Skip to content
This repository
branch: master
Fetching contributors…

Cannot retrieve contributors at this time

file 221 lines (176 sloc) 8.568 kb
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221
# -*- mode: nginx; mode: flyspell-prog; ispell-local-dictionary: "american" -*-
user www-data;

## If you're using an Nginx version below 1.3.8 or 1.2. then uncomment
## the line below and set it to the number of cores of the
## server. Otherwise nginx will determine it automatically.
#worker_processes 4;

error_log /var/log/nginx/error.log;
pid /var/run/nginx.pid;

worker_rlimit_nofile 8192;

events {
    worker_connections 4096;
    ## Accept as many connections as possible.
    multi_accept on;
}

http {
    ## MIME types.
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ## FastCGI.
    include /etc/nginx/fastcgi.conf;

    ## Default log and error files.
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ## Use sendfile() syscall to speed up I/O operations and speed up
    ## static file serving.
    sendfile on;
    ## Handling of IPs in proxied and load balancing situations.
    set_real_ip_from 0.0.0.0/32; # all addresses get a real IP.
    real_ip_header X-Forwarded-For; # the ip is forwarded from the load balancer/proxy

    ## Define a zone for limiting the number of simultaneous
    ## connections nginx accepts. 1m means 32000 simultaneous
    ## sessions. We need to define for each server the limit_conn
    ## value refering to this or other zones.
    ## ** This syntax requires nginx version >=
    ## ** 1.1.8. Cf. http://nginx.org/en/CHANGES. If using an older
    ## ** version then use the limit_zone directive below
    ## ** instead. Comment out this
    ## ** one if not using nginx version >= 1.1.8.
    limit_conn_zone $binary_remote_addr zone=arbeit:10m;

    ## Define a zone for limiting the number of simultaneous
    ## connections nginx accepts. 1m means 32000 simultaneous
    ## sessions. We need to define for each server the limit_conn
    ## value refering to this or other zones.
    ## ** Use this directive for nginx versions below 1.1.8. Uncomment the line below.
    #limit_zone arbeit $binary_remote_addr 10m;

    ## Timeouts.
    client_body_timeout 60;
    client_header_timeout 60;
    keepalive_timeout 10 10;
    send_timeout 60;

    ## Reset lingering timed out connections. Deflect DDoS.
    reset_timedout_connection on;

    ## Body size.
    client_max_body_size 10m;

    ## TCP options.
    tcp_nodelay on;
    ## Optimization of socket handling when using sendfile.
    tcp_nopush on;

    ## Compression.
    gzip on;
    gzip_buffers 16 8k;
    gzip_comp_level 1;
    gzip_http_version 1.1;
    gzip_min_length 10;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/x-icon application/vnd.ms-fontobject font/opentype application/x-font-ttf;
    gzip_vary on;
    gzip_proxied any; # Compression for all requests.
    ## No need for regexps. See
    ## http://wiki.nginx.org/NginxHttpGzipModule#gzip_disable
    gzip_disable msie6;

    ## Serve already compressed files directly, bypassing on-the-fly
    ## compression.
    ##
    # Usually you don't make much use of this. It's better to just
    # enable gzip_static on the locations you need it.
    # gzip_static on;

    ## Hide the Nginx version number.
    server_tokens off;

    ## Use a SSL/TLS cache for SSL session resume. This needs to be
    ## here (in this context, for session resumption to work. See this
    ## thread on the Nginx mailing list:
    ## http://nginx.org/pipermail/nginx/2010-November/023736.html.
    ssl_session_cache shared:SSL:30m;
    ssl_session_timeout 1d;

    ## The server dictates the choice of cipher suites.
    ssl_prefer_server_ciphers on;

    ## Use only Perfect Forward Secrecy Ciphers. Fallback on non ECDH
    ## for crufty clients.
    ssl_ciphers ECDH+aRSA+AESGCM:ECDH+aRSA+SHA384:ECDH+aRSA+SHA256:ECDH:EDH+CAMELLIA:EDH+aRSA:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA;

    ## No SSL2 support. Legacy support of SSLv3.
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    ## Pregenerated Diffie-Hellman parameters.
    ssl_dhparam /etc/nginx/dh_param.pem;

    ## Curve to use for ECDH.
    ssl_ecdh_curve secp521r1;

    ## Enable OCSP stapling. A better way to revocate server certificates.
    ssl_stapling on;
    ## Fill in with your own resolver.
    resolver 8.8.8.8;

    ## Uncomment to increase map_hash_bucket_size. If start getting
    ## [emerg]: could not build the map_hash, you should increase
    ## map_hash_bucket_size: 64 in your
    ## logs. Cf. http://wiki.nginx.org/NginxOptimizations.
    #map_hash_bucket_size 192;

    ## For the filefield_nginx_progress module to work. From the
    ## README. Reserve 1MB under the name 'uploads' to track uploads.
    upload_progress uploads 1m;

    ## Enable the builtin cross-site scripting (XSS) filter available
    ## in modern browsers. Usually enabled by default we just
    ## reinstate in case it has been somehow disabled for this
    ## particular server instance.
    ## https://www.owasp.org/index.php/List_of_useful_HTTP_headers.
    add_header X-XSS-Protection '1; mode=block';

    ## Enable clickjacking protection in modern browsers. Available in
    ## IE8 also. See
    ## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
    ## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
    ## Uncomment the line below if you're not using media streaming.
    ## For sites being framing on the same domqin uncomment the line below.
    #add_header X-Frame-Options SAMEORIGIN;
    ## For sites accepting to be framed in any context comment the
    ## line below.
    add_header X-Frame-Options DENY;

    ## Block MIME type sniffing on IE.
    add_header X-Content-Options nosniff;

    ## Increase variables hash table
    ## See http://nginx.org/en/docs/hash.html
    variables_hash_max_size 1024;

    ## Include the upstream servers for PHP FastCGI handling config.
    ## This one uses the FCGI process listening on TCP sockets.
    include upstream_phpcgi_tcp.conf;

    ## Include the map to block HTTP methods.
    include map_block_http_methods.conf;

    ## Include the upstream servers for PHP FastCGI handling
    ## configuration. This setup uses UNIX sockets for talking with the
    ## upstream.
    #include upstream_phpcgi_unix.conf;

    ## If using Nginx version >= 1.1.11 then there's a $https variable
    ## that has the value 'on' if the used scheme is https and '' if not.
    ## See: http://trac.nginx.org/nginx/changeset/4380/nginx
    ## http://trac.nginx.org/nginx/changeset/4333/nginx and
    ## http://trac.nginx.org/nginx/changeset/4334/nginx. If using a
    ## previous version then uncomment out the line below.
    #include map_https_fcgi.conf;

    ## Include this line, if used in a loadbalanced environment
    ## and comment the line which includes map_https_fcgi.conf.
    ## If the loadbalancer always sends the request in http protocol,
    ## and adds the server variable $http_x_forwarded_proto
    #include map_https_forwarded_proto.conf;

    ## Include the upstream servers for Apache handling the PHP
    ## processes. In this case Nginx functions as a reverse proxy.
    #include reverse_proxy.conf;
    #include upstream_phpapache.conf;

    ## Include the php-fpm status allowed hosts configuration block.
    ## Uncomment to enable if you're running php-fpm.
    #include php_fpm_status_allowed_hosts.conf;

    ## Include the Nginx stub status allowed hosts configuration block.
    include nginx_status_allowed_hosts.conf;

    ## If you want to run cron using Drupal cron.php. i.e., you're not
    ## using drush then uncomment the line below. Specify in
    ## cron_allowed_hosts.conf which hosts can invole cron.
    # include apps/drupal/cron_allowed_hosts.conf;

    ## Include blacklist for bad bot and referer blocking.
    include blacklist.conf;

    ## Include the map directive that sets the $no_slash_uri variable for drupal 6.
    include apps/drupal/map_drupal6.conf;

    ## Include the caching setup. Needed for using Drupal with an external cache.
    include apps/drupal/map_cache.conf;

    ## Microcache zone definition for FastCGI.
    include fastcgi_microcache_zone.conf;

    ## If you're using Apache for handling PHP then comment the line
    ## above and uncomment the line below.
    #include proxy_microcache_zone.conf

    ## Include all vhosts.
    include /etc/nginx/sites-enabled/*;
}
Something went wrong with that request. Please try again.