From 2ab97b87213893e15607c67a964d49c6a9b1b046 Mon Sep 17 00:00:00 2001 From: Seung-Zin Nam Date: Mon, 29 May 2017 15:12:24 +0200 Subject: [PATCH] Update nginx.conf --- doc/nginx/nginx.conf | 136 ++++++++++++++++++------------------------- 1 file changed, 56 insertions(+), 80 deletions(-) diff --git a/doc/nginx/nginx.conf b/doc/nginx/nginx.conf index c8a6b0e740..7b3cc3e7bc 100644 --- a/doc/nginx/nginx.conf +++ b/doc/nginx/nginx.conf @@ -1,91 +1,67 @@ user www-data; +worker_processes auto; pid /run/nginx.pid; -worker_processes auto; - # limit the maximum number of open files #worker_rlimit_nofile 128000; events { - worker_connections 8192; + worker_connections 8192; + # multi_accept on; } http { - include mime.types; - default_type application/octet-stream; - server_tokens off; - - sendfile on; - keepalive_timeout 65; - - proxy_buffering off; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $http_host; - proxy_http_version 1.1; - #websocket - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - - # custom error page if natty is not running - proxy_intercept_errors on; - error_page 500 502 503 504 @errorpage; - - #disable access logging - access_log off; - - upstream my-backend { - server 127.0.0.1:9000; - } - - server { - listen 80; - - server_name _; - return 301 https://$host$request_uri; - - # server_name rye.tuebingen.mpg.de; - # location / { - # proxy_pass http://my-backend; - # } - # location /ganglia { - # alias /usr/share/ganglia-webfrontend; - # allow 10.0.0.0/8; - # deny all; - # } - } - - server { - listen 443; - ssl on; - - # http://www.selfsignedcertificate.com/ is useful for development testing - ssl_certificate /etc/ssl/certs/toolkit-chain.pem; - ssl_certificate_key /etc/ssl/private/toolkit-key.pem; - - # From https://bettercrypto.org/static/applied-crypto-hardening.pdf - ssl_prefer_server_ciphers on; - ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive - ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'; - add_header Strict-Transport-Security max-age=15768000; # six months - # use this only if all subdomains support HTTPS! - # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" - - keepalive_timeout 70; - server_name _; - - - location / { - proxy_pass http://my-backend; - client_body_in_file_only clean; - client_body_buffer_size 128k; - client_max_body_size 30m; - } - - location @errorpage { - root /ebio/toolkit_rye/user/toolkit/Toolkit/doc/nginx/; - index underConstruction.html; - } - } + + ## + # Basic Settings + ## + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + # server_tokens off; + + # server_names_hash_bucket_size 64; + # server_name_in_redirect off; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + ## + # SSL Settings + ## + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE + ssl_prefer_server_ciphers on; + + ## + # Logging Settings + ## + + #access_log /var/log/nginx/access.log; + access_log off; + error_log /var/log/nginx/error.log; + + ## + # Gzip Settings + ## + + gzip on; + gzip_disable "msie6"; + + # gzip_vary on; + # gzip_proxied any; + # gzip_comp_level 6; + # gzip_buffers 16 8k; + # gzip_http_version 1.1; + # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + + ## + # Virtual Host Configs + ## + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; }