# Run as a less privileged user for security reasons. #user www-data; # The maximum number of connections for Nginx is calculated by: # max_clients = worker_processes * worker_connections # It is better if you set the worker_processes count 1 less than your cpu cores. You have other processes running as well! worker_processes 1; # Maximum open file descriptors per process; # should be > worker_connections. worker_rlimit_nofile 50000; pid /run/nginx.pid; events { # When you need > 8000 * cpu_cores connections, you start optimizing your OS, # and this is probably the point at which you hire people who are smarter than # you, as this is *a lot* of requests. worker_connections 4096 ; use epoll; # accept_mutex off; # Accept as many connections as possible. multi_accept on; } http { ############################################################################ General Settings # Define the MIME types for files. # Usually located at mime.types; include mime.types; default_type application/octet-stream; # Update charset_types due to updated mime.types charset_types text/xml text/plain text/vnd.wap.wml application/x-javascript application/rss+xml text/css application/javascript application/json; client_max_body_size 20m; client_body_buffer_size 128k; large_client_header_buffers 2 1k; ## Hide the Nginx version number. server_tokens off; server_names_hash_bucket_size 512; server_names_hash_max_size 512; server_name_in_redirect off; variables_hash_max_size 2048; variables_hash_bucket_size 64; # Speed up file transfers by using sendfile() to copy directly # between descriptors rather than using read()/write(). sendfile on; # Tell Nginx not to send out partial frames; this increases throughput # since TCP frames are filled up before being sent out. (adds TCP_CORK) tcp_nopush on; # Tell Nginx to enable the Nagle buffering algorithm for TCP packets, which # collates several smaller packets together into one larger packet, thus saving # bandwidth at the cost of a nearly imperceptible increase to latency. (removes TCP_NODELAY) tcp_nodelay on; # Don't put the IP to the end of url when there's a redirection port_in_redirect off; # Let's make a lot of keepalive requests possible keepalive_requests 100000; # How long to allow each connection to stay idle; longer values are better # for each individual client, particularly for SSL, but means that worker # connections are tied up longer. (Default: 65) keepalive_timeout 30; client_body_timeout 30; client_header_timeout 60; send_timeout 30; ## Reset lingering timed out connections. Deflect DDoS. reset_timedout_connection on; ############################################################################ Gzip Settings # Enable Gzip compressed. # Pagespeed might not allow us to turn it on gzip on; gzip_buffers 16 8k; # This feature allow you to use static GZipped versions of your files (you need to create them yourself) and serve those gzipped files directly through Nginx. Nginx just looks for a filename identical to the one requested by the browsers, but with a “.gz” extension (eg. if 'index.html' is requested, nginx will look for a 'index.html.gz' file next to it). If it exists, Nginx serves this -already compressed- file and does not perform gzip compression, thus reducing CPU overhead and response time. gzip_static on; # Enable compression both for HTTP/1.0 and HTTP/1.1 (required for CloudFront). gzip_http_version 1.1; # Compression level (1-9). # 5 is a perfect compromise between size and cpu usage, offering about # 75% reduction for most ascii files (almost identical to level 9). gzip_comp_level 7; # Don't compress anything that's already small and unlikely to shrink much # if at all (the default is 20 bytes, which is bad as that usually leads to # larger files after gzipping). gzip_min_length 1064; # Compress data even for clients that are connecting to us via proxies, # identified by the "Via" header (required for CloudFront). gzip_proxied expired no-cache no-store private auth; # Tell proxies to cache both the gzipped and regular version of a resource # whenever the clients Accept-Encoding capabilities header varies; # Avoids the issue where a non-gzip capable client (which is extremely rare # today) would display gibberish if their proxy gave them the gzipped version. gzip_vary on; # Disable gzip for non-supporting browsers. gzip_disable "MSIE [1-6]\."; # Compress all output labeled with one of the following MIME-types. gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/x-javascript application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon image/bmp text/css text/richtext text/xsd text/xsl text/xml text/plain text/x-component text/javascript; #text/html is always compressed by HttpGzipModule ############################################################################ Caching # Define a cache path for fastcgi caching under the zone name microcache fastcgi_cache_path /var/cache/nginx/ levels=1:2 keys_zone=microcache:10m max_size=1000m inactive=60m; proxy_cache_path /var/cache/nginx/proxy/ levels=1:2 keys_zone=proxy:10m; # Improve static content handling by caching metadata, not the files itself open_file_cache max=1000 inactive=1h; open_file_cache_valid 2h; open_file_cache_min_uses 1; open_file_cache_errors on; # Define a zone for limiting the number of simultaneous # connections nginx accepts. 1m means 32000 simultaneous # sessions. We need to define for each server the limit_conn # value refering to this or other zones. # ** This syntax requires nginx version >= # ** 1.1.8. Cf. http://nginx.org/en/CHANGES. If using an older # ** version then use the limit_zone directive below # ** instead. Comment out this # ** one if not using nginx version >= 1.1.8. # limit_conn_zone $binary_remote_addr zone=arbeit:10m; # For the filefield_nginx_progress module to work. From the # README. Reserve 1MB under the name 'uploads' to track uploads. # upload_progress uploads 1m; ############################################################################ Security # Enable the builtin cross-site scripting (XSS) filter available # in modern browsers. Usually enabled by default we just # reinstate in case it has been somehow disabled for this # particular server instance. # https://www.owasp.org/index.php/List_of_useful_HTTP_headers. add_header X-XSS-Protection '1; mode=block'; # Enable clickjacking protection in modern browsers. Available in # IE8 also. See # https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header # This may conflicts with pseudo streaming (at least with Nginx version 1.0.12). # Uncomment the line below if you are not using media streaming. # For sites being framing on the same domqin uncomment the line below. #add_header X-Frame-Options SAMEORIGIN; # For sites accepting to be framed in any context comment the # line below. add_header X-Frame-Options DENY; ## Block MIME type sniffing on IE. add_header X-Content-Options nosniff; ############################################################################ Logging log_format custom '$remote_addr - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent"'; #log_format varnish_log '$http_x_forwarded_for - $remote_user [$time_local] ' '"$request" $status $body_bytes_sent "$http_referer" ' ; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; ############################################################################ Pagespeed # Edit this file to add your domain. # https://developers.google.com/speed/pagespeed/module/domains # include conf.d/pagespeed/pagespeed.conf; # Virtual Host Configs include conf.d/*.conf; # include sites-enabled/*; ############################################################################ CLOUDFLARE GET REALIP PROBE # include nomad-conf/realip.add; }