-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.conf
115 lines (99 loc) · 3.19 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
worker_processes auto;
worker_rlimit_nofile 65535;
events {
worker_connections 2048;
multi_accept on;
use epoll;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Performance optimizations
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
variables_hash_max_size 2048;
variables_hash_bucket_size 128;
# Buffer size optimizations
client_body_buffer_size 128k;
client_header_buffer_size 1k;
client_max_body_size 10M;
large_client_header_buffers 4 4k;
# Security headers
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Rate limiting and DDoS protection zones
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;
limit_req_zone $binary_remote_addr zone=ws_limit:10m rate=5r/s;
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
limit_req_status 429;
limit_conn_status 429;
# Block common attack patterns
map $http_user_agent $bad_bot {
default 0;
~*(curl|wget|python|nikto|sqlmap|nmap|xrumer|masscan|libwww|burpcollaborator) 1;
}
map $request_uri $bad_request {
default 0;
~*\.(php|asp|aspx|jsp|cgi)$ 1;
~*(/wp-admin|/wp-login|/administrator|/admin|/phpmyadmin|/xmlrpc\.php) 1;
}
# File cache settings
open_file_cache max=2000 inactive=20s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# Compression settings
gzip on;
gzip_vary on;
gzip_comp_level 6;
gzip_min_length 256;
gzip_proxied any;
gzip_types
application/javascript
application/json
application/x-javascript
application/xml
text/css
text/javascript
text/plain
text/xml;
# Security settings
server_tokens off;
client_body_timeout 10s;
client_header_timeout 10s;
send_timeout 10s;
reset_timedout_connection on;
proxy_connect_timeout 60s;
proxy_send_timeout 60s;
proxy_read_timeout 60s;
# SSL settings
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# Logging configuration
log_format detailed '$remote_addr - $remote_user [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent" '
'$request_time $upstream_response_time '
'$http_x_forwarded_for $http_x_real_ip '
'$connection $connection_requests';
access_log /var/log/nginx/access.log detailed buffer=32k flush=5s;
error_log /var/log/nginx/error.log warn;
# Load balancing configuration
upstream backend {
server app1:8080 max_fails=3 fail_timeout=30s;
server app2:8080 max_fails=3 fail_timeout=30s;
keepalive 32;
keepalive_requests 100;
keepalive_timeout 60s;
}
# Include site configurations
include /etc/nginx/sites-enabled/*;
}