forked from crossvale-inc/sokannonser-api
-
Notifications
You must be signed in to change notification settings - Fork 0
/
nginx.conf
170 lines (150 loc) · 9.02 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
daemon off;
pid /var/run/nginx/nginx.pid;
# Sets the worker threads to the number of CPU cores available in the system for best performance.
# Should be > the number of CPU cores.
# Maximum number of connections = worker_processes * worker_connections
# Default: 1
worker_processes auto;
# Maximum number of open files per worker process.
# Should be > worker_connections.
# Default: no limit
worker_rlimit_nofile 1100;
events {
# If you need more connections than this, you start optimizing your OS.
# That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
# Should be < worker_rlimit_nofile.
# Default: 512
worker_connections 512;
# optmized to serve many clients with each thread, essential for linux -- for testing environment!
use epoll;
#worker process accepts one new connection at a time (the default). If on, a worker process accepts all new connections at once
multi_accept on;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format upstream_time '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
'rt=$request_time uct="$upstream_connect_time" uht="$upstream_header_time" urt="$upstream_response_time"';
access_log /var/log/nginx/access.log upstream_time;
error_log /var/log/nginx/error.log warn ;
sendfile on;
sendfile_max_chunk 1m;
#Use the tcp_nopush directive together with the sendfile on; directive.
#This enables NGINX to send HTTP response headers in one packet right after the chunk of data has been obtained by sendfile()
tcp_nopush on;
tcp_nodelay on;
charset utf-8;
# How long to allow each connection to stay idle.
# Longer values are better for each individual client, particularly for SSL,
# but means that worker connections are tied up longer.
# The first parameter assigns the timeout for keep-alive connections with the client. The server will close connections after
# this time. The optional second parameter assigns the time value in the header Keep-Alive: timeout=time of the response
# Default: 75s
keepalive_timeout 75;
# number of requests client can make over keep-alive
# Default: 100
keepalive_requests 100;
port_in_redirect off;
# don't send the nginx version number in error pages and Server header
server_tokens off;
# allow the server to close connection on non responding client, this will free up memory
# reset_timedout_connection on;
# request timed out -- default 60
client_body_timeout 120;
client_header_timeout 120;
# Directive assigns response timeout to client. Timeout is established not on entire transfer of answer, but only between two
# operations of reading, if after this time client will take nothing, then nginx is shutting down the connection.
send_timeout 120;
# Sets the maximum allowed size of the client request body, specified in the “Content-Length” request header field.
# If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client
# Default: 1m;
client_max_body_size 1m;
# if the request body size is more than the buffer size, then the entire (or partial)
# request body is written into a temporary file. Default 8k(32)/16k(64) (=two memory pages)
client_body_buffer_size 16k;
# headerbuffer size for the request header from client. Default 1k
client_header_buffer_size 1k;
# Sets the maximum number and size of buffers used for reading large client request header.
# A request line cannot exceed the size of one buffer, or the 414 (Request-URI Too Large) error is returned to the client.
# Default: large_client_header_buffers 4 8k;
large_client_header_buffers 4 8k;
ignore_invalid_headers on;
server {
listen 8081;
# tokens for loader.io
location ^~ /loaderio- {
root /app/loaderio_tokens;
}
# Directive describes the zone, in which the session states are stored i.e. store in slimits.
# 1m can handle 32000 sessions with 32 bytes/session, set to 5m x 32000 session
# limit_zone slimits $binary_remote_addr 5m;
# Control maximum number of simultaneous connections for one session i.e. restricts the amount of connections from a single ip
# limit_conn slimits 5;
location / {
include /etc/nginx/uwsgi_params;
uwsgi_pass unix:/tmp/uwsgi.sock;
uwsgi_buffers 256 16k;
# uwsgi_request_buffering off;
uwsgi_ssl_verify on;
# Prevent 504 Gateway Time-out
uwsgi_read_timeout 120s;
uwsgi_send_timeout 120s;
uwsgi_connect_timeout 120s;
uwsgi_socket_keepalive on;
if ($request_method = 'OPTIONS') {
# add_header 'Content-Length' 0;
add_header 'Access-Control-Allow-Headers' 'api-key';
add_header 'Access-Control-Allow-Methods' 'GET, HEAD, OPTIONS';
# Tell client that this pre-flight info is valid for 20 days
add_header 'Access-Control-Max-Age' 1728000;
add_header 'Access-Control-Allow-Origin' '*';
return 204;
}
# Deny certain User-Agents (case insensitive). ~* makes it case insensitive as opposed to just a ~
if ($http_user_agent ~* (msnbot|Purebot|Baiduspider|Lipperhey|scrapbot) ) {
return 403;
}
} # end of "location /"
# add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET,HEAD,OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'api-key, Content-Type, Accept, Cache-control' always;
add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
add_header X-Frame-Options DENY always;
# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-Content-Type-Options nosniff always;
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block" always;
# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
set $CSP ""; # to split long string.
set $CSP "${CSP}default-src 'self'; script-src 'self' 'unsafe-inline'; ";
set $CSP "${CSP}style-src 'self'; img-src 'self' blob: data:; connect-src 'self'; form-action 'none'; ";
set $CSP "${CSP}font-src 'self'; frame-src 'none'; object-src 'none'; frame-ancestors 'none';";
add_header Content-Security-Policy $CSP always;
set $FP ""; # to split long string
set $FP "${FP}geolocation 'none'; midi 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; usb 'none';";
set $FP "${FP}magnetometer 'none'; gyroscope 'none'; speaker 'none'; fullscreen 'none'; payment 'none';";
add_header Feature-Policy $FP always;
add_header Referrer-Policy "no-referrer" always;
# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
# to avoid ssl stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping also https://hstspreload.org/
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains;";
} # end of "server"
} # end of "http"