|
|
@@ -1,11 +1,13 @@
|
|
|
user admin;
|
|
|
worker_processes 1;
|
|
|
+worker_rlimit_nofile 65535;
|
|
|
error_log /usr/local/hestia/log/nginx-error.log;
|
|
|
pid /var/run/hestia-nginx.pid;
|
|
|
|
|
|
events {
|
|
|
worker_connections 128;
|
|
|
use epoll;
|
|
|
+ multi_accept on;
|
|
|
}
|
|
|
|
|
|
http {
|
|
|
@@ -13,20 +15,39 @@ http {
|
|
|
sendfile on;
|
|
|
tcp_nopush on;
|
|
|
tcp_nodelay on;
|
|
|
- client_header_timeout 1m;
|
|
|
- client_body_timeout 3m;
|
|
|
+ client_header_timeout 180s;
|
|
|
+ client_body_timeout 180s;
|
|
|
client_header_buffer_size 2k;
|
|
|
client_body_buffer_size 256k;
|
|
|
client_max_body_size 256m;
|
|
|
- large_client_header_buffers 4 8k;
|
|
|
- send_timeout 30;
|
|
|
- keepalive_timeout 60 60;
|
|
|
+ large_client_header_buffers 4 8k;
|
|
|
+ send_timeout 60s;
|
|
|
+ keepalive_timeout 30s;
|
|
|
+ keepalive_requests 100000;
|
|
|
reset_timedout_connection on;
|
|
|
server_tokens off;
|
|
|
server_name_in_redirect off;
|
|
|
server_names_hash_max_size 512;
|
|
|
server_names_hash_bucket_size 512;
|
|
|
-
|
|
|
+ charset utf-8;
|
|
|
+
|
|
|
+ fastcgi_buffers 4 256k;
|
|
|
+ fastcgi_buffer_size 256k;
|
|
|
+ fastcgi_busy_buffers_size 256k;
|
|
|
+ fastcgi_temp_file_write_size 256k;
|
|
|
+ fastcgi_connect_timeout 30s;
|
|
|
+ fastcgi_read_timeout 300s;
|
|
|
+ fastcgi_send_timeout 180s;
|
|
|
+
|
|
|
+ proxy_redirect off;
|
|
|
+ proxy_set_header Host $host;
|
|
|
+ proxy_set_header X-Real-IP $remote_addr;
|
|
|
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
+ proxy_pass_header Set-Cookie;
|
|
|
+ proxy_buffers 32 4k;
|
|
|
+ proxy_connect_timeout 30s;
|
|
|
+ proxy_read_timeout 300s;
|
|
|
+ proxy_send_timeout 180s;
|
|
|
|
|
|
# Log format
|
|
|
log_format main '$remote_addr - $remote_user [$time_local] $request '
|
|
|
@@ -34,74 +55,58 @@ http {
|
|
|
'"$http_user_agent" "$http_x_forwarded_for"';
|
|
|
log_format bytes '$body_bytes_sent';
|
|
|
access_log /usr/local/hestia/log/nginx-access.log main;
|
|
|
-
|
|
|
-
|
|
|
- # SSL PCI Compliance
|
|
|
- ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1;
|
|
|
- ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
|
|
|
- ssl_session_cache shared:SSL:10m;
|
|
|
- ssl_prefer_server_ciphers on;
|
|
|
-
|
|
|
-
|
|
|
+
|
|
|
# Mime settings
|
|
|
include /usr/local/hestia/nginx/conf/mime.types;
|
|
|
default_type application/octet-stream;
|
|
|
|
|
|
-
|
|
|
# Compression
|
|
|
gzip on;
|
|
|
- gzip_comp_level 9;
|
|
|
- gzip_min_length 512;
|
|
|
- gzip_buffers 8 64k;
|
|
|
- gzip_types text/plain text/css text/javascript
|
|
|
- application/x-javascript application/javascript;
|
|
|
+ gzip_static on;
|
|
|
+ gzip_vary on;
|
|
|
+ gzip_comp_level 6;
|
|
|
+ gzip_min_length 1024;
|
|
|
+ gzip_buffers 16 8k;
|
|
|
+ gzip_http_version 1.1;
|
|
|
+ gzip_types text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
|
|
|
gzip_proxied any;
|
|
|
+ gzip_disable "MSIE [1-6]\.";
|
|
|
|
|
|
-
|
|
|
- # Proxy settings
|
|
|
- proxy_redirect off;
|
|
|
- proxy_set_header Host $host;
|
|
|
- proxy_set_header X-Real-IP $remote_addr;
|
|
|
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
|
- proxy_pass_header Set-Cookie;
|
|
|
- proxy_connect_timeout 90;
|
|
|
- proxy_send_timeout 90;
|
|
|
- proxy_read_timeout 90;
|
|
|
- proxy_buffers 32 4k;
|
|
|
- fastcgi_read_timeout 300;
|
|
|
+ # SSL PCI Compliance
|
|
|
+ ssl_session_cache shared:SSL:10m;
|
|
|
+ ssl_session_timeout 10m;
|
|
|
+ ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
|
|
|
+ ssl_prefer_server_ciphers on;
|
|
|
+ ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
|
|
|
|
|
|
# Error pages
|
|
|
error_page 403 /error/403.html;
|
|
|
error_page 404 /error/404.html;
|
|
|
error_page 502 503 504 /error/50x.html;
|
|
|
|
|
|
-
|
|
|
# Vhost
|
|
|
server {
|
|
|
listen 8083 ssl;
|
|
|
server_name _;
|
|
|
root /usr/local/hestia/web;
|
|
|
- charset utf-8;
|
|
|
|
|
|
# Fix error "The plain HTTP request was sent to HTTPS port"
|
|
|
error_page 497 https://$host:$server_port$request_uri;
|
|
|
|
|
|
ssl_certificate /usr/local/hestia/ssl/certificate.crt;
|
|
|
ssl_certificate_key /usr/local/hestia/ssl/certificate.key;
|
|
|
- ssl_session_cache shared:SSL:10m;
|
|
|
- ssl_session_timeout 10m;
|
|
|
|
|
|
error_page 404 /error/404/index.html;
|
|
|
error_page 403 /error/index.html;
|
|
|
error_page 500 /error/index.html;
|
|
|
|
|
|
location / {
|
|
|
- expires max;
|
|
|
+ expires 1d;
|
|
|
index index.php;
|
|
|
}
|
|
|
|
|
|
location /error/ {
|
|
|
- expires max;
|
|
|
+ expires off;
|
|
|
index index.html;
|
|
|
}
|
|
|
|
Raphael Schneeberger