Last active
July 15, 2022 17:32
-
-
Save hongphuc5497/f404bc9589a148fae8f9c52eed5f0fa0 to your computer and use it in GitHub Desktop.
Nginx Reusable Conf
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| user www-data; | |
| pid /run/nginx.pid; | |
| worker_processes auto; | |
| worker_rlimit_nofile 65535; | |
| include /etc/nginx/modules-enabled/*.conf; | |
| events { | |
| worker_connections 65535; | |
| multi_accept on; | |
| } | |
| http { | |
| ## | |
| # Basic Settings | |
| ## | |
| sendfile on; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| log_not_found off; | |
| server_tokens off; | |
| types_hash_max_size 2048; | |
| types_hash_bucket_size 64; | |
| client_body_buffer_size 1k; | |
| client_header_buffer_size 1k; | |
| client_max_body_size 16M; | |
| large_client_header_buffers 2 1k; | |
| include /etc/nginx/mime.types; | |
| default_type application/octet-stream; | |
| ## | |
| # SSL Settings | |
| ## | |
| ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE | |
| ssl_prefer_server_ciphers on; | |
| ## | |
| # Logging Settings | |
| ## | |
| access_log /var/log/nginx/access.log; | |
| error_log /var/log/nginx/error.log; | |
| ## | |
| # Gzip Settings | |
| ## | |
| gzip on; | |
| gzip_vary on; | |
| gzip_proxied any; | |
| gzip_comp_level 6; | |
| gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml; | |
| ## | |
| # Connection header for WebSocket reverse proxy | |
| ## | |
| map $http_upgrade $connection_upgrade { | |
| default upgrade; | |
| "" close; | |
| } | |
| map $remote_addr $proxy_forwarded_elem { | |
| # IPv4 addresses can be sent as-is | |
| ~^[0-9.]+$ "for=$remote_addr"; | |
| # IPv6 addresses need to be bracketed and quoted | |
| ~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\""; | |
| # Unix domain socket names cannot be represented in RFC 7239 syntax | |
| default "for=unknown"; | |
| } | |
| map $http_forwarded $proxy_add_forwarded { | |
| # If the incoming Forwarded header is syntactically valid, append to it | |
| "~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem"; | |
| # Otherwise, replace it | |
| default "$proxy_forwarded_elem"; | |
| } | |
| ## | |
| # Virtual Host Configs | |
| ## | |
| include /etc/nginx/conf.d/*.conf; | |
| include /etc/nginx/sites-enabled/*; | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| proxy_http_version 1.1; | |
| proxy_cache_bypass $http_upgrade; | |
| # Proxy headers | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection $connection_upgrade; | |
| proxy_set_header Host $host; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header Forwarded $proxy_add_forwarded; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| proxy_set_header X-Forwarded-Host $host; | |
| proxy_set_header X-Forwarded-Port $server_port; | |
| # Proxy timeouts | |
| proxy_connect_timeout 60s; | |
| proxy_send_timeout 60s; | |
| proxy_read_timeout 60s; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # security headers | |
| add_header X-XSS-Protection "1; mode=block" always; | |
| add_header X-Frame-Options "SAMEORIGIN" always; | |
| add_header X-Content-Type-Options "nosniff" always; | |
| add_header Referrer-Policy "strict-origin" always; | |
| add_header Content-Security-Policy "default-src 'self' http: https: ws: wss: data: blob: 'unsafe-inline'; frame-ancestors 'self';" always; | |
| add_header Permissions-Policy "interest-cohort=()" always; | |
| add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()" always; | |
| add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; | |
| add_header Access-Control-Allow-Origin "*" always; | |
| # . files | |
| location ~ /\.(?!well-known) { | |
| deny all; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment