Update Nginx config
@@ -18,8 +18,8 @@ log_format cache '$remote_addr - $upstream_cache_status [$time_local] '
|
||||
|
||||
# Purge cache for request method.
|
||||
map $request_method $purge_method {
|
||||
PURGE 1;
|
||||
default 0;
|
||||
PURGE 1;
|
||||
}
|
||||
|
||||
# Skip caching for request method.
|
||||
|
||||
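Review bot: `$purge_method` is derived from the request method alone (`PURGE 1;` / `default 0;`), so wherever it feeds `fastcgi_cache_purge` any client able to send a PURGE request can evict cache entries; nothing in this map ties purging to a source address. If purging is meant for local tooling only, gate it on the client as well — a `geo $remote_addr` map ANDed into `$purge_method`, or the `from <addr>` allow-list form that the cache-purge module accepts at location level — and say so next to the map: `# Purge is allowed from any client; restrict by source address before exposing this server.`. The consumer `fastcgi_cache_purge $purge_method;` is in another file of this commit, so I cannot tell whether an `allow`/`deny` block already surrounds it.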
@@ -5,3 +5,8 @@ map $scheme $server_https {
|
||||
default off;
|
||||
https on;
|
||||
}
|
||||
|
||||
map $http_x_forwarded_proto $proto_https {
|
||||
default $scheme;
|
||||
https https;
|
||||
}
|
||||
|
||||
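Review bot: `$proto_https` is populated straight from `$http_x_forwarded_proto`, which any client can set on its own request; the value is only reliable when every request passes through a trusted proxy that overwrites that header. Because the same commit forwards it to PHP as `HTTP_X_FORWARDED_PROTO` (the fastcgi_params hunk), an application that uses it to choose secure-cookie or redirect behaviour would be acting on client-controlled input whenever Nginx is reachable directly. A comment next to the map would make the assumption explicit, e.g. `# $http_x_forwarded_proto is client-supplied; trust it only behind a proxy that overwrites it (see set_real_ip_from).`, and a `geo $remote_addr` guard is the usual fix if direct exposure is possible. Whether the front proxy strips inbound copies of this header is outside this diff.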
@@ -3,7 +3,8 @@
|
||||
|
||||
# Comment out HTTPS line for PHP behind SSL https.
|
||||
#fastcgi_param HTTPS on; # old pre .03 method
|
||||
#fastcgi_param HTTPS $server_https; # new .04+ map method
|
||||
fastcgi_param HTTPS $server_https; # new .04+ map method
|
||||
fastcgi_param HTTP_X_FORWARDED_PROTO $proto_https;
|
||||
|
||||
# Comment out PATH_TRANSLATED line if /etc/php5/fpm/php.ini sets following:
|
||||
# cgi.fix_pathinfo=0
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
## Designed to be included to /etc/nginx/nginx.conf http{} or server{} block
|
||||
|
||||
# Varnish HTTP Accelerator
|
||||
# HTTP Accelerator or Load Balancer.
|
||||
set_real_ip_from 127.0.0.1/32;
|
||||
|
||||
# Header
|
||||
|
||||
@@ -66,9 +66,9 @@ brotli_buffers 16 8k;
|
||||
brotli_window 512k;
|
||||
|
||||
# Up the minimum length a little to account for gzip overhead
|
||||
# this means anything smaller than 1024 bytes won't be compressed.
|
||||
# this means anything smaller than 256 bytes won't be compressed.
|
||||
# The default is 20 bytes, which is sooo tiny it's a waste to compress.
|
||||
brotli_min_length 1024;
|
||||
brotli_min_length 256;
|
||||
|
||||
# Custom header.
|
||||
add_header X-Powered-By "LEMPer/Brotli";
|
||||
|
||||
@@ -79,9 +79,9 @@ gzip_vary on;
|
||||
gzip_buffers 16 8k;
|
||||
|
||||
# Up the minimum length a little to account for gzip overhead
|
||||
# this means anything smaller than 1024 bytes won't be compressed.
|
||||
# this means anything smaller than 256 bytes won't be compressed.
|
||||
# The default is 20 bytes, which is sooo tiny it's a waste to compress.
|
||||
gzip_min_length 1024;
|
||||
gzip_min_length 256;
|
||||
|
||||
# Custom header.
|
||||
add_header X-Powered-By "LEMPer/Gzip";
|
||||
|
||||
@@ -16,8 +16,8 @@ fastcgi_no_cache $http_pragma $http_authorization;
|
||||
|
||||
fastcgi_cache_purge $purge_method;
|
||||
|
||||
# Ignore header
|
||||
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
|
||||
# Ignore header (Added Pragma, crosscheck first)
|
||||
fastcgi_ignore_headers Cache-Control Expires Pragma Set-Cookie;
|
||||
|
||||
# Header status
|
||||
add_header X-FastCGI-Cache $upstream_cache_status;
|
||||
|
||||
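Review bot: `Pragma` is not one of the header names `fastcgi_ignore_headers` accepts (the documented set is the X-Accel-* fields, Expires, Cache-Control, Set-Cookie and Vary), so the new `fastcgi_ignore_headers Cache-Control Expires Pragma Set-Cookie;` should make `nginx -t` reject the file with an invalid-value error; the `crosscheck first` remark suggests this was not tested. Request-side Pragma is already handled by the `fastcgi_no_cache $http_pragma ...` shown in the hunk header, so the safe change is to revert to `fastcgi_ignore_headers Cache-Control Expires Set-Cookie;`. Separately, keeping `Set-Cookie` in the ignore list disables Nginx's default refusal to cache cookie-setting responses, so a session-bearing reply can be stored and served to other visitors unless the no-cache/bypass conditions (mostly outside this hunk) exclude such requests; if that is intentional, record it: `# Set-Cookie ignored on purpose: cached vhosts must exclude session requests via fastcgi_no_cache.`.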
@@ -1,8 +1,10 @@
|
||||
# Enables SSL (deprecated on http2).
|
||||
#ssl on;
|
||||
|
||||
# --- Common definitions for HTTPS content --- #
|
||||
|
||||
# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
|
||||
ssl_session_cache shared:LEMPer_SSL:10m; # a 1mb cache can hold about 4000 sessions
|
||||
ssl_session_cache shared:LEMPer_SSL:50m; # a 1mb cache can hold about 4000 sessions
|
||||
ssl_session_timeout 1d;
|
||||
|
||||
# SSL buffer size was added in 1.5.9
|
||||
@@ -14,25 +16,33 @@ ssl_session_tickets off;
|
||||
# Diffie-Hellman parameter for DHE ciphersuites, minimum recommendation 2048 bits.
|
||||
ssl_dhparam /etc/nginx/ssl/dhparam-2048.pem;
|
||||
|
||||
# If you need to support older browsers (IE6) you may need to add
|
||||
# SSLv2 SSLv3 TLSv1 TLSv1.1 to the list of protocols below.
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
# --- Protocols & Ciphers [start] --- #
|
||||
|
||||
# Enables server-side protection from BEAST attacks.
|
||||
# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
|
||||
# Maximum client support [enabled by default]
|
||||
# Supports Firefox 1, Android 2.3, Chrome 1, Edge 12, IE8 on Windows XP, Java 6, OpenSSL 0.9.8, Opera 5 & Safari 1
|
||||
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
# Ciphers set to best allow protection from Beast, while providing forwarding secrecy,
|
||||
# as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
|
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||
# Intermediate client support [disabled by default]
|
||||
# Supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20 & Safari 9
|
||||
#ssl_protocols TLSv1.2 TLSv1.3;
|
||||
#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
#ssl_prefer_server_ciphers off;
|
||||
|
||||
# Modern client support [disabled by default]
|
||||
# Supports Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57 & Safari 12.1
|
||||
#ssl_protocols TLSv1.3;
|
||||
#ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
|
||||
#ssl_prefer_server_ciphers off;
|
||||
|
||||
# Specifies a curve for ECDHE ciphers, default is auto.
|
||||
ssl_ecdh_curve prime256v1:secp384r1;
|
||||
|
||||
# Enable OCSP stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
|
||||
# http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
#ssl_stapling on;
|
||||
#ssl_stapling_verify on;
|
||||
|
||||
# Reduce SSL buffer size.
|
||||
ssl_buffer_size 4k; # Default = 16k
|
||||
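Review bot: The active profile now reads `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;` with a cipher list that ends in `DES-CBC3-SHA` and includes CBC/SHA-1 suites, replacing the previous TLS 1.2/1.3-only line; TLS 1.0 and 1.1 are deprecated (RFC 8996) and 3DES is a SWEET32 concern, so labelling this `[enabled by default]` is a regression for every site the installer creates. Unless there is a documented need for the legacy clients listed in the comment, keep the intermediate pair active and the legacy pair commented out — i.e. swap which of the two `ssl_protocols`/`ssl_ciphers` blocks is uncommented. In the same hunk `ssl_stapling on;` and `ssl_stapling_verify on;` become comments with no reason given; stapling only needs a working `resolver` (the `resolver_timeout 5s;` context suggests one exists), so either re-enable it or record why: `# OCSP stapling disabled: <reason>`. The dropped pointer to the Mozilla profile (`as defined by Mozilla (Intermediate Set)`) is worth restoring so the next reader can judge where the list came from.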
@@ -55,4 +65,4 @@ resolver_timeout 5s;
|
||||
# This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS.
|
||||
#add_header Strict-Transport-Security "max-age=31536000;" always;
|
||||
# This version tells browsers to treat all subdomains the same as this site and to load exclusively over HTTPS
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
|
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
|
||||
|
||||
@@ -60,6 +60,8 @@ http {
|
||||
# Optimization settings.
|
||||
aio threads;
|
||||
sendfile on;
|
||||
# Limit the amount of data transferred in a single sendfile() call to 1MB.
|
||||
sendfile_max_chunk 1m;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
client_body_buffer_size 128k;
|
||||
@@ -80,8 +82,8 @@ http {
|
||||
|
||||
# Enable Compression.
|
||||
# gzip (default) or brotli (requires Nginx installed with brotli module).
|
||||
# TODO: Move to per site config.
|
||||
#include /etc/nginx/comp_gzip;
|
||||
# Moved to per site config.
|
||||
##include /etc/nginx/compression_gzip;
|
||||
|
||||
# Uncomment to enable FastCGI cache. If disabled, do not use the cached vhost setting.
|
||||
include /etc/nginx/fastcgi_cache;
|
||||
@@ -91,7 +93,7 @@ http {
|
||||
|
||||
# Upstream, ex: for Node.JS application server.
|
||||
# TODO: Move to per site config.
|
||||
#include /etc/nginx/upstream;
|
||||
##include /etc/nginx/upstream;
|
||||
|
||||
# SSL map.
|
||||
include /etc/nginx/fastcgi_https_map;
|
||||
|
||||
@@ -11,8 +11,8 @@ server {
|
||||
#ssl_certificate_key /etc/letsencrypt/live/localhost.localdomain/privkey.pem;
|
||||
#ssl_trusted_certificate /etc/letsencrypt/live/localhost.localdomain/fullchain.pem;
|
||||
|
||||
access_log /var/log/nginx/localhost.access.log;
|
||||
error_log /var/log/nginx/localhost.error.log;
|
||||
access_log /var/log/nginx/localhost.access.log combined buffer=32k;
|
||||
error_log /var/log/nginx/localhost.error.log error;
|
||||
|
||||
root /usr/share/nginx/html;
|
||||
index index.php index.html index.htm;
|
||||
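Review bot: `access_log /var/log/nginx/localhost.access.log combined buffer=32k;` adds a 32k write buffer without a `flush=` interval, so on a low-traffic host request lines can sit in memory indefinitely and `tail -f`, log shippers and incident triage will lag behind what the server actually served; the default vhost gets the same change in the `@@ -132,8 +145,8 @@` hunk. Adding a bound keeps the I/O saving while capping the delay: `access_log /var/log/nginx/localhost.access.log combined buffer=32k flush=5s;`. The explicit `error` level on `error_log` matches Nginx's default, so that part changes nothing.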
@@ -24,7 +24,18 @@ server {
|
||||
|
||||
include /etc/nginx/vhost/site_default.conf;
|
||||
|
||||
location ~ ^/(status|ping)$ {
|
||||
# Nginx basic status monitoring.
|
||||
location = /nginx_status {
|
||||
stub_status;
|
||||
allow all;
|
||||
auth_basic "Denied";
|
||||
auth_basic_user_file /srv/.htpasswd;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
|
||||
# PHP-FPM status monitoring.
|
||||
location ~ ^/php-fpm_(status|ping)$ {
|
||||
include /etc/nginx/fastcgi_params;
|
||||
|
||||
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
|
||||
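Review bot: Both monitoring locations switch logging off (`access_log off;`, `log_not_found off;`) on endpoints protected only by HTTP basic auth, so failed authentication attempts against the `/srv/.htpasswd` credentials leave no trace in the access log; the rest of the php-fpm block, with the same directives, continues in the next hunk. For an authenticated admin endpoint keep the access log on, or give it its own file so normal traffic stays uncluttered: `access_log /var/log/nginx/localhost.status.log combined;`. `allow all;` placed before `auth_basic` is redundant and reads as if access were being opened up; drop it, or replace it with the real list of monitoring hosts followed by `deny all;` so the intent is visible. If these server blocks also listen on plain HTTP the basic-auth credentials travel unencrypted — the `listen` lines are outside the hunk, so this is only a prompt to check.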
@@ -33,6 +44,8 @@ server {
|
||||
allow all;
|
||||
auth_basic "Denied";
|
||||
auth_basic_user_file /srv/.htpasswd;
|
||||
access_log off;
|
||||
log_not_found off;
|
||||
}
|
||||
|
||||
location ~ \.php81$ {
|
||||
@@ -46,7 +59,7 @@ server {
|
||||
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
|
||||
}
|
||||
|
||||
location ~ \.php80$ {
|
||||
location ~ \.(php|php80)$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_index index.php;
|
||||
@@ -56,7 +69,7 @@ server {
|
||||
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
|
||||
}
|
||||
|
||||
location ~ \.(php|php74)$ {
|
||||
location ~ \.php74$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_index index.php;
|
||||
@@ -132,8 +145,8 @@ server {
|
||||
index index.php index.html index.htm;
|
||||
|
||||
# Log Settings.
|
||||
access_log /var/log/nginx/localhost.access.log;
|
||||
error_log /var/log/nginx/localhost.error.log;
|
||||
access_log /var/log/nginx/localhost.access.log combined buffer=32k;
|
||||
error_log /var/log/nginx/localhost.error.log error;
|
||||
|
||||
location /lcp {
|
||||
try_files $uri $uri/ /index.php?$args;
|
||||
@@ -175,7 +188,7 @@ server {
|
||||
fastcgi_pass unix:/run/php/php8.1-fpm.sock;
|
||||
}
|
||||
|
||||
location ~ \.php80$ {
|
||||
location ~ \.(php|php80)$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_index index.php;
|
||||
@@ -185,7 +198,7 @@ server {
|
||||
fastcgi_pass unix:/run/php/php8.0-fpm.sock;
|
||||
}
|
||||
|
||||
location ~ \.(php|php74)$ {
|
||||
location ~ \.php74$ {
|
||||
try_files $uri =404;
|
||||
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
||||
fastcgi_index index.php;
|
||||
|
||||