Skip to content

Commit

Permalink
update config
Browse files Browse the repository at this point in the history
  • Loading branch information
noogen committed Sep 28, 2022
1 parent 159e2f0 commit ca4b741
Show file tree
Hide file tree
Showing 13 changed files with 279 additions and 255 deletions.
2 changes: 1 addition & 1 deletion Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -43,7 +43,7 @@ ADD ./files/etc/ /etc/
ADD ./files/root/ /root/
ADD ./files/sbin/ /sbin/

RUN bash /root/bin/placeholder-ssl.sh \
RUN bash /root/bin/dummycert.sh \
&& bash /etc/cron.daily/geoip2-update \
&& mkdir -p /app-start/etc \
&& mv /etc/nginx /app-start/etc/nginx \
Expand Down
64 changes: 0 additions & 64 deletions files/etc/nginx/cdn-example.conf

This file was deleted.

Empty file.
2 changes: 2 additions & 0 deletions files/etc/nginx/include/resolvers.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# default resolver
resolver 8.8.8.8 8.8.4.4 ipv6=off;
7 changes: 7 additions & 0 deletions files/etc/nginx/include/ssl-ciphers.conf
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;
ssl_prefer_server_ciphers off;

# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
96 changes: 96 additions & 0 deletions files/etc/nginx/mime.types
Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
types {
text/html html htm shtml;
text/css css;
text/xml xml;
image/gif gif;
image/jpeg jpeg jpg;
application/javascript js;
application/atom+xml atom;
application/rss+xml rss;

text/mathml mml;
text/plain txt;
text/vnd.sun.j2me.app-descriptor jad;
text/vnd.wap.wml wml;
text/x-component htc;

image/png png;
image/svg+xml svg svgz;
image/tiff tif tiff;
image/vnd.wap.wbmp wbmp;
image/webp webp;
image/x-icon ico;
image/x-jng jng;
image/x-ms-bmp bmp;

font/woff woff;
font/woff2 woff2;

application/java-archive jar war ear;
application/json json;
application/mac-binhex40 hqx;
application/msword doc;
application/pdf pdf;
application/postscript ps eps ai;
application/rtf rtf;
application/vnd.apple.mpegurl m3u8;
application/vnd.google-earth.kml+xml kml;
application/vnd.google-earth.kmz kmz;
application/vnd.ms-excel xls;
application/vnd.ms-fontobject eot;
application/vnd.ms-powerpoint ppt;
application/vnd.oasis.opendocument.graphics odg;
application/vnd.oasis.opendocument.presentation odp;
application/vnd.oasis.opendocument.spreadsheet ods;
application/vnd.oasis.opendocument.text odt;
application/vnd.openxmlformats-officedocument.presentationml.presentation
pptx;
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
xlsx;
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
application/x-java-jnlp-file jnlp;
application/x-makeself run;
application/x-perl pl pm;
application/x-pilot prc pdb;
application/x-rar-compressed rar;
application/x-redhat-package-manager rpm;
application/x-sea sea;
application/x-shockwave-flash swf;
application/x-stuffit sit;
application/x-tcl tcl tk;
application/x-x509-ca-cert der pem crt;
application/x-xpinstall xpi;
application/xhtml+xml xhtml;
application/xspf+xml xspf;
application/zip zip;

application/octet-stream bin exe dll;
application/octet-stream deb;
application/octet-stream dmg;
application/octet-stream iso img;
application/octet-stream msi msp msm;

audio/midi mid midi kar;
audio/mpeg mp3;
audio/ogg ogg;
audio/x-m4a m4a;
audio/x-realaudio ra;

video/3gpp 3gpp 3gp;
video/mp2t ts;
video/mp4 mp4;
video/mpeg mpeg mpg;
video/quicktime mov;
video/webm webm;
video/x-flv flv;
video/x-m4v m4v;
video/x-mng mng;
video/x-ms-asf asx asf;
video/x-ms-wmv wmv;
video/x-msvideo avi;
}
123 changes: 50 additions & 73 deletions files/etc/nginx/nginx.new
Original file line number Diff line number Diff line change
Expand Up @@ -8,85 +8,62 @@ pid /var/run/nginx.pid;

# Worker config
events {
worker_connections 8192;
use epoll;
multi_accept on;
worker_connections 8192;
use epoll;
multi_accept on;
}

# Includes files with directives to load dynamic modules.
include /etc/nginx/modules/*.conf;

http {
# Main settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_header_timeout 1m;
client_body_timeout 1m;
client_header_buffer_size 2k;
client_body_buffer_size 256k;
client_max_body_size 256m;
large_client_header_buffers 4 8k;
send_timeout 30;
keepalive_timeout 60 60;
reset_timedout_connection on;
server_tokens off;
server_name_in_redirect off;
server_names_hash_max_size 512;
server_names_hash_bucket_size 512;

# Log format
log_format main '$time_iso8601 $remote_addr - $realip_remote_addr - $remote_user - $server_name '
'$host "$request" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" "upstream - $upstream_addr"';

access_log /var/log/nginx/access.log main;

# Mime settings
include /etc/nginx/mime.types;
default_type application/octet-stream;

# Compression settings - aggressively cache text file types
gzip on;
gzip_comp_level 9;
gzip_min_length 512;
gzip_buffers 8 64k;
gzip_types text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
gzip_proxied any;
gzip_disable "MSIE [1-6]\.";


# SSL PCI Compliance
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK";


# Error pages
error_page 403 /error/403.html;
error_page 404 /error/404.html;
error_page 502 503 504 /error/50x.html;


# Cache bypass
map $http_cookie $no_cache {
default 0;
~SESS 1;
~wordpress_logged_in 1;
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
server_tokens off;
tcp_nopush on;
tcp_nodelay on;
client_body_temp_path /tmp/nginx/body 1 2;
keepalive_timeout 90s;
proxy_connect_timeout 90s;
proxy_send_timeout 90s;
proxy_read_timeout 90s;
proxy_ignore_client_abort off;
gzip on;
client_max_body_size 2000m;
server_names_hash_bucket_size 1024;
proxy_http_version 1.1;
proxy_set_header X-Forwarded-Scheme $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Accept-Encoding "";
proxy_cache off;
proxy_cache_path /var/cache/nginx/public levels=1:2 keys_zone=public-cache:30m max_size=192m;
proxy_cache_path /var/cache/nginx/private levels=1:2 keys_zone=private-cache:5m max_size=1024m;

# Log formats
#
# # predefined combined format as example
# log_format combined '$remote_addr - $remote_user [$time_local] '
# '"$request" $status $body_bytes_sent '
# '"$http_referer" "$http_user_agent"';

log_format main '[$time_iso8601] $remote_addr - $realip_remote_addr - $remote_user - $server_name '
'$host "$request" $status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" "upstream - $upstream_addr"';


access_log /var/log/nginx/access.log main;

# Dynamically generated resolvers file
include /etc/nginx/conf.d/include/resolvers.conf;

# Default upstream scheme
map $host $forward_scheme {
default http;
}

# File cache settings
open_file_cache max=20000 inactive=20s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors off;

# Other settings
log_subrequest on;
rewrite_log on;

include /etc/nginx/cdn-ips.conf;
include /etc/nginx/cdn-ips.conf;

# Wildcard include
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*.conf;
include /etc/nginx/sites-enabled/*.conf;
}
1 change: 0 additions & 1 deletion files/etc/nginx/sites-enabled/1-geoip.conf
Original file line number Diff line number Diff line change
@@ -1,6 +1,5 @@
server {
listen 127.0.0.1:9081;
resolver 8.8.8.8 8.8.4.4;

location / {
charset utf-8;
Expand Down
Loading

0 comments on commit ca4b741

Please sign in to comment.