add intermediate configuration and cleanup code

This commit is contained in:
VirtuBox 2018-03-05 20:35:09 +01:00
parent 486f5f88cb
commit 4aed43b0cd
3 changed files with 262 additions and 235 deletions

View File

@ -11,3 +11,9 @@ fastcgi_temp_file_write_size 512K;
fastcgi_param SERVER_NAME $http_host; fastcgi_param SERVER_NAME $http_host;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie; fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_keep_conn on; fastcgi_keep_conn on;
#Others
open_file_cache max=2000 inactive=20s;
open_file_cache_valid 60s;
open_file_cache_min_uses 5;
open_file_cache_errors off;

View File

@ -4,145 +4,153 @@ worker_cpu_affinity auto;
worker_rlimit_nofile 100000; worker_rlimit_nofile 100000;
pid /run/nginx.pid; pid /run/nginx.pid;
events { events
worker_connections 16384; {
multi_accept on; worker_connections 16384;
use epoll; multi_accept on;
use epoll;
} }
http { http
## {
# EasyEngine Settings ##
## # EasyEngine Settings
##
sendfile on; sendfile on;
tcp_nopush on; tcp_nopush on;
tcp_nodelay on; tcp_nodelay on;
keepalive_timeout 30; keepalive_timeout 30;
types_hash_max_size 2048; types_hash_max_size 2048;
server_tokens off; server_tokens off;
reset_timedout_connection on; reset_timedout_connection on;
add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox"; add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status; add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request # Limit Request
limit_req_status 403; limit_req_status 403;
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
#Simple DOS mitigation
##Max c/s by ip
limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
limit_conn limit_per_ip 40;
##Max rq/s by ip #Simple DOS mitigation
limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s; ##Max c/s by ip
limit_req zone=allips burst=400 nodelay; limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
limit_conn limit_per_ip 40;
# Proxy Settings ##Max rq/s by ip
# set_real_ip_from proxy-server-ip; limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
# real_ip_header X-Forwarded-For; limit_req zone=allips burst=400 nodelay;
fastcgi_read_timeout 300; # Proxy Settings
client_max_body_size 100m; # set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
## fastcgi_read_timeout 300;
# SSL Settings client_max_body_size 100m;
##
# intermediate configuration. tweak to your needs. #See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
##
# SSL Settings
##
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m; ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_tickets off; ssl_session_tickets off;
ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1; ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
##Common headers for security
more_set_headers "X-Frame-Options : SAMEORIGIN";
more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types; ##OCSP settings
default_type application/octet-stream; ssl_stapling on;
ssl_stapling_verify on;
#ssl_trusted_certificate /etc/ssl/private/ocsp-certs.pem; # <- Add signing certs here
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 5s;
## ##Common headers for security
# Logging Settings more_set_headers "X-Frame-Options : SAMEORIGIN";
# access_log disabled for performance more_set_headers "X-Xss-Protection : 1; mode=block";
## more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
access_log off; ##
error_log /var/log/nginx/error.log; # Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
# Log format Settings include /etc/nginx/mime.types;
log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] ' default_type application/octet-stream;
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
## ##
# Gzip Settings # Logging Settings
## # access_log disabled for performance
##
gzip on; access_log off;
gzip_disable "msie6"; error_log /var/log/nginx/error.log;
gzip_vary on; # Log format Settings
gzip_proxied any; log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] '
gzip_comp_level 6; '$http_host "$request" $status $body_bytes_sent '
gzip_buffers 16 8k; '"$http_referer" "$http_user_agent"';
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
text/xml
text/javascript;
##
# Brotli Settings
##
brotli on; ##
brotli_static on; # Gzip Settings
brotli_buffers 16 8k; ##
brotli_comp_level 6;
brotli_types *; gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
text/xml
text/javascript;
##
# Brotli Settings
##
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types *;
## ##
# Virtual Host Configs # Virtual Host Configs
## ##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*;
include /etc/nginx/sites-enabled/*;
} }

View File

@ -4,140 +4,153 @@ worker_cpu_affinity auto;
worker_rlimit_nofile 100000; worker_rlimit_nofile 100000;
pid /run/nginx.pid; pid /run/nginx.pid;
events { events
worker_connections 16384; {
multi_accept on; worker_connections 16384;
use epoll; multi_accept on;
use epoll;
} }
http { http
## {
# EasyEngine Settings ##
## # EasyEngine Settings
##
sendfile on; sendfile on;
tcp_nopush on; tcp_nopush on;
tcp_nodelay on; tcp_nodelay on;
keepalive_timeout 30; keepalive_timeout 30;
types_hash_max_size 2048; types_hash_max_size 2048;
server_tokens off; server_tokens off;
reset_timedout_connection on; reset_timedout_connection on;
add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox"; add_header X-Powered-By "EasyEngine v3.7.5 - Optimized by VirtuBox";
add_header rt-Fastcgi-Cache $upstream_cache_status; add_header rt-Fastcgi-Cache $upstream_cache_status;
# Limit Request # Limit Request
limit_req_status 403; limit_req_status 403;
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
#Simple DOS mitigation
##Max c/s by ip
limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
limit_conn limit_per_ip 40;
##Max rq/s by ip #Simple DOS mitigation
limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s; ##Max c/s by ip
limit_req zone=allips burst=400 nodelay; limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
limit_conn limit_per_ip 40;
# Proxy Settings ##Max rq/s by ip
# set_real_ip_from proxy-server-ip; limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s;
# real_ip_header X-Forwarded-For; limit_req zone=allips burst=400 nodelay;
fastcgi_read_timeout 300; # Proxy Settings
client_max_body_size 100m; # set_real_ip_from proxy-server-ip;
# real_ip_header X-Forwarded-For;
#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
aio threads;
##
# GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
## fastcgi_read_timeout 120s;
# SSL Settings client_max_body_size 100m;
##
ssl_protocols TLSv1.2 TLSv1.3; #See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM'; aio threads;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 15m;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-256:P-384:P-521;
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/mime.types; ##
default_type application/octet-stream; # GeoIP module configuration, before removing comments
# read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840
##
#geoip_country /usr/share/GeoIP/GeoIP.dat;
#geoip_city /usr/share/GeoIP/GeoIPCity.dat;
## ##
# Logging Settings # SSL Settings
# access_log disabled for performance ##
## ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:EECDH+CHACHA20:EECDH+AESGCM';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 15m;
ssl_session_tickets off;
ssl_ecdh_curve X25519:P-256:P-384:P-521;
access_log off; ##OCSP settings
error_log /var/log/nginx/error.log; ssl_stapling on;
ssl_stapling_verify on;
# Log format Settings #ssl_trusted_certificate /etc/ssl/private/ocsp-certs.pem; # <- Add signing certs here
log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] ' resolver 8.8.4.4 8.8.8.8 valid=300s;
'$http_host "$request" $status $body_bytes_sent ' resolver_timeout 5s;
'"$http_referer" "$http_user_agent"';
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
text/xml
text/javascript;
##
# Brotli Settings
##
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types *;
## ##Common headers for security
# Virtual Host Configs more_set_headers "X-Frame-Options : SAMEORIGIN";
## more_set_headers "X-Xss-Protection : 1; mode=block";
more_set_headers "X-Content-Type-Options : nosniff";
more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
##
# Basic Settings
##
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
include /etc/nginx/conf.d/*.conf; include /etc/nginx/mime.types;
include /etc/nginx/sites-enabled/*; default_type application/octet-stream;
##
# Logging Settings
# access_log disabled for performance
##
access_log off;
error_log /var/log/nginx/error.log;
# Log format Settings
log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] '
'$http_host "$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
##
# Gzip Settings
##
gzip on;
gzip_disable "msie6";
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
text/css
text/plain
text/x-component
text/xml
text/javascript;
##
# Brotli Settings
##
brotli on;
brotli_static on;
brotli_buffers 16 8k;
brotli_comp_level 6;
brotli_types *;
##
# Virtual Host Configs
##
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
} }
@ -160,4 +173,4 @@ http {
# protocol imap; # protocol imap;
# proxy on; # proxy on;
# } # }
#} #}