPEN_FILE_CACHE_ERRORS;
####################################################################################################
#### Nginx.conf: Various Buffer Settings ###########################################################
####################################################################################################
client_max_body_size @NGINX_CLIENT_MAX_BODY_SIZE;
client_body_buffer_size @NGINX_CLIENT_BODY_BUFFER_SIZE;
client_header_buffer_size @NGINX_CLIENT_HEADER_BUFFER_SIZE;
large_client_header_buffers @NGINX_LARGE_CLIENT_HEADER_BUFFERS;
####################################################################################################
#### Nginx.conf: Various Timeout + Keepalive Settings ##############################################
####################################################################################################
## when scaling high traffic websites it is important to keep timeouts relatively short ##
## reset_timedout_connection is hardcoded to improve stability (availability) ##
client_body_timeout @NGINX_CLIENT_BODY_TIMEOUT;
client_header_timeout @NGINX_CLIENT_HEADER_TIMEOUT;
keepalive_timeout @NGINX_KEEPALIVE_TIMEOUT;
keepalive_requests @NGINX_KEEPALIVE_REQUESTS;
send_timeout @NGINX_SEND_TIMEOUT;
reset_timedout_connection on;
####################################################################################################
#### Nginx.conf: HTTP Headers (Security Headers) Settings ##########################################
####################################################################################################
## several HTTP security headers are well-known best practices and are thus hardcoded ##
## to noindex your entire website, set SITE_NOINDEX to true in your ss-config ##
add_header X-Powered-By "@NGINX_HEADER_POWERED_BY";
add_header Strict-Transport-Security "@NGINX_HEADER_STRICT_TRANSPORT_SECURITY" always; ## 180 days
add_header X-FastCGI-Cache $upstream_cache_status;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "@NGINX_HEADER_REFERRER_POLICY";
add_header Permissions-Policy "@NGINX_HEADER_PERMISSIONS_POLICY";
# add_header Feature-Policy "@NGINX_HEADER_FEATURE_POLICY";
#@NOINDEX# ## noindex the entire site ##
#@NOINDEX# add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
## hide Nginx version ##
server_tokens off;
## enforce Unicode encoding ##
charset utf-8;
####################################################################################################
#### Nginx.conf: HTTP Caching Headers Settings (Browser Cache) #####################################
####################################################################################################
## Pragma and Expires are outdated cache headers that conflict with Cache-Control header ##
## moreover CDNs set CC headers on static files and it is not relevant for HTML ##
more_clear_headers "Pragma";
more_clear_headers "Expires";
more_clear_headers "Cache-Control";
####################################################################################################
#### Nginx.conf: SSL Settings (Self-Signed OpenSSL + CA-Signed Lets Encrypt) #######################
####################################################################################################
## default OpenSSL certs below will be replaced if Certbot is enabled in your ss-config ##
## SSL session tickets (and IDs) are deprecated in TLS 1.3, keep timeouts > 1 day ##
## /etc/nginx/conf.d/openssl.conf included if OpenSSL enabled
## /etc/nginx/conf.d/letsencrypt.conf included if Lets Encrypt enabled
####################################################################################################
#### Nginx.conf: Include MIME File Types Settings ##################################################
####################################################################################################
include /etc/nginx/mime.types;
default_type application/octet-stream;
####################################################################################################
#### Nginx.conf: Logging Settings ##################################################################
####################################################################################################
## to improve scalability access_log is hardcode disabled to reduce CPU and disk usage ##
## error_log is hardcoded in conjunction with SlickStack error handling settings ##
access_log off;
error_log /var/www/logs/nginx.log crit;
log_not_found off;
####################################################################################################
#### Nginx.conf: Gzip Compression Settings #########################################################
####################################################################################################
## Gzip is powerful but is known to have diminishing returns when setup too aggressively ##
## keep in mind that CloudFlare will overwrite gzip_vary and Brotli compression ##
gzip on;
gzip_vary off; ## CloudFlare converts if browser requests it (rare)
gzip_proxied any;
gzip_comp_level 4;
gzip_min_length 1024;
gzip_buffers 4 32k; ## better than 8 16k
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
text/xml
text/javascript;
####################################################################################################
#### Nginx.conf: Rate-Limiting Settings ############################################################
####################################################################################################
## basic rate limiting helps protect the server from small DDOS or brute force attacks ##
## it is useful for common targets but an external WAF firewall is recommended ##
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=1r/s;
limit_req_zone $binary_remote_addr zone=adminer:10m rate=100r/s;
limit_req_zone $binary_remote_addr zone=phpmyadmin:10m rate=100r/s;
limit_req_status 444;
####################################################################################################
#### Nginx.conf: Indexing + Public Directory Settings ##############################################
####################################################################################################
## for security and stability reasons we disable autoindexing and default to PHP indexes ##
## because SlickStack supports only a single domain the web root is hardcoded ##
autoindex off;
index index.php;
# root /var/www/html;
####################################################################################################
#### Nginx.conf: Include Nginx Sub-Config Files + Server Blocks ####################################
####################################################################################################
## here we include the conditional sub-config files and server blocks for SlickStack ##
## these lines absolutely must appear at the very end of this nginx.conf file ##
## include sub-config ##
include /etc/nginx/conf.d/*.conf;
## include blocks ##
include /var/www/sites/*;
}
####################################################################################################
#### SlickStack: External References Used To Improve This Script (Thanks, Interwebz) ###############
####################################################################################################
## Future: attempt to invalidate cookies: tk_ai, tk_ni, tk_qs (Jetpack)
## Ref: https://librenepal.com/article/remove-specific-cookies-with-nginx/
## Ref: https://stackoverflow.com/questions/5285940/correct-way-to-delete-cookies-server-side
## Ref: http://nginx.org/en/docs/http/ngx_http_core_module.html
## Ref: https://gist.github.com/muhammadghazali/6c2b8c80d5528e3118613746e0041263
## Ref: http://bitsandpieces.it/nginx-by-examples-the-basics
## Ref: https://gist.github.com/denji/8359866
## Ref: https://serverfault.com/a/791055/144798
## Ref: https://gist.github.com/v0lkan/90fcb83c86918732b894#gistcomment-2832040
## Ref: https://www.programering.com/a/MDM2YTNwATk.html
## Ref: https://hstspreload.org
## Ref: https://easyengine.io/tutorials/nginx/optimization
## Ref: https://www.nginx.com/blog/tuning-nginx/
## Ref: https://www.freshblurbs.com/blog/2015/11/28/high-load-nginx-config.html
## Ref: https://www.slashroot.in/nginx-web-server-performance-tuning-how-to-do-it
## Ref: https://www.infoq.com/presentations/nvme-cache/
## Ref: https://serverfault.com/a/707963/144798
## Ref: https://www.scalescale.com/tips/nginx/nginx-configuration-example/
## Ref: https://haydenjames.io/nginx-tuning-tips-tls-ssl-https-ttfb-latency/
## Ref: http://nginx.org/en/docs/http/ngx_http_fastcgi_module.html
## Ref: https://www.scalescale.com/tips/nginx/configure-nginx-fastcgi-cache/
## Ref: https://gist.github.com/ikennaokpala/5792a71cfae6818035eedc8abd9ae7b4
## Ref: https://geekbacon.com/2018/12/26/fastest-wordpress-5-0-nginx-fastcgi-cache-php-7-3-mysql-8-0-and-redis/
## Ref: https://websiteforstudents.com/improve-wordpress-performance-with-nginx-fastcgi-and-php-7-2-fpm-on-ubuntu-16-04-18-04-lts/
## Ref: https://easyengine.io/tutorials/nginx/tweaking-fastcgi-buffers/
## Ref: https://kb.virtubox.net/knowledgebase/improve-nginx-cache-performance-with-tmpfs/
## Ref: https://stackoverflow.com/questions/19160737/nginx-fastcgi-cache-performance-disk-cached-vs-tmpfs-cached-vs-static-file
## Ref: https://easyengine.io/wordpress-nginx/tutorials/single-site/fastcgi-cache-with-purging/
## Ref: http://nginx.org/en/docs/http/ngx_http_ssl_module.html
## Ref: https://ssl-config.mozilla.org
## Ref: https://gist.github.com/cecilemuller/a26737699a7e70a7093d4dc115915de8
## Ref: https://tecadmin.net/enable-tls-with-nginx/
## Ref: https://medium.com/codavel-blog/measuring-tls-1-3-performance-ee301b1e8774
## Ref: https://github.com/mozilla/server-side-tls/issues/135
## Ref: https://scotthelme.co.uk/https-cheat-sheet/
## Ref: https://gist.github.com/plentz/6737338
## Ref: https://gist.github.com/konklone/6532544
## Ref: https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
## Ref: http://nginx.org/en/docs/http/ngx_http_core_module.html
## Ref: https://www.ruby-forum.com/t/why-set-keepalive-timeout-to-a-short-period-when-nginx-is-great-at-handling-them/244810/6
## Ref: https://community.letsencrypt.org/t/certificate-default-name-changes/57498/2
## Ref: https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-ubuntu-18-04/
## Ref: https://matthewlehner.net/lets-encrypt-with-nginx
## Ref: https://awhan.wordpress.com/2018/02/09/letsencrypt-fullchain-pem-is-cert-pem-chain-pem/
## Ref: https://community.letsencrypt.org/t/will-does-the-letsencrypt-client-create-a-cert-chain-usable-with-ocsp-stapling/2072
## Ref: https://nginx.org/en/docs/http/ngx_http_gzip_module.html
## Ref: https://www.maxcdn.com/blog/accept-encoding-its-vary-important/
## Ref: https://support.cloudflare.com/hc/en-us/articles/200168086-Does-CloudFlare-gzip-resources-
## Ref: https://security.stackexchange.com/questions/65625/current-state-of-breach-gzip-ssl-attack
## Ref: https://stackoverflow.com/a/37892065/1718491
## Ref: https://coderwall.com/p/b4nbtw/gzip-compression-performance
## Ref: https://royal.pingdom.com/can-gzip-compression-really-improve-web-performance/
## Ref: https://www.ruby-forum.com/t/why-set-keepalive-timeout-to-a-short-period-when-nginx-is-great-at-handling-them/244810/7
## Ref: https://developers.google.com/web/updates/2018/06/feature-policy
## Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy
## Ref: https://yoast.com/prevent-site-being-indexed/
## Ref: https://stackoverflow.com/questions/34077140/nginx-rule-to-add-x-robots-tag-header
## Ref: https://www.revsys.com/12days/nginx-tuning/
## Ref: https://medium.com/@mvuksano/how-to-properly-configure-your-nginx-for-tls-564651438fe0
## Ref: https://github.com/mozilla/server-side-tls/issues/260
## Ref: https://wiki.mozilla.org/Security/Server_Side_TLS
## Ref: https://gist.github.com/nrollr/9a39bb636a820fb97eec2ed85e473d38
## Ref: https://gist.github.com/janikvonrotz/9408793
## Ref: https://stackoverflow.com/questions/41475604/hsts-should-be-minimum-180-days-why
## Ref: https://github.com/ssllabs/ssllabs-scan/issues/651
## Ref: https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce
## Ref: https://community.letsencrypt.org/t/how-to-set-ssl-trusted-certificate-in-nginx-configuration-file/41898
## Ref: https://timtaubert.de/blog/2017/02/the-future-of-session-resumption/
## Ref: https://medium.com/@vanrijn/what-is-new-with-tls-1-3-e991df2caaac
## Ref: https://tls.mbed.org/discussions/generic/what-is-the-correct-way-to-use-session-tickets
## Ref: http://nginx.org/en/docs/http/configuring_https_servers.html#certificate_with_several_names
## Ref: https://github.com/certbot/certbot/blob/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
## Ref: https://github.com/mozilla/server-side-tls/issues/198
## Ref: https://www.freecodecamp.org/news/nginx-rate-limiting-in-a-nutshell-128fe9e0126c/
## Ref: https://serverfault.com/questions/630157/nginx-what-is-the-meaning-to-define-burst-if-there-is-the-nodelay-option
## Ref: https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/
## Ref: https://www.w3.org/TR/permissions-policy-1/
## Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Feature-Policy#Directives
## Ref: https://easyengine.io/tutorials/nginx/open-file-cache/
## Ref: https://blog.actorsfit.com/a?ID=01000-1f0b5137-4f05-41de-8164-e688304d89f0
## SS_EOF