contoh nginx http2 port 80 not redirect
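# --- Global Rate Limiting Settings ---
# These directives live in the http{} context and apply to every server block
# below. 'warn' logs only notable events, such as a request being delayed or
# rejected by limit_req. The 'global' zone keys on the client address
# ($binary_remote_addr) and allows 10 requests per second per key; a 10m
# shared zone holds roughly 160k address states (nginx documents about 16k
# 64-byte states per megabyte).
limit_req_log_level warn;
limit_req_zone $binary_remote_addr zone=global:10m rate=10r/s;

# NOTE: when nginx sits behind a load balancer or reverse proxy (as the HTTP
# block below assumes), $binary_remote_addr is the proxy's address, so every
# real client shares a single rate-limit bucket and the limit is either
# ineffective or trips for everyone at once. Recover the client address with
# the realip module, trusting only your own proxy range
# (<LOAD_BALANCER_CIDR> is a placeholder):
# set_real_ip_from <LOAD_BALANCER_CIDR>;
# real_ip_header X-Forwarded-For;
# real_ip_recursive on;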
# --- HTTP Traffic Handler (Port 80) ---
# This section defines how Nginx processes plain, unencrypted web requests on port 80.
# It is intended for traffic forwarded by a load balancer, typically after TLS termination, and deliberately does not redirect to HTTPS.
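server {
    # Listen for IPv4 and IPv6 HTTP connections. 'reuseport' gives each worker
    # its own listening socket so the kernel distributes new connections.
    listen 80 reuseport;
    listen [::]:80 reuseport;

    # Primary host name for this server block. This is a concrete name, not the
    # '_' catch-all; since no block declares default_server, nginx uses the
    # first server block for *:80 as the default for unmatched Host headers.
    server_name your_actual_domain.com; # Replace with your website's domain name (e.g., example.com)

    # --- Logging Configuration ---
    # Access and error logs for plain-HTTP traffic ('main' must be a log_format
    # defined in the http{} context).
    access_log /var/log/nginx/your_domain_access.log main;
    error_log /var/log/nginx/your_domain_error.log warn;

    # --- Website Root and Index Files ---
    root /var/www/your_website_public_directory; # Replace with the actual path to your website's public folder.
    index index.php index.html index.htm;

    # --- Essential Security Headers ---
    # 'always' makes nginx emit these on every status code, including the 404
    # responses produced by error_page below; without it add_header only
    # applies to 2xx/3xx responses.
    # NOTE: add_header is inherited by a location only when that location sets
    # no add_header of its own; if you add a header inside a location later,
    # repeat these there as well.
    add_header X-Frame-Options "SAMEORIGIN" always;        # Clickjacking: allow framing from the same origin only.
    add_header X-Content-Type-Options "nosniff" always;    # Stop browsers from guessing content types.
    # The legacy XSS auditor has been removed from current browsers, and the
    # "1; mode=block" mode was itself abused as a side channel; OWASP now
    # recommends disabling it explicitly with "0" (or omitting the header).
    add_header X-XSS-Protection "0" always;
    # Consider adding Referrer-Policy and a Content-Security-Policy tuned to
    # the application; no generic value is safe to ship blind.

    # --- Common Website Paths ---
    # Small, frequently requested files that should not clutter the logs.
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }

    # Default handler: serve the file, then the directory, then hand the URI
    # to the front controller.
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    error_page 404 /index.php; # Let the application render its own 404 page.

    # --- Restrict Access to Hidden Files ---
    # Deny dotfiles/dotdirs (.env, .git, .htaccess, ...) except '.well-known',
    # which ACME clients such as Let's Encrypt need.
    # This regex location is placed BEFORE the PHP regex on purpose: nginx
    # evaluates regex locations in order and the first match wins, so a request
    # such as /.git/hook.php must hit 'deny all' rather than PHP-FPM.
    location ~ /\.(?!well-known).* {
        deny all;
    }

    # --- PHP Application Processing ---
    # Routes *.php requests to PHP-FPM over a Unix socket.
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
        # On Debian/Ubuntu, snippets/fastcgi-php.conf already includes
        # fastcgi.conf (which sets SCRIPT_FILENAME) and guards with
        # 'try_files $fastcgi_script_name =404'; the two lines below are then
        # redundant but harmless. Verify your snippet before removing them.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_read_timeout 600s; # Max time to wait for a PHP-FPM response (10 minutes).
        fastcgi_send_timeout 600s; # Max time to send a request to PHP-FPM (10 minutes).
    }

    # --- Nginx Rate Limiting for HTTP (Optional) ---
    # Uncomment to apply the global zone to plain-HTTP traffic as well. Only
    # meaningful once the realip module maps the proxy's address back to the
    # client, otherwise the whole load balancer shares one bucket.
    # limit_req zone=global burst=5 nodelay;
}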
--- | |
## HTTPS Traffic Handler (Port 443) | |
This server block handles encrypted (TLS) traffic with HTTP/2 on port 443; it is where the site's main, secure traffic is served.
```nginx | |
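server {
    # Listen on port 443 for IPv4 and IPv6. 'ssl' enables TLS, 'http2' enables
    # HTTP/2, 'reuseport' gives each worker its own socket and 'backlog=65535'
    # lengthens the pending-connection queue (the kernel's somaxconn caps the
    # effective value).
    # NOTE: since nginx 1.25.1 the 'http2' listen parameter is deprecated in
    # favour of a separate 'http2 on;' directive; keep this form only on
    # older releases.
    listen 443 ssl http2 reuseport backlog=65535;
    listen [::]:443 ssl http2 reuseport backlog=65535;

    # Primary host name; must match a name covered by the certificate below.
    server_name your_actual_domain.com; # Replace with your website's domain name (e.g., example.com)

    # --- HTTP/2 Specific Optimizations ---
    # Up to 1000 concurrent streams per HTTP/2 connection. A high value helps
    # browsers fetching many assets but also lets one client consume more
    # server resources per connection; lower it if you see stream floods.
    http2_max_concurrent_streams 1000;
    # http2_max_requests 10000000; # Uncomment and adjust to cap requests per HTTP/2 connection if needed.

    # --- SSL Certificate and Key Paths ---
    # Certificate (with intermediates) and private key. The key file must be
    # readable only by root/the nginx master process.
    ssl_certificate /etc/ssl/certs/your_domain_cert.crt;
    ssl_certificate_key /etc/ssl/private/your_domain_key.key;

    # --- Recommended SSL/TLS Security Settings ---
    ssl_protocols TLSv1.2 TLSv1.3;  # Only modern TLS versions.
    ssl_prefer_server_ciphers on;    # Server's cipher order wins for TLS 1.2.
    # This list permits AES-CBC suites (via AES256+EECDH/EDH) and omits
    # ChaCha20-Poly1305; a current Mozilla "intermediate" list is a stronger
    # and better-tested choice if your clients allow it.
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_session_cache shared:SSL:10m; # Shared session cache for faster resumption across workers.
    ssl_session_timeout 1h;
    # Session tickets are disabled so resumption is not protected by a single
    # long-lived ticket key that would undermine forward secrecy.
    ssl_session_tickets off;

    # OCSP stapling. 'ssl_stapling_verify on' only works when the issuer and
    # root certificates are known to nginx; if they are not in the certificate
    # file, point ssl_trusted_certificate at the CA chain
    # (<CA_CHAIN_PATH> is a placeholder):
    # ssl_trusted_certificate <CA_CHAIN_PATH>;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s; # Resolvers for OCSP lookups (use your own trusted DNS; plain UDP DNS).
    resolver_timeout 5s;

    # --- Logging Configuration ---
    access_log /var/log/nginx/your_domain_access_ssl.log main;
    error_log /var/log/nginx/your_domain_error_ssl.log warn;

    # --- Website Root and Index Files ---
    root /var/www/your_website_public_directory; # Replace with the actual path to your website's public folder.
    index index.php index.html index.htm;

    # --- Essential Security Headers ---
    # 'always' emits these on every status code (including error_page 404
    # responses); without it add_header applies to 2xx/3xx only.
    # NOTE: add_header is not inherited into a location that sets its own
    # add_header, so repeat these if you add headers inside a location.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    # The browser XSS auditor is gone from current browsers and "1; mode=block"
    # was itself exploitable as a side channel; OWASP recommends "0".
    add_header X-XSS-Protection "0" always;
    # HSTS. 'preload' with 'includeSubDomains' is effectively irreversible once
    # submitted to the browser preload list: every subdomain must serve valid
    # HTTPS. Start without 'preload', confirm all subdomains, then add it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # --- Common Website Paths ---
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }
    error_page 404 /index.php;

    # --- Restrict Access to Hidden Files ---
    # Placed before the PHP regex: regex locations are tried in order and the
    # first match wins, so /.git/x.php must be denied rather than executed.
    location ~ /\.(?!well-known).* {
        deny all;
    }

    # --- PHP Application Processing ---
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
        # On Debian/Ubuntu the snippet above already sets SCRIPT_FILENAME and
        # includes the FastCGI defaults; verify before removing these two.
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        fastcgi_read_timeout 600s;
        fastcgi_send_timeout 600s;
    }

    # --- Nginx Rate Limiting for Login Page (HTTPS Specific) ---
    # Rate-limits the login path against credential brute force: a burst of 5
    # is accepted immediately, then the global 10r/s per client applies.
    # '^~' is required: a plain 'location /login/' prefix loses to
    # 'location ~ \.php$' for any PHP script under /login/, so the actual
    # credential POST would never be limited. The nested PHP location keeps
    # those scripts executable while inheriting limit_req from this block.
    # Note that '/login/' (trailing slash) does not match a bare '/login'.
    location ^~ /login/ {
        limit_req zone=global burst=5 nodelay;
        try_files $uri $uri/ /index.php$is_args$args;

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_pass unix:/var/run/php/php8.3-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
}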