nginx
server {
    listen 80;
    server_name domain.com www.domain.com;
    # Plain-HTTP traffic is only redirected or used for ACME, so it is not logged.
    access_log /dev/null;
    # 444 is nginx-specific: close the connection without sending a response.
    # Note OPTIONS is rejected here but allowed on the TLS server below.
    if ($request_method !~ ^(GET|HEAD|POST)$ ) {
        return 444;
    }
    # HTTP-01 challenge files are served from a shared directory over plain
    # HTTP so certificate renewal keeps working; everything else goes to HTTPS.
    location ^~ /.well-known/acme-challenge/ {
        alias /data/www/common/;
        try_files $uri =404;
    }
    location / {
        # Temporary (302) redirect to the canonical HTTPS host. The original
        # query string is appended by rewrite unless the replacement ends in "?".
        # Switch to the permanent (301) form once HTTPS is known to be stable,
        # since browsers cache a 301.
        rewrite ^/(.*)$ https://domain.com/$1 redirect; # 302
        # rewrite ^/(.*)$ https://domain.com/$1 permanent; #301
    }
}
server {
    listen 443 ssl http2;
    server_name domain.com www.domain.com;
    root /data/www/domain;
    index index.html index.htm;
    # include conf.d/blacklist.conf;
    # dehydrated
    # Certificate chain and private key; the key file should be readable only
    # by the user the nginx master process runs as.
    ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem;
    # Protocol, cipher and security-header settings shared by TLS vhosts.
    include conf.d/ssl.conf;
    access_log /data/log/nginx/domain.access.log main;
    if ($request_method !~ ^(GET|HEAD|POST|OPTIONS)$ ) {
        return 444;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
        # No add_header here, so the headers set in ssl.conf are inherited
        # (nginx inherits add_header only when the location defines none).
    }
}
# Workers run as the build-time default user (nobody) unless set here.
#user nobody;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
# Per-worker open-file limit; sized to match worker_connections below.
worker_rlimit_nofile 51200;
events {
    use epoll;
    worker_connections 51200;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    charset utf-8;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;
    # tengine
    # server_info / server_tag are Tengine-only directives; stock nginx
    # rejects them as unknown directives at startup.
    server_info off;
    server_tag off;
    # NOTE(review): compressing TLS responses that mix secrets with
    # attacker-influenced content exposes them to BREACH-style attacks.
    # The types below are static assets, XML and JSON; confirm that no
    # per-user secrets are served under them with compression on.
    gzip on;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_min_length 1k;
    gzip_proxied any;
    gzip_http_version 1.0;
    gzip_disable "msie6";
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;
    server_names_hash_bucket_size 128;
    # Bounds on client-supplied headers and bodies.
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    client_max_body_size 50m;
    # $http_x_forwarded_for is a client-supplied header and can be forged;
    # log consumers should only trust it when a known proxy in front sets it.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 60;
    # Upstream (php-fpm) timeouts and buffering; 300s is generous and ties
    # up a worker connection for that long on a stalled backend.
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;
    # Catch-all for port 80 (unknown Host, or the bare IP): redirect to the
    # canonical HTTPS host. "_" never matches a real name; this block is the
    # port-80 default only because it precedes the included vhosts.
    # NOTE(review): `listen 80 default_server;` would make that explicit.
    server {
        listen 80;
        server_name _ server_ip;
        rewrite ^(.*) https://domain.com$request_uri permanent;
    }
    include /etc/nginx/vhost/*.conf;
}
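location ~ \.php$ {
    # Only hand requests to php-fpm when the target file actually exists.
    # Without this, a request for a non-PHP file with a ".php" path-info
    # suffix reaches php-fpm, which (with cgi.fix_pathinfo=1, the PHP
    # default) may execute that file as PHP. Pair with cgi.fix_pathinfo=0
    # and security.limit_extensions on the php-fpm side.
    try_files $uri =404;
    # fastcgi_pass 127.0.0.1:9000;
    # NOTE(review): the socket lives in the world-writable /tmp; a directory
    # owned by the service accounts (e.g. under /run) avoids anyone else
    # pre-creating or replacing the path.
    fastcgi_pass unix:/tmp/php-fpm.sock;
    fastcgi_index index.php;
    # Let error_page in the enclosing server handle php-fpm error responses.
    fastcgi_intercept_errors on;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}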
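ssl_session_cache shared:SSL:10m;
ssl_session_timeout 60m;
ssl_buffer_size 1400;
# Session tickets are encrypted with a key that nginx only regenerates on
# reload (unless ssl_session_ticket_key rotates it), so resumed sessions stay
# decryptable for as long as that key lives. The shared cache above already
# provides resumption, so tickets are off.
ssl_session_tickets off;
# TLS 1.0 and 1.1 are deprecated (RFC 8996); offer 1.2 only. Add TLSv1.3
# here once the nginx/OpenSSL build in use supports it.
ssl_protocols TLSv1.2;
ssl_stapling on;
ssl_stapling_verify on;
# NOTE(review): ssl_stapling_verify needs the issuer chain configured via
# ssl_trusted_certificate if it is not already in the certificate chain file.
# The resolver is used for the OCSP responder lookup; plain DNS to a public
# resolver is unauthenticated, so a local validating resolver is preferable.
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
# Forward-secret AEAD suites only. The previous list also offered CBC-mode
# suites, 3DES (DES-CBC3-SHA) and static-RSA key exchange (AES*, CAMELLIA*),
# none of which TLS 1.2 clients need. Unknown suite names are ignored by
# OpenSSL, so the CHACHA20 entries are harmless on older builds.
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH";
ssl_prefer_server_ciphers on;
# spdy_keepalive_timeout 300;
# spdy_headers_comp 9;
# "always" makes nginx send these on error responses too; by default
# add_header only applies to success and redirect responses. HSTS max-age is
# two years; includeSubDomains/preload are not set since they affect every
# subdomain and should be a per-deployment decision.
add_header Strict-Transport-Security max-age=63072000 always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;
# Only used by DHE suites (none in the list above); kept so that adding a
# DHE suite later still gets a strong group. Generate with:
#   openssl dhparam -out dhparams.pem 4096
ssl_dhparam /data/certs/dhparams.pem;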