-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.conf
137 lines (120 loc) · 6.78 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
pid /var/run/nginx/nginx.pid;
# Sets the worker threads to the number of CPU cores available in the system for best performance.
# Should be > the number of CPU cores.
# Maximum number of connections = worker_processes * worker_connections
# Default: 1
worker_processes 4;
# Maximum number of open files per worker process.
# Should be > worker_connections.
# Default: no limit
worker_rlimit_nofile 1100;
events {
# If you need more connections than this, you start optimizing your OS.
# That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
# Should be < worker_rlimit_nofile.
# Default: 512
worker_connections 1024;
# optmized to serve many clients with each thread, essential for linux -- for testing environment!
use epoll;
# accept as many connections as possible, may flood worker connections if set too low -- for testing environment!
multi_accept on;
}
http {
include mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format custom '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"'
# ' $request_id $geoip_country_code3 $geoip_region_name $geoip_city';
access_log /var/log/nginx/access.log main buffer=32k;
# access_log /var/log/nginx/access.log custom buffer=32k;
error_log /var/log/nginx/error.log warn;
sendfile on;
sendfile_max_chunk 1m;
#Use the tcp_nopush directive together with the sendfile on; directive.
#This enables NGINX to send HTTP response headers in one packet right after the chunk of data has been obtained by sendfile()
tcp_nopush on;
tcp_nodelay on;
charset utf-8;
# How long to allow each connection to stay idle.
# Longer values are better for each individual client, particularly for SSL,
# but means that worker connections are tied up longer.
# Default: 75s
keepalive_timeout 30;
# number of requests client can make over keep-alive -- for testing environment!
# Default: 100
keepalive_requests 1000;
port_in_redirect off;
# don't send the nginx version number in error pages and Server header
server_tokens off;
# allow the server to close connection on non responding client, this will free up memory
reset_timedout_connection on;
# request timed out -- default 60
client_body_timeout 5;
client_header_timeout 5;
# if client stop responding, free up memory -- default 60
send_timeout 10;
# Sets the maximum allowed size of the client request body, specified in the “Content-Length” request header field.
# If the size in a request exceeds the configured value, the 413 (Request Entity Too Large) error is returned to the client
# Default: 1m;
client_max_body_size 128k;
# if the request body size is more than the buffer size, then the entire (or partial)
# request body is written into a temporary file. Default 8k(32)/16k(64) (=two memory pages)
client_body_buffer_size 128k;
# headerbuffer size for the request header from client. Default 1k
client_header_buffer_size 1k;
# Sets the maximum number and size of buffers used for reading large client request header.
# A request line cannot exceed the size of one buffer, or the 414 (Request-URI Too Large) error is returned to the client.
# Default: large_client_header_buffers 4 8k;
large_client_header_buffers 2 1k;
server {
listen 8081;
# token for loader.io
location /loaderio-6b7df9ede7fa23c6a87eddb74d3bf406.txt {
root /app;
}
location / {
include uwsgi_params;
uwsgi_pass unix:/tmp/uwsgi.sock;
if ($request_method !~ ^(GET|HEAD|OPTIONS)$ ) {
return 405;
}
if ($request_method = 'OPTIONS') {
add_header 'Content-Length' 0;
return 204;
}
# config to don't allow the browser to render the page inside an frame or iframe
# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
add_header X-Frame-Options DENY always;
# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-Content-Type-Options nosniff always;
# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
# this particular website if it was disabled by the user.
# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
add_header X-XSS-Protection "1; mode=block" always;
# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
# you can tell the browser that it can only download content from the domains you explicitly allow
# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
# https://www.owasp.org/index.php/Content_Security_Policy
# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
# directives for css and js(if you have inline css or js, you will need to keep it too).
# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
set $CSP ""; # to split long string.
set $CSP "${CSP}default-src 'self'; script-src 'self' 'unsafe-inline'; ";
set $CSP "${CSP}style-src 'self'; img-src 'self'; ";
set $CSP "${CSP}font-src 'self'; frame-src 'none'; object-src 'none'; frame-ancestors 'none';";
add_header Content-Security-Policy $CSP always;
set $FP ""; # to split long string
set $FP "${FP}geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none';";
set $FP "${FP}magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'self'; payment 'none';";
add_header Feature-Policy $FP always;
add_header Referrer-Policy "no-referrer" always;
} # end of "location"
} # end of "server"
} # end of "http"