From 4aed43b0cdc89ce6418d32793d6a9d33614d92b2 Mon Sep 17 00:00:00 2001
From: VirtuBox
Date: Mon, 5 Mar 2018 20:35:09 +0100
Subject: [PATCH] add intermediate configuration and cleanup code

---
 etc/nginx/conf.d/fastcgi.conf | 6 +
 etc/nginx/nginx-intermediate.conf | 240 ++++++++++++++--------------
 etc/nginx/nginx.conf | 251 ++++++++++++++++--------------
 3 files changed, 262 insertions(+), 235 deletions(-)

diff --git a/etc/nginx/conf.d/fastcgi.conf b/etc/nginx/conf.d/fastcgi.conf
index dff039a..3fda8f0 100644
--- a/etc/nginx/conf.d/fastcgi.conf
+++ b/etc/nginx/conf.d/fastcgi.conf
@@ -11,3 +11,9 @@ fastcgi_temp_file_write_size 512K;
 fastcgi_param SERVER_NAME $http_host;
 fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
 fastcgi_keep_conn on;
+
+#Others
+open_file_cache max=2000 inactive=20s;
+open_file_cache_valid 60s;
+open_file_cache_min_uses 5;
+open_file_cache_errors off;
\ No newline at end of file
diff --git a/etc/nginx/nginx-intermediate.conf b/etc/nginx/nginx-intermediate.conf
index 07eae25..012201b 100644
--- a/etc/nginx/nginx-intermediate.conf
+++ b/etc/nginx/nginx-intermediate.conf
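Review bot: The `open_file_cache` block appended to etc/nginx/conf.d/fastcgi.conf is an http-level descriptor cache that applies to every file nginx opens, not only FastCGI-backed requests, and the `#Others` comment does not say so; `# File descriptor/metadata cache: http-wide, affects static files too` would make the scope clear to whoever edits this file for FastCGI reasons. Because cached descriptors and metadata are kept for up to `open_file_cache_valid 60s`, a file that is deleted or whose permissions are tightened can, as far as I can tell, still be served from the cached descriptor until revalidation, so the 60s window deserves a one-line comment stating it is a deliberate choice. The file also now ends without a trailing newline (`\ No newline at end of file`); adding one keeps the next appended directive from fusing onto `open_file_cache_errors off;`.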
@@ -4,145 +4,153 @@ worker_cpu_affinity auto; worker_rlimit_nofile 100000; pid /run/nginx.pid; -events { - worker_connections 16384; - multi_accept on; - use epoll; +events +{ + worker_connections 16384; + multi_accept on; + use epoll; } -http { - ## - # EasyEngine Settings - ## +http +{ + ## + # EasyEngine Settings + ## - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 30; - types_hash_max_size 2048; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 30; + types_hash_max_size 2048; - server_tokens off; - reset_timedout_connection on; - add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox"; - add_header rt-Fastcgi-Cache $upstream_cache_status; + server_tokens off; + reset_timedout_connection on; + add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox"; + add_header rt-Fastcgi-Cache $upstream_cache_status; - # Limit Request - limit_req_status 403; - limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; - - #Simple DOS mitigation - ##Max c/s by ip - limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m; - limit_conn limit_per_ip 40; + # Limit Request + limit_req_status 403; + limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; - ##Max rq/s by ip - limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s; - limit_req zone=allips burst=400 nodelay; + #Simple DOS mitigation + ##Max c/s by ip + limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m; + limit_conn limit_per_ip 40; - # Proxy Settings - # set_real_ip_from proxy-server-ip; - # real_ip_header X-Forwarded-For; + ##Max rq/s by ip + limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s; + limit_req zone=allips burst=400 nodelay; - fastcgi_read_timeout 300; - client_max_body_size 100m; - - #See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/ - aio threads; - - ## - # GeoIP module configuration, before removing comments - # read the tutorial : 
https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840 - ## - #geoip_country /usr/share/GeoIP/GeoIP.dat; - #geoip_city /usr/share/GeoIP/GeoIPCity.dat; + # Proxy Settings + # set_real_ip_from proxy-server-ip; + # real_ip_header X-Forwarded-For; - ## - # SSL Settings - ## - # intermediate configuration. tweak to your needs. + fastcgi_read_timeout 300; + client_max_body_size 100m; + + #See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/ + aio threads; + + ## + # GeoIP module configuration, before removing comments + # read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840 + ## + #geoip_country /usr/share/GeoIP/GeoIP.dat; + #geoip_city /usr/share/GeoIP/GeoIPCity.dat; + + ## + # SSL Settings + ## + # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; - ssl_session_timeout 1d; - ssl_session_tickets off; + ssl_session_timeout 1d; + ssl_session_tickets off; ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1; - - ##Common headers for security - more_set_headers "X-Frame-Options : SAMEORIGIN"; - more_set_headers "X-Xss-Protection : 1; mode=block"; - 
more_set_headers "X-Content-Type-Options : nosniff"; - more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; - - ## - # Basic Settings - ## - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - include /etc/nginx/mime.types; - default_type application/octet-stream; + ##OCSP settings + ssl_stapling on; + ssl_stapling_verify on; + #ssl_trusted_certificate /etc/ssl/private/ocsp-certs.pem; # <- Add signing certs here + resolver 8.8.4.4 8.8.8.8 valid=300s; + resolver_timeout 5s; - ## - # Logging Settings - # access_log disabled for performance - ## + ##Common headers for security + more_set_headers "X-Frame-Options : SAMEORIGIN"; + more_set_headers "X-Xss-Protection : 1; mode=block"; + more_set_headers "X-Content-Type-Options : nosniff"; + more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; - access_log off; - error_log /var/log/nginx/error.log; + ## + # Basic Settings + ## + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; - # Log format Settings - log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] ' - '$http_host "$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; + include /etc/nginx/mime.types; + default_type application/octet-stream; - ## - # Gzip Settings - ## + ## + # Logging Settings + # access_log disabled for performance + ## - gzip on; - gzip_disable "msie6"; + access_log off; + error_log /var/log/nginx/error.log; - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types - application/atom+xml - application/javascript - application/json - application/rss+xml - application/vnd.ms-fontobject - application/x-font-ttf - application/x-web-app-manifest+json - application/xhtml+xml - application/xml - font/opentype - image/svg+xml - image/x-icon - text/css - text/plain - text/x-component - text/xml - text/javascript; - - ## - # Brotli Settings - ## + # Log format 
Settings + log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] ' + '$http_host "$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; - brotli on; - brotli_static on; - brotli_buffers 16 8k; - brotli_comp_level 6; - brotli_types *; + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types + application/atom+xml + application/javascript + application/json + application/rss+xml + application/vnd.ms-fontobject + application/x-font-ttf + application/x-web-app-manifest+json + application/xhtml+xml + application/xml + font/opentype + image/svg+xml + image/x-icon + text/css + text/plain + text/x-component + text/xml + text/javascript; + + ## + # Brotli Settings + ## + + brotli on; + brotli_static on; + brotli_buffers 16 8k; + brotli_comp_level 6; + brotli_types *; - ## - # Virtual Host Configs - ## - - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; + ## + # Virtual Host Configs + ## + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; } diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf index 39a7db2..bbcbeb7 100644 --- a/etc/nginx/nginx.conf +++ b/etc/nginx/nginx.conf 
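Review bot: `ssl_stapling_verify on` is enabled in the new `##OCSP settings` block while the `ssl_trusted_certificate` line directly beneath it is commented out; per the nginx documentation, verification needs the issuer and root certificates configured as trusted, so as written nginx may fail to verify the OCSP response, log a warning and serve no staple at all. Either ship the chain file the comment already names (`ssl_trusted_certificate /etc/ssl/private/ocsp-certs.pem;`) or set `ssl_stapling_verify off;` until it exists. The `resolver 8.8.4.4 8.8.8.8 valid=300s;` line sends plaintext DNS to a third party for every OCSP fetch; a local resolver is the usual choice, though since OCSP responses are signed the exposure is limited to failed stapling rather than forged status. The identical block is added to etc/nginx/nginx.conf in the next hunk and has the same issue.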
@@ -4,140 +4,153 @@ worker_cpu_affinity auto; worker_rlimit_nofile 100000; pid /run/nginx.pid; -events { - worker_connections 16384; - multi_accept on; - use epoll; +events +{ + worker_connections 16384; + multi_accept on; + use epoll; } -http { - ## - # EasyEngine Settings - ## +http +{ + ## + # EasyEngine Settings + ## - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 30; - types_hash_max_size 2048; + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 30; + types_hash_max_size 2048; - server_tokens off; - reset_timedout_connection on; - add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox"; - add_header rt-Fastcgi-Cache $upstream_cache_status; + server_tokens off; + reset_timedout_connection on; + add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox"; + add_header rt-Fastcgi-Cache $upstream_cache_status; - # Limit Request - limit_req_status 403; - limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; - - #Simple DOS mitigation - ##Max c/s by ip - limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m; - limit_conn limit_per_ip 40; + # Limit Request + limit_req_status 403; + limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; - ##Max rq/s by ip - limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s; - limit_req zone=allips burst=400 nodelay; + #Simple DOS mitigation + ##Max c/s by ip + limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m; + limit_conn limit_per_ip 40; - # Proxy Settings - # set_real_ip_from proxy-server-ip; - # real_ip_header X-Forwarded-For; + ##Max rq/s by ip + limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s; + limit_req zone=allips burst=400 nodelay; - fastcgi_read_timeout 300; - client_max_body_size 100m; - - #See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/ - aio threads; - - ## - # GeoIP module configuration, before removing comments - # read the tutorial : 
https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840 - ## - #geoip_country /usr/share/GeoIP/GeoIP.dat; - #geoip_city /usr/share/GeoIP/GeoIPCity.dat; + # Proxy Settings + # set_real_ip_from proxy-server-ip; + # real_ip_header X-Forwarded-For; - ## - # SSL Settings - ## + fastcgi_read_timeout 120s; + client_max_body_size 100m; - ssl_protocols TLSv1.2 TLSv1.3; - ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM'; - ssl_prefer_server_ciphers on; - ssl_session_cache shared:SSL:20m; - ssl_session_timeout 15m; - ssl_session_tickets off; - ssl_ecdh_curve X25519:P-256:P-384:P-521; - - ## - # Basic Settings - ## - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; + #See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/ + aio threads; - include /etc/nginx/mime.types; - default_type application/octet-stream; + ## + # GeoIP module configuration, before removing comments + # read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840 + ## + #geoip_country /usr/share/GeoIP/GeoIP.dat; + #geoip_city /usr/share/GeoIP/GeoIPCity.dat; - ## - # Logging Settings - # access_log disabled for performance - ## + ## + # SSL Settings + ## + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM'; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:20m; + ssl_session_timeout 15m; + ssl_session_tickets off; + ssl_ecdh_curve X25519:P-256:P-384:P-521; - access_log off; - error_log /var/log/nginx/error.log; - - # Log format Settings - log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] ' - '$http_host "$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; - - ## - # Gzip Settings - ## - - gzip on; - gzip_disable "msie6"; - - gzip_vary on; - gzip_proxied any; - gzip_comp_level 6; - 
gzip_buffers 16 8k; - gzip_http_version 1.1; - gzip_types - application/atom+xml - application/javascript - application/json - application/rss+xml - application/vnd.ms-fontobject - application/x-font-ttf - application/x-web-app-manifest+json - application/xhtml+xml - application/xml - font/opentype - image/svg+xml - image/x-icon - text/css - text/plain - text/x-component - text/xml - text/javascript; - - ## - # Brotli Settings - ## - - brotli on; - brotli_static on; - brotli_buffers 16 8k; - brotli_comp_level 6; - brotli_types *; + ##OCSP settings + ssl_stapling on; + ssl_stapling_verify on; + #ssl_trusted_certificate /etc/ssl/private/ocsp-certs.pem; # <- Add signing certs here + resolver 8.8.4.4 8.8.8.8 valid=300s; + resolver_timeout 5s; - ## - # Virtual Host Configs - ## + ##Common headers for security + more_set_headers "X-Frame-Options : SAMEORIGIN"; + more_set_headers "X-Xss-Protection : 1; mode=block"; + more_set_headers "X-Content-Type-Options : nosniff"; + more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; + ## + # Basic Settings + ## + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; - include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # Logging Settings + # access_log disabled for performance + ## + + access_log off; + error_log /var/log/nginx/error.log; + + # Log format Settings + log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] ' + '$http_host "$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + gzip_vary on; + gzip_proxied any; + gzip_comp_level 6; + gzip_buffers 16 8k; + gzip_http_version 1.1; + gzip_types + application/atom+xml + application/javascript + application/json + application/rss+xml + application/vnd.ms-fontobject + application/x-font-ttf + 
application/x-web-app-manifest+json + application/xhtml+xml + application/xml + font/opentype + image/svg+xml + image/x-icon + text/css + text/plain + text/x-component + text/xml + text/javascript; + + ## + # Brotli Settings + ## + + brotli on; + brotli_static on; + brotli_buffers 16 8k; + brotli_comp_level 6; + brotli_types *; + + + ## + # Virtual Host Configs + ## + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; } @@ -160,4 +173,4 @@ http { # protocol imap; # proxy on; # } -#} +#} \ No newline at end of file
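Review bot: The four `more_set_headers` lines are new to etc/nginx/nginx.conf (nginx-intermediate.conf already carried them) and depend on the third-party headers-more module; if the nginx binary on the target was built without it, the whole config fails to load with an unknown-directive error, so the dependency deserves a comment such as `# requires ngx_http_headers_more_filter_module (headers-more); remove or use add_header if the module is absent`. The two files also now disagree on `fastcgi_read_timeout` (`120s` here, `300` in nginx-intermediate.conf); if that is intentional, a short comment saying why would save the next reader a diff. Not introduced by this commit, but kept on the new side: `add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox";` announces a software version while `server_tokens off` hides nginx's, which is worth reconciling in a follow-up.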