Permalink
Switch branches/tags
Nothing to show
Find file
Fetching contributors…
Cannot retrieve contributors at this time
223 lines (175 sloc) 8.29 KB
# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
user www-data;
## If you're using an Nginx version below 1.3.8 or 1.2. then uncomment
## the line below and set it to the number of cores of the
## server. Otherwise nginx will determine it automatically.
#worker_processes 4;
error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;
worker_rlimit_nofile 8192;
events {
worker_connections 4096;
## Accept as many connections as possible.
multi_accept on;
}
http {
## MIME types.
include /etc/nginx/mime.types;
default_type application/octet-stream;
## Default log and error files.
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
## Use sendfile() syscall to speed up I/O operations and speed up
## static file serving.
sendfile on;
## Handling of IPs in proxied and load balancing situations.
set_real_ip_from 0.0.0.0/32; # all addresses get a real IP.
real_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer/proxy
## Define a zone for limiting the number of simultaneous
## connections nginx accepts. 1m means 32000 simultaneous
## sessions. We need to define for each server the limit_conn
## value refering to this or other zones.
limit_conn_zone $binary_remote_addr zone=arbeit:10m;
## Define a zone for limiting the number of simultaneous
## connections nginx accepts. 1m means 32000 simultaneous
## sessions. We need to define for each server the limit_conn
## value refering to this or other zones.
## ** Use this directive for nginx versions below 1.1.8. Uncomment the line below.
#limit_zone arbeit $binary_remote_addr 10m;
## Timeouts.
client_body_timeout 60;
client_header_timeout 60;
keepalive_timeout 10 10;
send_timeout 60;
## Reset lingering timed out connections. Deflect DDoS.
reset_timedout_connection on;
## Body size.
client_max_body_size 10m;
## TCP options.
tcp_nodelay on;
## Optimization of socket handling when using sendfile.
tcp_nopush on;
## Compression.
gzip on;
gzip_buffers 16 8k;
gzip_comp_level 1;
gzip_http_version 1.1;
gzip_min_length 10;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf;
gzip_vary on;
gzip_proxied any; # Compression for all requests.
## No need for regexps. See
## http://wiki.nginx.org/NginxHttpGzipModule#gzip_disable
gzip_disable msie6;
## Serve already compressed files directly, bypassing on-the-fly
## compression.
##
# Usually you don't make much use of this. It's better to just
# enable gzip_static on the locations you need it.
# gzip_static on;
## Hide the Nginx version number.
server_tokens off;
## Use a SSL/TLS cache for SSL session resume. This needs to be
## here (in this context, for session resumption to work. See this
## thread on the Nginx mailing list:
## http://nginx.org/pipermail/nginx/2010-November/023736.html.
ssl_session_cache shared:SSL:30m;
ssl_session_timeout 1d;
## The server dictates the choice of cipher suites.
ssl_prefer_server_ciphers on;
## Use only Perfect Forward Secrecy Ciphers. Fallback on non ECDH
## for crufty clients.
ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+SHA384:ECDH+aRSA+SHA256:ECDH:EDH+CAMELLIA:EDH+aRSA:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA;
## Enable TLS only. No SSL support.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
## Pregenerated Diffie-Hellman parameters.
ssl_dhparam /etc/nginx/dh_param.pem;
## Curve to use for ECDH.
ssl_ecdh_curve secp521r1;
## Enable OCSP stapling. A better way to revocate server certificates.
ssl_stapling on;
## Enable verification of OCSP stapling responses by the server.
ssl_stapling_verify on;
## Fill in with your own resolver.
resolver 8.8.8.8;
## Use fast header compression for SPDY in nginx versions 1.3.15-1.8.
#spdy_headers_comp 1;
## Uncomment to increase map_hash_bucket_size. If start getting
## [emerg]: could not build the map_hash, you should increase
## map_hash_bucket_size: 64 in your
## logs. Cf. http://wiki.nginx.org/NginxOptimizations.
#map_hash_bucket_size 192;
## For the filefield_nginx_progress module to work. From the
## README. Reserve 1MB under the name 'uploads' to track uploads.
upload_progress uploads 1m;
## Enable the builtin cross-site scripting (XSS) filter available
## in modern browsers. Usually enabled by default we just
## reinstate in case it has been somehow disabled for this
## particular server instance.
## https://www.owasp.org/index.php/List_of_useful_HTTP_headers.
add_header X-XSS-Protection '1; mode=block';
## Enable clickjacking protection in modern browsers. Available in
## IE8 also. See
## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
## Uncomment the line below if you're not using media streaming.
## For sites being framing on the same domqin uncomment the line below.
#add_header X-Frame-Options SAMEORIGIN;
## For sites accepting to be framed in any context comment the
## line below.
add_header X-Frame-Options DENY;
## Block MIME type sniffing on IE.
add_header X-Content-Options nosniff;
## Increase variables hash table
## See http://nginx.org/en/docs/hash.html
variables_hash_max_size 1024;
## FastCGI.
include /etc/nginx/fastcgi.conf;
## Include the upstream servers for PHP FastCGI handling config.
## This one uses the FCGI process listening on TCP sockets.
include upstream_phpcgi_tcp.conf;
## Include the map to block HTTP methods.
include map_block_http_methods.conf;
## Include the upstream servers for PHP FastCGI handling
## configuration. This setup uses UNIX sockets for talking with the
## upstream.
#include upstream_phpcgi_unix.conf;
## If using Nginx version >= 1.1.11 then there's a $https variable
## that has the value 'on' if the used scheme is https and '' if not.
## See: http://trac.nginx.org/nginx/changeset/4380/nginx
## http://trac.nginx.org/nginx/changeset/4333/nginx and
## http://trac.nginx.org/nginx/changeset/4334/nginx. If using a
## previous version then uncomment out the line below.
#include map_https_fcgi.conf;
## Include this line, if used in a loadbalanced environment
## and comment the line which includes map_https_fcgi.conf.
## If the loadbalancer always sends the request in http protocol,
## and adds the server variable $http_x_forwarded_proto
#include map_https_forwarded_proto.conf;
## Include the upstream servers for Apache handling the PHP
## processes. In this case Nginx functions as a reverse proxy.
#include reverse_proxy.conf;
#include upstream_phpapache.conf;
## Include the php-fpm status allowed hosts configuration block.
## Uncomment to enable if you're running php-fpm.
#include php_fpm_status_allowed_hosts.conf;
## Include the Nginx stub status allowed hosts configuration block.
include nginx_status_allowed_hosts.conf;
## If you want to run cron using Drupal cron.php. i.e., you're not
## using drush then uncomment the line below. Specify in
## cron_allowed_hosts.conf which hosts can invole cron.
# include apps/drupal/cron_allowed_hosts.conf;
## Include blacklist for bad bot and referer blocking.
include blacklist.conf;
## Include the map directive that sets the $no_slash_uri variable for drupal 6.
include apps/drupal/map_drupal6.conf;
## Include the caching setup. Needed for using Drupal with an external cache.
include apps/drupal/map_cache.conf;
## Microcache zone definition for FastCGI.
include fastcgi_microcache_zone.conf;
## If you're using Apache for handling PHP then comment the line
## above and uncomment the line below.
#include proxy_microcache_zone.conf
## Include all vhosts.
include /etc/nginx/sites-enabled/*;
}