Nginx (security) optimizations

install/debian/8/nginx/nginx.conf

@@ -2,10 +2,9 @@
 user                    www-data;
 worker_processes        auto;
 worker_rlimit_nofile    65535;
-error_log               /var/log/nginx/error.log crit;
+error_log               /var/log/nginx/error.log;
 pid                     /var/run/nginx.pid;
 
-
 # Worker config
 events {
         worker_connections  1024;
@@ -13,46 +12,68 @@ events {
         multi_accept        on;
 }
 
-
 http {
     # Main settings
     sendfile                        on;
     tcp_nopush                      on;
     tcp_nodelay                     on;
-    client_header_timeout           1m;
-    client_body_timeout             1m;
+    client_header_timeout           180s;
+    client_body_timeout             180s;
     client_header_buffer_size       2k;
     client_body_buffer_size         256k;
     client_max_body_size            256m;
-    large_client_header_buffers     4   8k;
-    send_timeout                    30;
-    keepalive_timeout               60 60;
+    large_client_header_buffers     4 8k;
+    send_timeout                    60s;
+    keepalive_timeout               30s;
+    keepalive_requests              100000;
     reset_timedout_connection       on;
     server_tokens                   off;
     server_name_in_redirect         off;
     server_names_hash_max_size      512;
     server_names_hash_bucket_size   512;
-
+    charset                         utf-8;
+    
+    fastcgi_buffers                 4 256k;
+    fastcgi_buffer_size             256k;
+    fastcgi_busy_buffers_size       256k;
+    fastcgi_temp_file_write_size    256k;
+    fastcgi_connect_timeout         30s;
+    fastcgi_read_timeout            300s;
+    fastcgi_send_timeout            180s;
+    fastcgi_cache_lock              on;
+    fastcgi_cache_lock_timeout      5s;
+    
+    proxy_redirect                  off;
+    proxy_set_header                Host $host;
+    proxy_set_header                X-Real-IP $remote_addr;
+    proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_pass_header               Set-Cookie;
+    proxy_buffers                   32 4k;
+    proxy_connect_timeout           30s;
+    proxy_read_timeout              300s;
+    proxy_send_timeout              180s;
 
     # Log format
     log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                         '"$status" $body_bytes_sent "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for"';
     log_format  bytes   '$body_bytes_sent';
-    #access_log          /var/log/nginx/access.log main;
+    log_not_found off;
     access_log off;
-
+    #access_log         /var/log/nginx/access.log main;
 
     # Mime settings
     include             /etc/nginx/mime.types;
     default_type        application/octet-stream;
 
-
     # Compression
     gzip                on;
-    gzip_comp_level     9;
-    gzip_min_length     512;
-    gzip_buffers        8 64k;
+    gzip_static         on;
+    gzip_vary           on;
+    gzip_comp_level     6;
+    gzip_min_length     1024;
+    gzip_buffers        16 8k;
+    gzip_http_version   1.1;
     gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
     gzip_proxied        any;
     gzip_disable        "MSIE [1-6]\.";
@@ -63,52 +84,48 @@ http {
     proxy_set_header    X-Real-IP       $remote_addr;
     proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass_header   Set-Cookie;
-    proxy_connect_timeout   90;
-    proxy_send_timeout  90;
-    proxy_read_timeout  90;
+    proxy_connect_timeout 90s;
+    proxy_send_timeout  90s;
+    proxy_read_timeout  90s;
     proxy_buffers       32 4k;
 
-
     # Cloudflare https://www.cloudflare.com/ips
-    set_real_ip_from   199.27.128.0/21;
-    set_real_ip_from   173.245.48.0/20;
-    set_real_ip_from   103.21.244.0/22;
-    set_real_ip_from   103.22.200.0/22;
-    set_real_ip_from   103.31.4.0/22;
-    set_real_ip_from   141.101.64.0/18;
-    set_real_ip_from   108.162.192.0/18;
-    set_real_ip_from   190.93.240.0/20;
-    set_real_ip_from   188.114.96.0/20;  
-    set_real_ip_from   197.234.240.0/22;
-    set_real_ip_from   198.41.128.0/17;
-    set_real_ip_from   162.158.0.0/15;
-    set_real_ip_from   104.16.0.0/12;
-    set_real_ip_from   172.64.0.0/13;
-    #set_real_ip_from   2400:cb00::/32;
-    #set_real_ip_from   2606:4700::/32;
-    #set_real_ip_from   2803:f800::/32;
-    #set_real_ip_from   2405:b500::/32;
-    #set_real_ip_from   2405:8100::/32;
+    set_real_ip_from 103.21.244.0/22;
+    set_real_ip_from 103.22.200.0/22;
+    set_real_ip_from 103.31.4.0/22;
+    set_real_ip_from 104.16.0.0/12;
+    set_real_ip_from 108.162.192.0/18;
+    set_real_ip_from 131.0.72.0/22;
+    set_real_ip_from 141.101.64.0/18;
+    set_real_ip_from 162.158.0.0/15;
+    set_real_ip_from 172.64.0.0/13;
+    set_real_ip_from 173.245.48.0/20;
+    set_real_ip_from 188.114.96.0/20;
+    set_real_ip_from 190.93.240.0/20;
+    set_real_ip_from 197.234.240.0/22;
+    set_real_ip_from 198.41.128.0/17;
+    #set_real_ip_from  2400:cb00::/32;
+    #set_real_ip_from  2405:b500::/32;
+    #set_real_ip_from  2606:4700::/32;
+    #set_real_ip_from  2803:f800::/32;
+    #set_real_ip_from  2c0f:f248::/32;
+    #set_real_ip_from  2a06:98c0::/29;
     real_ip_header     CF-Connecting-IP;
 
-
-    # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
-    # ssl_dhparam /etc/ssl/dhparam.pem;
-
+    #openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+    #ssl_dhparam /etc/ssl/dhparam.pem;
 
     # SSL PCI Compliance
     ssl_session_cache   shared:SSL:10m;
     ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
-    ssl_ciphers        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-
+    ssl_ciphers        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
 
     # Error pages
     error_page          403          /error/403.html;
     error_page          404          /error/404.html;
     error_page          502 503 504  /error/50x.html;
 
-
     # Cache settings
     proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
     proxy_cache_key "$host$request_uri $cookie_user";
@@ -116,8 +133,7 @@ http {
     proxy_ignore_headers Expires Cache-Control;
     proxy_cache_use_stale error timeout invalid_header http_502;
     proxy_cache_valid any 1d;
-
-
+    
     # Cache bypass
     map $http_cookie $no_cache {
         default 0;
@@ -125,14 +141,12 @@ http {
         ~wordpress_logged_in 1;
     }
 
-
     # File cache settings
     open_file_cache          max=10000 inactive=30s;
     open_file_cache_valid    60s;
     open_file_cache_min_uses 2;
     open_file_cache_errors   off;
 
-
     # Wildcard include
     include             /etc/nginx/conf.d/*.conf;
-}
+}

install/debian/9/nginx/nginx.conf

@@ -2,10 +2,9 @@
 user                    www-data;
 worker_processes        auto;
 worker_rlimit_nofile    65535;
-error_log               /var/log/nginx/error.log crit;
+error_log               /var/log/nginx/error.log;
 pid                     /var/run/nginx.pid;
 
-
 # Worker config
 events {
         worker_connections  1024;
@@ -13,46 +12,68 @@ events {
         multi_accept        on;
 }
 
-
 http {
     # Main settings
     sendfile                        on;
     tcp_nopush                      on;
     tcp_nodelay                     on;
-    client_header_timeout           1m;
-    client_body_timeout             1m;
+    client_header_timeout           180s;
+    client_body_timeout             180s;
     client_header_buffer_size       2k;
     client_body_buffer_size         256k;
     client_max_body_size            256m;
-    large_client_header_buffers     4   8k;
-    send_timeout                    30;
-    keepalive_timeout               60 60;
+    large_client_header_buffers     4 8k;
+    send_timeout                    60s;
+    keepalive_timeout               30s;
+    keepalive_requests              100000;
     reset_timedout_connection       on;
     server_tokens                   off;
     server_name_in_redirect         off;
     server_names_hash_max_size      512;
     server_names_hash_bucket_size   512;
-
+    charset                         utf-8;
+    
+    fastcgi_buffers                 4 256k;
+    fastcgi_buffer_size             256k;
+    fastcgi_busy_buffers_size       256k;
+    fastcgi_temp_file_write_size    256k;
+    fastcgi_connect_timeout         30s;
+    fastcgi_read_timeout            300s;
+    fastcgi_send_timeout            180s;
+    fastcgi_cache_lock              on;
+    fastcgi_cache_lock_timeout      5s;
+    
+    proxy_redirect                  off;
+    proxy_set_header                Host $host;
+    proxy_set_header                X-Real-IP $remote_addr;
+    proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_pass_header               Set-Cookie;
+    proxy_buffers                   32 4k;
+    proxy_connect_timeout           30s;
+    proxy_read_timeout              300s;
+    proxy_send_timeout              180s;
 
     # Log format
     log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                         '"$status" $body_bytes_sent "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for"';
     log_format  bytes   '$body_bytes_sent';
-    #access_log          /var/log/nginx/access.log main;
+    log_not_found off;
     access_log off;
-
+    #access_log         /var/log/nginx/access.log main;
 
     # Mime settings
     include             /etc/nginx/mime.types;
     default_type        application/octet-stream;
 
-
     # Compression
     gzip                on;
-    gzip_comp_level     9;
-    gzip_min_length     512;
-    gzip_buffers        8 64k;
+    gzip_static         on;
+    gzip_vary           on;
+    gzip_comp_level     6;
+    gzip_min_length     1024;
+    gzip_buffers        16 8k;
+    gzip_http_version   1.1;
     gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
     gzip_proxied        any;
     gzip_disable        "MSIE [1-6]\.";
@@ -63,52 +84,48 @@ http {
     proxy_set_header    X-Real-IP       $remote_addr;
     proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass_header   Set-Cookie;
-    proxy_connect_timeout   90;
-    proxy_send_timeout  90;
-    proxy_read_timeout  90;
+    proxy_connect_timeout 90s;
+    proxy_send_timeout  90s;
+    proxy_read_timeout  90s;
     proxy_buffers       32 4k;
 
-
     # Cloudflare https://www.cloudflare.com/ips
-    set_real_ip_from   199.27.128.0/21;
-    set_real_ip_from   173.245.48.0/20;
-    set_real_ip_from   103.21.244.0/22;
-    set_real_ip_from   103.22.200.0/22;
-    set_real_ip_from   103.31.4.0/22;
-    set_real_ip_from   141.101.64.0/18;
-    set_real_ip_from   108.162.192.0/18;
-    set_real_ip_from   190.93.240.0/20;
-    set_real_ip_from   188.114.96.0/20;  
-    set_real_ip_from   197.234.240.0/22;
-    set_real_ip_from   198.41.128.0/17;
-    set_real_ip_from   162.158.0.0/15;
-    set_real_ip_from   104.16.0.0/12;
-    set_real_ip_from   172.64.0.0/13;
-    #set_real_ip_from   2400:cb00::/32;
-    #set_real_ip_from   2606:4700::/32;
-    #set_real_ip_from   2803:f800::/32;
-    #set_real_ip_from   2405:b500::/32;
-    #set_real_ip_from   2405:8100::/32;
+    set_real_ip_from 103.21.244.0/22;
+    set_real_ip_from 103.22.200.0/22;
+    set_real_ip_from 103.31.4.0/22;
+    set_real_ip_from 104.16.0.0/12;
+    set_real_ip_from 108.162.192.0/18;
+    set_real_ip_from 131.0.72.0/22;
+    set_real_ip_from 141.101.64.0/18;
+    set_real_ip_from 162.158.0.0/15;
+    set_real_ip_from 172.64.0.0/13;
+    set_real_ip_from 173.245.48.0/20;
+    set_real_ip_from 188.114.96.0/20;
+    set_real_ip_from 190.93.240.0/20;
+    set_real_ip_from 197.234.240.0/22;
+    set_real_ip_from 198.41.128.0/17;
+    #set_real_ip_from  2400:cb00::/32;
+    #set_real_ip_from  2405:b500::/32;
+    #set_real_ip_from  2606:4700::/32;
+    #set_real_ip_from  2803:f800::/32;
+    #set_real_ip_from  2c0f:f248::/32;
+    #set_real_ip_from  2a06:98c0::/29;
     real_ip_header     CF-Connecting-IP;
 
-
-    # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
-    # ssl_dhparam /etc/ssl/dhparam.pem;
-
+    #openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+    #ssl_dhparam /etc/ssl/dhparam.pem;
 
     # SSL PCI Compliance
     ssl_session_cache   shared:SSL:10m;
     ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
-    ssl_ciphers        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-
+    ssl_ciphers        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
 
     # Error pages
     error_page          403          /error/403.html;
     error_page          404          /error/404.html;
     error_page          502 503 504  /error/50x.html;
 
-
     # Cache settings
     proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
     proxy_cache_key "$host$request_uri $cookie_user";
@@ -116,8 +133,7 @@ http {
     proxy_ignore_headers Expires Cache-Control;
     proxy_cache_use_stale error timeout invalid_header http_502;
     proxy_cache_valid any 1d;
-
-
+    
     # Cache bypass
     map $http_cookie $no_cache {
         default 0;
@@ -125,14 +141,12 @@ http {
         ~wordpress_logged_in 1;
     }
 
-
     # File cache settings
     open_file_cache          max=10000 inactive=30s;
     open_file_cache_valid    60s;
     open_file_cache_min_uses 2;
     open_file_cache_errors   off;
 
-
     # Wildcard include
     include             /etc/nginx/conf.d/*.conf;
-}
+}

install/ubuntu/14.04/nginx/nginx.conf

@@ -2,10 +2,9 @@
 user                    www-data;
 worker_processes        auto;
 worker_rlimit_nofile    65535;
-error_log               /var/log/nginx/error.log crit;
+error_log               /var/log/nginx/error.log;
 pid                     /var/run/nginx.pid;
 
-
 # Worker config
 events {
         worker_connections  1024;
@@ -13,46 +12,68 @@ events {
         multi_accept        on;
 }
 
-
 http {
     # Main settings
     sendfile                        on;
     tcp_nopush                      on;
     tcp_nodelay                     on;
-    client_header_timeout           1m;
-    client_body_timeout             1m;
+    client_header_timeout           180s;
+    client_body_timeout             180s;
     client_header_buffer_size       2k;
     client_body_buffer_size         256k;
     client_max_body_size            256m;
-    large_client_header_buffers     4   8k;
-    send_timeout                    30;
-    keepalive_timeout               60 60;
+    large_client_header_buffers     4 8k;
+    send_timeout                    60s;
+    keepalive_timeout               30s;
+    keepalive_requests              100000;
     reset_timedout_connection       on;
     server_tokens                   off;
     server_name_in_redirect         off;
     server_names_hash_max_size      512;
     server_names_hash_bucket_size   512;
-
+    charset                         utf-8;
+    
+    fastcgi_buffers                 4 256k;
+    fastcgi_buffer_size             256k;
+    fastcgi_busy_buffers_size       256k;
+    fastcgi_temp_file_write_size    256k;
+    fastcgi_connect_timeout         30s;
+    fastcgi_read_timeout            300s;
+    fastcgi_send_timeout            180s;
+    fastcgi_cache_lock              on;
+    fastcgi_cache_lock_timeout      5s;
+    
+    proxy_redirect                  off;
+    proxy_set_header                Host $host;
+    proxy_set_header                X-Real-IP $remote_addr;
+    proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_pass_header               Set-Cookie;
+    proxy_buffers                   32 4k;
+    proxy_connect_timeout           30s;
+    proxy_read_timeout              300s;
+    proxy_send_timeout              180s;
 
     # Log format
     log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                         '"$status" $body_bytes_sent "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for"';
     log_format  bytes   '$body_bytes_sent';
-    #access_log          /var/log/nginx/access.log main;
+    log_not_found off;
     access_log off;
-
+    #access_log         /var/log/nginx/access.log main;
 
     # Mime settings
     include             /etc/nginx/mime.types;
     default_type        application/octet-stream;
 
-
     # Compression
     gzip                on;
-    gzip_comp_level     9;
-    gzip_min_length     512;
-    gzip_buffers        8 64k;
+    gzip_static         on;
+    gzip_vary           on;
+    gzip_comp_level     6;
+    gzip_min_length     1024;
+    gzip_buffers        16 8k;
+    gzip_http_version   1.1;
     gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
     gzip_proxied        any;
     gzip_disable        "MSIE [1-6]\.";
@@ -63,52 +84,48 @@ http {
     proxy_set_header    X-Real-IP       $remote_addr;
     proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass_header   Set-Cookie;
-    proxy_connect_timeout   90;
-    proxy_send_timeout  90;
-    proxy_read_timeout  90;
+    proxy_connect_timeout 90s;
+    proxy_send_timeout  90s;
+    proxy_read_timeout  90s;
     proxy_buffers       32 4k;
 
-
     # Cloudflare https://www.cloudflare.com/ips
-    set_real_ip_from   199.27.128.0/21;
-    set_real_ip_from   173.245.48.0/20;
-    set_real_ip_from   103.21.244.0/22;
-    set_real_ip_from   103.22.200.0/22;
-    set_real_ip_from   103.31.4.0/22;
-    set_real_ip_from   141.101.64.0/18;
-    set_real_ip_from   108.162.192.0/18;
-    set_real_ip_from   190.93.240.0/20;
-    set_real_ip_from   188.114.96.0/20;  
-    set_real_ip_from   197.234.240.0/22;
-    set_real_ip_from   198.41.128.0/17;
-    set_real_ip_from   162.158.0.0/15;
-    set_real_ip_from   104.16.0.0/12;
-    set_real_ip_from   172.64.0.0/13;
-    #set_real_ip_from   2400:cb00::/32;
-    #set_real_ip_from   2606:4700::/32;
-    #set_real_ip_from   2803:f800::/32;
-    #set_real_ip_from   2405:b500::/32;
-    #set_real_ip_from   2405:8100::/32;
+    set_real_ip_from 103.21.244.0/22;
+    set_real_ip_from 103.22.200.0/22;
+    set_real_ip_from 103.31.4.0/22;
+    set_real_ip_from 104.16.0.0/12;
+    set_real_ip_from 108.162.192.0/18;
+    set_real_ip_from 131.0.72.0/22;
+    set_real_ip_from 141.101.64.0/18;
+    set_real_ip_from 162.158.0.0/15;
+    set_real_ip_from 172.64.0.0/13;
+    set_real_ip_from 173.245.48.0/20;
+    set_real_ip_from 188.114.96.0/20;
+    set_real_ip_from 190.93.240.0/20;
+    set_real_ip_from 197.234.240.0/22;
+    set_real_ip_from 198.41.128.0/17;
+    #set_real_ip_from  2400:cb00::/32;
+    #set_real_ip_from  2405:b500::/32;
+    #set_real_ip_from  2606:4700::/32;
+    #set_real_ip_from  2803:f800::/32;
+    #set_real_ip_from  2c0f:f248::/32;
+    #set_real_ip_from  2a06:98c0::/29;
     real_ip_header     CF-Connecting-IP;
 
-
-    # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
-    # ssl_dhparam /etc/ssl/dhparam.pem;
-
+    #openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+    #ssl_dhparam /etc/ssl/dhparam.pem;
 
     # SSL PCI Compliance
     ssl_session_cache   shared:SSL:10m;
     ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
-    ssl_ciphers        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-
+    ssl_ciphers        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
 
     # Error pages
     error_page          403          /error/403.html;
     error_page          404          /error/404.html;
     error_page          502 503 504  /error/50x.html;
 
-
     # Cache settings
     proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
     proxy_cache_key "$host$request_uri $cookie_user";
@@ -116,8 +133,7 @@ http {
     proxy_ignore_headers Expires Cache-Control;
     proxy_cache_use_stale error timeout invalid_header http_502;
     proxy_cache_valid any 1d;
-
-
+    
     # Cache bypass
     map $http_cookie $no_cache {
         default 0;
@@ -125,14 +141,12 @@ http {
         ~wordpress_logged_in 1;
     }
 
-
     # File cache settings
     open_file_cache          max=10000 inactive=30s;
     open_file_cache_valid    60s;
     open_file_cache_min_uses 2;
     open_file_cache_errors   off;
 
-
     # Wildcard include
     include             /etc/nginx/conf.d/*.conf;
-}
+}

install/ubuntu/16.04/nginx/nginx.conf

@@ -2,10 +2,9 @@
 user                    www-data;
 worker_processes        auto;
 worker_rlimit_nofile    65535;
-error_log               /var/log/nginx/error.log crit;
+error_log               /var/log/nginx/error.log;
 pid                     /var/run/nginx.pid;
 
-
 # Worker config
 events {
         worker_connections  1024;
@@ -13,46 +12,68 @@ events {
         multi_accept        on;
 }
 
-
 http {
     # Main settings
     sendfile                        on;
     tcp_nopush                      on;
     tcp_nodelay                     on;
-    client_header_timeout           1m;
-    client_body_timeout             1m;
+    client_header_timeout           180s;
+    client_body_timeout             180s;
     client_header_buffer_size       2k;
     client_body_buffer_size         256k;
     client_max_body_size            256m;
-    large_client_header_buffers     4   8k;
-    send_timeout                    30;
-    keepalive_timeout               60 60;
+    large_client_header_buffers     4 8k;
+    send_timeout                    60s;
+    keepalive_timeout               30s;
+    keepalive_requests              100000;
     reset_timedout_connection       on;
     server_tokens                   off;
     server_name_in_redirect         off;
     server_names_hash_max_size      512;
     server_names_hash_bucket_size   512;
-
+    charset                         utf-8;
+    
+    fastcgi_buffers                 4 256k;
+    fastcgi_buffer_size             256k;
+    fastcgi_busy_buffers_size       256k;
+    fastcgi_temp_file_write_size    256k;
+    fastcgi_connect_timeout         30s;
+    fastcgi_read_timeout            300s;
+    fastcgi_send_timeout            180s;
+    fastcgi_cache_lock              on;
+    fastcgi_cache_lock_timeout      5s;
+    
+    proxy_redirect                  off;
+    proxy_set_header                Host $host;
+    proxy_set_header                X-Real-IP $remote_addr;
+    proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_pass_header               Set-Cookie;
+    proxy_buffers                   32 4k;
+    proxy_connect_timeout           30s;
+    proxy_read_timeout              300s;
+    proxy_send_timeout              180s;
 
     # Log format
     log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                         '"$status" $body_bytes_sent "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for"';
     log_format  bytes   '$body_bytes_sent';
-    #access_log          /var/log/nginx/access.log main;
+    log_not_found off;
     access_log off;
-
+    #access_log         /var/log/nginx/access.log main;
 
     # Mime settings
     include             /etc/nginx/mime.types;
     default_type        application/octet-stream;
 
-
     # Compression
     gzip                on;
-    gzip_comp_level     9;
-    gzip_min_length     512;
-    gzip_buffers        8 64k;
+    gzip_static         on;
+    gzip_vary           on;
+    gzip_comp_level     6;
+    gzip_min_length     1024;
+    gzip_buffers        16 8k;
+    gzip_http_version   1.1;
     gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
     gzip_proxied        any;
     gzip_disable        "MSIE [1-6]\.";
@@ -63,52 +84,48 @@ http {
     proxy_set_header    X-Real-IP       $remote_addr;
     proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass_header   Set-Cookie;
-    proxy_connect_timeout   90;
-    proxy_send_timeout  90;
-    proxy_read_timeout  90;
+    proxy_connect_timeout 90s;
+    proxy_send_timeout  90s;
+    proxy_read_timeout  90s;
     proxy_buffers       32 4k;
 
-
     # Cloudflare https://www.cloudflare.com/ips
-    set_real_ip_from   199.27.128.0/21;
-    set_real_ip_from   173.245.48.0/20;
-    set_real_ip_from   103.21.244.0/22;
-    set_real_ip_from   103.22.200.0/22;
-    set_real_ip_from   103.31.4.0/22;
-    set_real_ip_from   141.101.64.0/18;
-    set_real_ip_from   108.162.192.0/18;
-    set_real_ip_from   190.93.240.0/20;
-    set_real_ip_from   188.114.96.0/20;  
-    set_real_ip_from   197.234.240.0/22;
-    set_real_ip_from   198.41.128.0/17;
-    set_real_ip_from   162.158.0.0/15;
-    set_real_ip_from   104.16.0.0/12;
-    set_real_ip_from   172.64.0.0/13;
-    #set_real_ip_from   2400:cb00::/32;
-    #set_real_ip_from   2606:4700::/32;
-    #set_real_ip_from   2803:f800::/32;
-    #set_real_ip_from   2405:b500::/32;
-    #set_real_ip_from   2405:8100::/32;
+    set_real_ip_from 103.21.244.0/22;
+    set_real_ip_from 103.22.200.0/22;
+    set_real_ip_from 103.31.4.0/22;
+    set_real_ip_from 104.16.0.0/12;
+    set_real_ip_from 108.162.192.0/18;
+    set_real_ip_from 131.0.72.0/22;
+    set_real_ip_from 141.101.64.0/18;
+    set_real_ip_from 162.158.0.0/15;
+    set_real_ip_from 172.64.0.0/13;
+    set_real_ip_from 173.245.48.0/20;
+    set_real_ip_from 188.114.96.0/20;
+    set_real_ip_from 190.93.240.0/20;
+    set_real_ip_from 197.234.240.0/22;
+    set_real_ip_from 198.41.128.0/17;
+    #set_real_ip_from  2400:cb00::/32;
+    #set_real_ip_from  2405:b500::/32;
+    #set_real_ip_from  2606:4700::/32;
+    #set_real_ip_from  2803:f800::/32;
+    #set_real_ip_from  2c0f:f248::/32;
+    #set_real_ip_from  2a06:98c0::/29;
     real_ip_header     CF-Connecting-IP;
 
-
-    # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
-    # ssl_dhparam /etc/ssl/dhparam.pem;
-
+    #openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+    #ssl_dhparam /etc/ssl/dhparam.pem;
 
     # SSL PCI Compliance
     ssl_session_cache   shared:SSL:10m;
     ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
-    ssl_ciphers        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-
+    ssl_ciphers        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
 
     # Error pages
     error_page          403          /error/403.html;
     error_page          404          /error/404.html;
     error_page          502 503 504  /error/50x.html;
 
-
     # Cache settings
     proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
     proxy_cache_key "$host$request_uri $cookie_user";
@@ -116,8 +133,7 @@ http {
     proxy_ignore_headers Expires Cache-Control;
     proxy_cache_use_stale error timeout invalid_header http_502;
     proxy_cache_valid any 1d;
-
-
+    
     # Cache bypass
     map $http_cookie $no_cache {
         default 0;
@@ -125,14 +141,12 @@ http {
         ~wordpress_logged_in 1;
     }
 
-
     # File cache settings
     open_file_cache          max=10000 inactive=30s;
     open_file_cache_valid    60s;
     open_file_cache_min_uses 2;
     open_file_cache_errors   off;
 
-
     # Wildcard include
     include             /etc/nginx/conf.d/*.conf;
-}
+}

install/ubuntu/18.04/nginx/nginx.conf

@@ -2,10 +2,9 @@
 user                    www-data;
 worker_processes        auto;
 worker_rlimit_nofile    65535;
-error_log               /var/log/nginx/error.log crit;
+error_log               /var/log/nginx/error.log;
 pid                     /var/run/nginx.pid;
 
-
 # Worker config
 events {
         worker_connections  1024;
@@ -13,46 +12,68 @@ events {
         multi_accept        on;
 }
 
-
 http {
     # Main settings
     sendfile                        on;
     tcp_nopush                      on;
     tcp_nodelay                     on;
-    client_header_timeout           1m;
-    client_body_timeout             1m;
+    client_header_timeout           180s;
+    client_body_timeout             180s;
     client_header_buffer_size       2k;
     client_body_buffer_size         256k;
     client_max_body_size            256m;
-    large_client_header_buffers     4   8k;
-    send_timeout                    30;
-    keepalive_timeout               60 60;
+    large_client_header_buffers     4 8k;
+    send_timeout                    60s;
+    keepalive_timeout               30s;
+    keepalive_requests              100000;
     reset_timedout_connection       on;
     server_tokens                   off;
     server_name_in_redirect         off;
     server_names_hash_max_size      512;
     server_names_hash_bucket_size   512;
-
+    charset                         utf-8;
+    
+    fastcgi_buffers                 4 256k;
+    fastcgi_buffer_size             256k;
+    fastcgi_busy_buffers_size       256k;
+    fastcgi_temp_file_write_size    256k;
+    fastcgi_connect_timeout         30s;
+    fastcgi_read_timeout            300s;
+    fastcgi_send_timeout            180s;
+    fastcgi_cache_lock              on;
+    fastcgi_cache_lock_timeout      5s;
+    
+    proxy_redirect                  off;
+    proxy_set_header                Host $host;
+    proxy_set_header                X-Real-IP $remote_addr;
+    proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_pass_header               Set-Cookie;
+    proxy_buffers                   32 4k;
+    proxy_connect_timeout           30s;
+    proxy_read_timeout              300s;
+    proxy_send_timeout              180s;
 
     # Log format
     log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                         '"$status" $body_bytes_sent "$http_referer" '
                         '"$http_user_agent" "$http_x_forwarded_for"';
     log_format  bytes   '$body_bytes_sent';
-    #access_log          /var/log/nginx/access.log main;
+    log_not_found off;
     access_log off;
-
+    #access_log         /var/log/nginx/access.log main;
 
     # Mime settings
     include             /etc/nginx/mime.types;
     default_type        application/octet-stream;
 
-
     # Compression
     gzip                on;
-    gzip_comp_level     9;
-    gzip_min_length     512;
-    gzip_buffers        8 64k;
+    gzip_static         on;
+    gzip_vary           on;
+    gzip_comp_level     6;
+    gzip_min_length     1024;
+    gzip_buffers        16 8k;
+    gzip_http_version   1.1;
     gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
     gzip_proxied        any;
     gzip_disable        "MSIE [1-6]\.";
@@ -63,52 +84,48 @@ http {
     proxy_set_header    X-Real-IP       $remote_addr;
     proxy_set_header    X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_pass_header   Set-Cookie;
-    proxy_connect_timeout   90;
-    proxy_send_timeout  90;
-    proxy_read_timeout  90;
+    proxy_connect_timeout 90s;
+    proxy_send_timeout  90s;
+    proxy_read_timeout  90s;
     proxy_buffers       32 4k;
 
-
     # Cloudflare https://www.cloudflare.com/ips
-    set_real_ip_from   199.27.128.0/21;
-    set_real_ip_from   173.245.48.0/20;
-    set_real_ip_from   103.21.244.0/22;
-    set_real_ip_from   103.22.200.0/22;
-    set_real_ip_from   103.31.4.0/22;
-    set_real_ip_from   141.101.64.0/18;
-    set_real_ip_from   108.162.192.0/18;
-    set_real_ip_from   190.93.240.0/20;
-    set_real_ip_from   188.114.96.0/20;  
-    set_real_ip_from   197.234.240.0/22;
-    set_real_ip_from   198.41.128.0/17;
-    set_real_ip_from   162.158.0.0/15;
-    set_real_ip_from   104.16.0.0/12;
-    set_real_ip_from   172.64.0.0/13;
-    #set_real_ip_from   2400:cb00::/32;
-    #set_real_ip_from   2606:4700::/32;
-    #set_real_ip_from   2803:f800::/32;
-    #set_real_ip_from   2405:b500::/32;
-    #set_real_ip_from   2405:8100::/32;
+    set_real_ip_from 103.21.244.0/22;
+    set_real_ip_from 103.22.200.0/22;
+    set_real_ip_from 103.31.4.0/22;
+    set_real_ip_from 104.16.0.0/12;
+    set_real_ip_from 108.162.192.0/18;
+    set_real_ip_from 131.0.72.0/22;
+    set_real_ip_from 141.101.64.0/18;
+    set_real_ip_from 162.158.0.0/15;
+    set_real_ip_from 172.64.0.0/13;
+    set_real_ip_from 173.245.48.0/20;
+    set_real_ip_from 188.114.96.0/20;
+    set_real_ip_from 190.93.240.0/20;
+    set_real_ip_from 197.234.240.0/22;
+    set_real_ip_from 198.41.128.0/17;
+    #set_real_ip_from  2400:cb00::/32;
+    #set_real_ip_from  2405:b500::/32;
+    #set_real_ip_from  2606:4700::/32;
+    #set_real_ip_from  2803:f800::/32;
+    #set_real_ip_from  2c0f:f248::/32;
+    #set_real_ip_from  2a06:98c0::/29;
     real_ip_header     CF-Connecting-IP;
 
-
-    # openssl dhparam 4096 -out /etc/ssl/dhparam.pem
-    # ssl_dhparam /etc/ssl/dhparam.pem;
-
+    #openssl dhparam 4096 -out /etc/ssl/dhparam.pem
+    #ssl_dhparam /etc/ssl/dhparam.pem;
 
     # SSL PCI Compliance
     ssl_session_cache   shared:SSL:10m;
     ssl_protocols       TLSv1.1 TLSv1.2 TLSv1.3;
     ssl_prefer_server_ciphers on;
-    ssl_ciphers        "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-
+    ssl_ciphers        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
 
     # Error pages
     error_page          403          /error/403.html;
     error_page          404          /error/404.html;
     error_page          502 503 504  /error/50x.html;
 
-
     # Cache settings
     proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
     proxy_cache_key "$host$request_uri $cookie_user";
@@ -116,8 +133,7 @@ http {
     proxy_ignore_headers Expires Cache-Control;
     proxy_cache_use_stale error timeout invalid_header http_502;
     proxy_cache_valid any 1d;
-
-
+    
     # Cache bypass
     map $http_cookie $no_cache {
         default 0;
@@ -125,14 +141,12 @@ http {
         ~wordpress_logged_in 1;
     }
 
-
     # File cache settings
     open_file_cache          max=10000 inactive=30s;
     open_file_cache_valid    60s;
     open_file_cache_min_uses 2;
     open_file_cache_errors   off;
 
-
     # Wildcard include
     include             /etc/nginx/conf.d/*.conf;
-}
+}