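# NGINX
# FILE: /usr/local/etc/nginx/nginx.conf

#------------------------------------------------------------------------------#
# http://nginx.org/en/docs/ngx_core_module.html
#------------------------------------------------------------------------------#
# Worker processes drop to this unprivileged user; the master process keeps
# the privileges of whoever started nginx (needed to bind ports < 1024).
user prm staff;
worker_processes auto;

#------------------------------------------------------------------------------#
# http://nginx.org/en/docs/ngx_core_module.html#events
#------------------------------------------------------------------------------#
events {
    worker_connections 1024;
    accept_mutex off;
}

#------------------------------------------------------------------------------#
# http://nginx.org/en/docs/http/ngx_http_core_module.html
#------------------------------------------------------------------------------#
http {
    include mime.types;
    charset utf-8;
    default_type application/octet-stream;

    # $http_x_forwarded_for is copied verbatim from the client request; treat it
    # as untrusted input when reading the access log.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /usr/local/var/log/nginx/access.log main;
    error_log /usr/local/var/log/nginx/error.log warn;

    # compression
    # NOTE: gzip also applies to HTTPS responses. A compressed dynamic body that
    # mixes attacker-influenced input with a secret (session id, CSRF token) is
    # the precondition for BREACH; keep secrets out of such bodies or turn gzip
    # off for those locations in the site config.
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_vary on;
    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rss+xml
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/bmp
        image/svg+xml
        image/x-icon
        text/cache-manifest
        text/css
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy
        text/xml;

    # http://tautt.com/best-nginx-configuration-for-security/
    directio off;
    disable_symlinks off;
    ignore_invalid_headers on;
    merge_slashes on;
    recursive_error_pages on;
    server_name_in_redirect off;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;
    # NOTE: with underscores allowed, a client-sent "X_Foo" header reaches a
    # CGI-style backend under the same HTTP_X_FOO name as "X-Foo", so headers a
    # server block sets with a dash are not automatically unspoofable. Keep this
    # on only if a backend really needs underscored header names.
    underscores_in_headers on;

    # https://t37.net/nginx-optimization-understanding-sendfile-tcp_nodelay-and-tcp_nopush.html
    sendfile on;
    tcp_nodelay on;
    tcp_nopush on;

    # timeouts
    keepalive_timeout 25;
    send_timeout 120;
    proxy_connect_timeout 120;
    proxy_send_timeout 120;
    proxy_read_timeout 120;

    # sizes
    client_body_buffer_size 128k;
    # Requests with a larger body are rejected with 413 before reaching PHP.
    client_max_body_size 2M;
    server_names_hash_bucket_size 128;
    types_hash_max_size 2048;

    # security headers (https://www.owasp.org/index.php/List_of_useful_HTTP_headers)
    # NOTE: add_header is not merged across levels. Any server or location
    # block under sites-enabled that declares its own add_header silently
    # drops every header set here (including HSTS below); repeat them there or
    # move them into a shared include.
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    # The legacy browser XSS auditor that "1; mode=block" enabled has been
    # removed from current browsers, and its filtering mode was itself a source
    # of issues; current guidance is to disable it and rely on a
    # Content-Security-Policy instead.
    add_header X-XSS-Protection "0";

    # enable session resumption to improve https performance
    # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html
    # Session tickets are left at their default (on); the ticket key is only
    # regenerated on restart, which limits forward secrecy for long-running
    # workers -- rotate ssl_session_ticket_key out of band or disable tickets
    # if that matters for this deployment.
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 5m;

    # Diffie-Hellman parameter for DHE ciphersuites
    # The group in this file must be at least 2048 bits; a 1024-bit group is
    # within reach of well-resourced attackers (Logjam). Verify with
    # "openssl dhparam -in <file> -text -noout".
    ssl_dhparam /usr/local/etc/nginx/ssl/dh.pem;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and disallowed by PCI DSS, so
    # only TLSv1.2 and TLSv1.3 are offered. TLSv1.3 needs nginx >= 1.13.0 built
    # against OpenSSL 1.1.1 or later -- remove it from the list on older builds.
    # http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
    ssl_protocols TLSv1.2 TLSv1.3;

    # enables server-side protection from BEAST attacks
    # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
    ssl_prefer_server_ciphers on;

    # ciphers chosen for forward secrecy and compatibility
    # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html
    # The 3DES suites (ECDH+3DES, DH+3DES, RSA+3DES) were dropped: 64-bit block
    # ciphers are subject to SWEET32 and no supported client requires them.
    ssl_ciphers 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS';

    # config to enable HSTS(HTTP Strict Transport Security)
    # https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
    # to avoid SSL stripping https://en.wikipedia.org/wiki/SSL_stripping#SSL_stripping
    # Sent on plain-HTTP responses too; browsers ignore it there, so it only
    # takes effect once a client has seen an HTTPS response. Add "preload" only
    # after every subdomain is confirmed HTTPS-only -- preloading is effectively
    # irreversible.
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

    # detect https: exposes $fastcgi_https so site configs can pass HTTPS=on to
    # PHP-FPM ($https is empty on plain-HTTP connections, "on" otherwise).
    map $scheme $fastcgi_https {
        default $https;
        http "";
        https on;
    }

    # PHP-FPM
    # Both upstream names resolve to the same socket; kept because site configs
    # under sites-enabled may reference either name.
    upstream phpfpm {
        server unix:/usr/local/var/run/php-fpm.sock;
    }
    upstream fastcgi_backend {
        server unix:/usr/local/var/run/php-fpm.sock;
    }

    # include active sites
    include /usr/local/etc/nginx/sites-enabled/*;
}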