blob: 760ca02adf75159a3ff4c4d1453ecd125085b909 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
|
#
# /usr/local/etc/nginx/nginx.conf
# DragonFly BSD
#
#
# References
# ----------
# * A Guide to Caching with NGINX and NGINX Plus
# https://www.nginx.com/blog/nginx-caching-guide/
# * Reverse Proxy with Caching
# https://www.nginx.com/resources/wiki/start/topics/examples/reverseproxycachingexample/
# * Compression and Decompression
# https://www.nginx.com/resources/admin-guide/compression-and-decompression/
# * Nginx location priority
# https://stackoverflow.com/a/5238430/4856091
# * Nginx add_header configuration pitfall
# https://blog.g3rt.nl/nginx-add_header-pitfall.html
#
# Tools
# -----
# * Qualys SSL Labs SSL Server Test
# https://www.ssllabs.com/ssltest/
# * Security Headers Analyzer
# https://securityheaders.io/
# * KeyCDN HTTP/2 Test
# https://tools.keycdn.com/http2-test
#
#
# Aaron LI
# 2017-04-16
#
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
# Compression
gzip on;
gzip_types text/plain application/xml; # text/html always compressed
gzip_proxied no-cache no-store private expired auth;
gzip_min_length 1000;
# Don't show the Nginx version number (in error pages / headers)
server_tokens off;
# SSL/TLS settings
include conf.d/ssl.conf;
# Security headers
#
# WARNING: The "add_header" directive (and some others) are inherited
# from the *previous* level *IF AND ONLY IF* there are NO
# "add_header" directives defined on the *current* level.
# Such behavior leads to the *pitfall* that the added headers
# may get *cleared*! In consequence, this common header
# configuration file *must* be included within every context
# that has "add_header" directives!
#
include conf.d/security_headers.conf;
# Proxy Caching
#
# This setup a cache zone named "CACHE" given 10 MB for metadata storage,
# maximum 1 GB for cached contents which will be cleared after 24 hours
# without access.
#
# NOTE: The `proxy_cache_path` directive must be placed in `http` context.
#
# NOTE: The caching is not efficient since the traffic is rather low.
# So disable caching to save a bit memory.
#
#proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=CACHE:10m
# inactive=24h max_size=1g use_temp_path=off;
#proxy_cache_valid 200 302 60m;
#proxy_cache_valid any 1m;
#proxy_cache_use_stale error timeout invalid_header updating
# http_500 http_502 http_503 http_504;
#add_header X-Cache-Status $upstream_cache_status;
# Site-specific settings
include sites/*.conf;
}
|
