#
# /usr/local/etc/nginx/nginx.conf
# DragonFly BSD
#
#
# References
# ----------
# * A Guide to Caching with NGINX and NGINX Plus
#   https://www.nginx.com/blog/nginx-caching-guide/
# * Reverse Proxy with Caching
#   https://www.nginx.com/resources/wiki/start/topics/examples/reverseproxycachingexample/
# * Compression and Decompression
#   https://www.nginx.com/resources/admin-guide/compression-and-decompression/
# * Nginx location priority
#   https://stackoverflow.com/a/5238430/4856091
# * Nginx add_header configuration pitfall
#   https://blog.g3rt.nl/nginx-add_header-pitfall.html
#
# Tools
# -----
# * Qualys SSL Labs SSL Server Test
#   https://www.ssllabs.com/ssltest/
# * Security Headers Analyzer
#   https://securityheaders.io/
# * KeyCDN HTTP/2 Test
#   https://tools.keycdn.com/http2-test
#
#
# Aaron LI
# 2017-04-16
#

# One worker is plenty for this low-traffic host.  ("auto" would spawn one
# worker per CPU core should the load ever grow.)
worker_processes  1;

events {
    # Upper bound on simultaneous connections handled by a single worker.
    worker_connections  1024;
}


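http {
    include             mime.types;
    default_type        application/octet-stream;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;

    # Compression
    #
    # NOTE: Compressing responses that are served over TLS exposes any page
    #       which mixes a secret (session/CSRF token) with attacker-controlled
    #       input to BREACH-style length leaks.  That is a non-issue for
    #       static content; if a site ever serves such dynamic pages, disable
    #       gzip for that location (or keep the secret out of the body).
    gzip                on;
    gzip_types          text/plain application/xml;  # text/html always compressed
    gzip_proxied        no-cache no-store private expired auth;
    gzip_min_length     1000;
    # Emit "Vary: Accept-Encoding" so intermediate caches do not hand a
    # gzip'ed body to a client that never asked for one.
    gzip_vary           on;

    # Don't show the Nginx version number (in error pages / headers)
    #
    # NOTE: This only strips the version; the "Server: nginx" header itself
    #       is still sent (dropping it needs a third-party module such as
    #       headers-more).  Treat this as tidiness, not a security control.
    server_tokens       off;

    # SSL/TLS settings
    #
    # Protocols, ciphers and related hardening presumably live in that file;
    # review it together with this one (see the SSL Labs test above).
    include  conf.d/ssl.conf;

    # Security headers
    #
    # WARNING: The "add_header" directive (and some others) are inherited
    #          from the *previous* level *IF AND ONLY IF* there are NO
    #          "add_header" directives defined on the *current* level.
    #          Such behavior leads to the *pitfall* that the added headers
    #          may get *cleared*!  In consequence, this common header
    #          configuration file *must* be included within every context
    #          that has "add_header" directives!
    #
    include  conf.d/security_headers.conf;

    # Proxy Caching
    #
    # This sets up a cache zone named "CACHE" with 10 MB of metadata storage
    # and at most 1 GB of cached content; entries not accessed for 24 hours
    # are evicted.
    #
    # NOTE: The `proxy_cache_path` directive must be placed in `http` context.
    #
    # NOTE: Caching is disabled since the traffic is too low for it to pay
    #       off, and leaving it off saves a bit of memory.
    #
    # NOTE: If this is ever re-enabled, make sure per-user responses never
    #       land in the shared cache: the default cache key
    #       ($scheme$proxy_host$request_uri) ignores Cookie and Authorization,
    #       so add `proxy_no_cache` / `proxy_cache_bypass` on them (or a
    #       richer `proxy_cache_key`).  "proxy_cache_valid any 1m" also caches
    #       error responses (4xx/5xx) for a minute.  The X-Cache-Status header
    #       is an `add_header` and thus subject to the inheritance pitfall
    #       described above.
    #
    #proxy_cache_path       /var/cache/nginx levels=1:2 keys_zone=CACHE:10m
    #                       inactive=24h max_size=1g use_temp_path=off;
    #proxy_cache_valid      200 302 60m;
    #proxy_cache_valid      any     1m;
    #proxy_cache_use_stale  error timeout invalid_header updating
    #                       http_500 http_502 http_503 http_504;
    #add_header             X-Cache-Status  $upstream_cache_status;

    # Site-specific settings
    #
    # Any server/location block in these files that defines its own
    # "add_header" must re-include conf.d/security_headers.conf, otherwise
    # the headers added at this level are silently dropped for that context.
    include  sites/*.conf;
}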