-
Notifications
You must be signed in to change notification settings - Fork 1
/
nginx.conf
173 lines (133 loc) · 8.27 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
#=============================
# Optimized NGINX main config
#=============================
#
# Maing config for NGINX with optimizations.
#
#Copyright (c) 2013 Nikita Solovyev
#All rights reserved.
#
#Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
#
#1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
#
#2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer
#in the documentation and/or other materials provided with the distribution.
#
#3. Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived
#from this software without specific prior written permission.
#
#THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
#BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
#THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
#(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
#HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
#ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
# For more information on configuration, see:
# * Official English Documentation: http://nginx.org/en/docs/
# * Official Russian Documentation: http://nginx.org/ru/docs/
#User with with whose permissions the server will run, sometimes 'www-data'
user nginx;
#Where to place the pid file
pid /var/run/nginx.pid;
#Where to write main nginx log
error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;
#Worker processes, recommended to be equal to available CPU cores number
worker_processes 1;
#Number of connections per worker processes
#worker_connections X worker_processes = number of simultaneous clients served
events {
worker_connections 1024;
}
#Common server settings
http {
#Include standard NGINX distributed mapping of file extensions to MIME types for responses
include /etc/nginx/mime.types;
#Set defaul type to the value corresponding to binary data for safe processing of any unknown data type
default_type application/octet-stream;
#Specify custom log format, sometimes required to emulate Apache log format to allow log parsing of side tools
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#Where to write requests log and apply custom log format
access_log /var/log/nginx/access.log main;
#Enable the use of sendfile() kernel function, which optimizes memory access
sendfile on;
#Enables non-blocking disk access (Asynchronous file I/O)
aio on;
#Enables direct access for files larger then specified size
#On Linux this directive is required in order for AIO to be used
#for files with size below this setting 'sendfile' is used, above - 'aio' is used
directio 2m;
#Prevents sending too small packets, which optimizes network usage, works only with sendfile enabled
tcp_nopush on;
#Prevents waiting for packet size to reach certain size before sending for connection in keepalive state, instead send whenever ther's any data available
tcp_nodelay on;
#'tcp_nodelay' and 'tcp_nopush' work together in a smart way allowing for maximum performance depending on packet size
#Time to wait for data from the client before closing the connection, improves performance in case of stale connections and lowers the chances of DoS
client_body_timeout 10;
client_header_timeout 10;
#Time to wait for receiving confirmation from the client between subqequent response writes, if no response received for this time connection is closed
#improves performance in case of stale connections and lowers the chances of DoS
send_timeout 10;
#Time to keep inactive connection alive, allows to save time on recreating connection for every request, increasing performance
#first value for server, second value for clien (set via response header)
keepalive_timeout 20 15;
#Disables displaying NGINX version number in certain cases, a small "secutiry through obscurity" measure
server_tokens off;
#Disable listing directory contents on requests ending with '/' by default, affects security
#if needed could be enabled in location block
autoindex off;
#Enable file descriptor caching
#max - maximum number of records, inactive - time after last access to wait before removing the record
open_file_cache max=5000 inactive=20s;
#Time between cache record validation
open_file_cache_valid 30s;
#Minimum number of accesses to file during 'inactive' time countdown required to not to remove the record form the cache
open_file_cache_min_uses 2;
#Enables caching of file access errors
open_file_cache_errors on;
#Enable gzip compression to lessen the amount of data for transfer
gzip on;
#Enable adding "Vary: Accept-Encoding" header to responses, so that any caching done will consider the fact the response is compressed
#if not done, this may affect clients that don't support compression
gzip_vary on;
#Minimum response data length to apply compression, smaller responses won't be compressed
gzip_min_length 1024;
#Minimum required request http version to enable compression
#older client might not support compression, so by default it's enabled for HTTP 1.1 and newer
gzip_http_version 1.0;
#MIME types to apply compression, by default only text/html is compressed
gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript text/x-js application/javascript application/json;
#Compression level 1(default) to 9, the higher the compression the less data to transfer, but more CPU load to calculate compressed data
gzip_comp_level 6;
#Regex to match User-Agent header against, if match successful then compression is not applied to response for this request
#important for older client, which don't support compression
gzip_disable "MSIE [1-6].(?!.*SV1)";
#Response compression allows to transfer less data and therefore do it faster, but at the cost of more calculations - higher CPU load and longer calculation time
#so to achieve the best effect 'gzip_min_length' and 'gzip_comp_level' have to be set so that the overhead introduced is worth the win in data size
#A hack to make PHP scripts work correctly with HTTPS
#maps $scheme variable to $fastcgi_https variable in a way that by default (for http) the latter equals 'off', but if https is in request, the latter equals 'on'
map $scheme $fastcgi_https {
default off;
https on;
}
#Enable caching for SSL session parameters
#use 'shared' cache, that is accessible by all workers
#name it 'SSL' to refer to it in virtual hosts configurations
#size 10 Megabytes, acording to documentation 1M roughtly stores 4000 sessions
ssl_session_cache shared:SSL:10M;
#Session cache timeout - time to keep parameters in cache for reuse
ssl_session_timeout 10m;
#Other SSL settings are made per virtual host
#Create connection limiting zone to limit the number of active connections from single IP address, this allows to lessen the chances of DoS
#create limiting zone based on client IP addresses in binary form
#name it 'limitzone' to refer to it in virtual hosts configurations
#size 1M, one key (IP address) record with the data occupies 32 bytes for 32-bit systems and 64 bytes for 64-bit systems, when the available zone memory is fully used, any new connections will be dropped
limit_conn_zone $binary_remote_addr zone=limitzone:1M;
# Load config files from the /etc/nginx/conf.d directory
# The default server config is in conf.d/default.conf
include /etc/nginx/conf.d/*.conf;
}