# this allows you to call directives such as "env" in your own conf files # http://nginx.org/en/docs/ngx_core_module.html#env # # and load dynamic modules via load_module # http://nginx.org/en/docs/ngx_core_module.html#load_module include /etc/nginx/main.d/*.conf; user www-data; worker_processes 1; pid /var/run/nginx.pid; error_log /var/log/nginx/error.log warn; events { worker_connections 1024; # multi_accept on; } http { ################################ ## Basic Settings ################################ client_body_buffer_size 10K; client_header_buffer_size 1k; client_max_body_size 8m; large_client_header_buffers 4 4k; proxy_buffer_size 8k; proxy_buffers 4 4k; proxy_busy_buffers_size 8k; proxy_http_version 1.1; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; client_body_timeout 12; client_header_timeout 12; send_timeout 10; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65s 65s; keepalive_requests 10000; types_hash_max_size 2048; # security, reveal less information about ourselves # disables emitting nginx version in error messages and in the "Server" response header field server_tokens off; more_clear_headers 'Server'; more_clear_headers 'X-Powered-By'; # prevent clickjacking attacks more_set_headers 'X-Frame-Options: SAMEORIGIN'; # help to prevent cross-site scripting exploits more_set_headers 'X-XSS-Protection: 1; mode=block'; # help to prevent Cross-Site Scripting (XSS) and data injection attacks # https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP more_set_headers "Content-Security-Policy: object-src 'none'; frame-ancestors 'self'; form-action 'self'; block-all-mixed-content; sandbox allow-forms allow-same-origin allow-scripts allow-popups allow-downloads; base-uri 'self';"; # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type text/html; ################################ ## SSL Settings ################################ # Grade A+ SSL support # https://ssl-config.mozilla.org/#server=nginx&version=1.17.9&config=intermediate&openssl=1.1.1d&guideline=5.4 ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem ssl_dhparam /etc/ssl/dhparam.pem; # intermediate configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # OCSP stapling # ssl_stapling on; ssl_stapling_verify on; ################################ ## Logging Settings ################################ log_format main escape=json '{' '"ip":"$remote_addr", ' '"time":"$time_iso8601", ' '"scheme":"$scheme", ' '"http3":"$http3", ' '"domain":"$server_name", ' '"port":"$server_port", ' '"request":"$request", ' '"request_uri":"$request_uri", ' '"args":"$args", ' '"status":"$status", ' '"sent_bytes":"$body_bytes_sent", ' '"referer":"$http_referer", ' '"msec":"$msec", ' '"host":"$host", ' '"response_time":"$request_time", ' '"upstream_time":"$upstream_response_time", ' '"upstream_ip":"$upstream_addr", ' '"user-agent":"$http_user_agent", ' '"request_body":"$request_body"' '}'; access_log /var/log/nginx/access.log; ################################ ## Gzip Settings ################################ gzip on; gzip_disable "msie6"; gzip_vary on; gzip_proxied any; gzip_min_length 1024; gzip_comp_level 6; gzip_buffers 16 8k; gzip_http_version 1.1; gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; brotli on; brotli_static on; ################################ ## Virtual Host Configs ################################ include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*.conf; }