1 files changed, 94 insertions, 0 deletions
diff --git a/roles/web/files/nginx.conf b/roles/web/files/nginx.conf
new file mode 100644
index 0000000..760ca02
--- /dev/null
+++ b/roles/web/files/nginx.conf
@@ -0,0 +1,94 @@
+#
+# /usr/local/etc/nginx/nginx.conf
+# DragonFly BSD
+#
+#
+# References
+# ----------
+# * A Guide to Caching with NGINX and NGINX Plus
+#   https://www.nginx.com/blog/nginx-caching-guide/
+# * Reverse Proxy with Caching
+#   https://www.nginx.com/resources/wiki/start/topics/examples/reverseproxycachingexample/
+# * Compression and Decompression
+#   https://www.nginx.com/resources/admin-guide/compression-and-decompression/
+# * Nginx location priority
+#   https://stackoverflow.com/a/5238430/4856091
+# * Nginx add_header configuration pitfall
+#   https://blog.g3rt.nl/nginx-add_header-pitfall.html
+#
+# Tools
+# -----
+# * Qualys SSL Labs SSL Server Test
+#   https://www.ssllabs.com/ssltest/
+# * Security Headers Analyzer
+#   https://securityheaders.io/
+# * KeyCDN HTTP/2 Test
+#   https://tools.keycdn.com/http2-test
+#
+#
+# Aaron LI
+# 2017-04-16
+#
+
+worker_processes  1;
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include             mime.types;
+    default_type        application/octet-stream;
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+
+    # Compression
+    gzip                on;
+    gzip_types          text/plain application/xml;  # text/html always compressed
+    gzip_proxied        no-cache no-store private expired auth;
+    gzip_min_length     1000;
+
+    # Don't show the Nginx version number (in error pages / headers)
+    server_tokens       off;
+
+    # SSL/TLS settings
+    include  conf.d/ssl.conf;
+
+    # Security headers
+    #
+    # WARNING: The "add_header" directive (and some others) are inherited
+    #          from the *previous* level *IF AND ONLY IF* there are NO
+    #          "add_header" directives defined on the *current* level.
+    #          Such behavior leads to the *pitfall* that the added headers
+    #          may get *cleared*!  In consequence, this common header
+    #          configuration file *must* be included within every context
+    #          that has "add_header" directives!
+    #
+    include  conf.d/security_headers.conf;
+
+    # Proxy Caching
+    #
+    # This setup a cache zone named "CACHE" given 10 MB for metadata storage,
+    # maximum 1 GB for cached contents which will be cleared after 24 hours
+    # without access.
+    #
+    # NOTE: The `proxy_cache_path` directive must be placed in `http` context.
+    #
+    # NOTE: The caching is not efficient since the traffic is rather low.
+    #       So disable caching to save a bit memory.
+    #
+    #proxy_cache_path       /var/cache/nginx levels=1:2 keys_zone=CACHE:10m
+    #                       inactive=24h max_size=1g use_temp_path=off;
+    #proxy_cache_valid      200 302 60m;
+    #proxy_cache_valid      any     1m;
+    #proxy_cache_use_stale  error timeout invalid_header updating
+    #                       http_500 http_502 http_503 http_504;
+    #add_header             X-Cache-Status  $upstream_cache_status;
+
+    # Site-specific settings
+    include  sites/*.conf;
+}