Set low default values for directives
Adjust directive values as needed depending on site requirements e.g client_max_body_size 500M in minio.conf while other sites are limited to 1k
This commit is contained in:
129
data/nginx.conf
129
data/nginx.conf
@@ -3,25 +3,36 @@ worker_processes auto;
|
||||
error_log /var/log/nginx/error.log warn;
|
||||
pid /var/run/nginx.pid;
|
||||
|
||||
# Load modules
|
||||
include /etc/nginx/modules-enabled/*.conf;
|
||||
|
||||
events {
|
||||
worker_connections 1024;
|
||||
use epoll;
|
||||
multi_accept on;
|
||||
}
|
||||
|
||||
http {
|
||||
# MIME
|
||||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
keepalive_timeout 65;
|
||||
keepalive_requests 100000;
|
||||
|
||||
variables_hash_max_size 2048;
|
||||
server_names_hash_bucket_size 128;
|
||||
charset utf-8;
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
server_tokens off;
|
||||
|
||||
resolver 8.8.8.8 valid=30s ipv6=off;
|
||||
resolver_timeout 11s;
|
||||
log_format main '$remote_addr - $remote_user [$time_local] '
|
||||
'"$request" $status $bytes_sent '
|
||||
'"$http_referer" "$http_user_agent" '
|
||||
'"$gzip_ratio"';
|
||||
|
||||
log_format cloudflare '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" $http_cf_ray $http_cf_connecting_ip '
|
||||
'$http_x_forwarded_for $http_x_forwarded_proto '
|
||||
'$http_true_client_ip $http_cf_ipcountry '
|
||||
'$http_cf_visitor $http_cdn_loop';
|
||||
|
||||
log_format json_combined escape=json '{'
|
||||
'"method":"$request_method",'
|
||||
@@ -40,49 +51,87 @@ http {
|
||||
'"timestamp":"$time_iso8601",'
|
||||
'"ip":"$http_x_forwarded_for"'
|
||||
'}';
|
||||
|
||||
# log_format VCOMBINED '$host:$server_port '
|
||||
# '$remote_addr $remote_user [$time_local] '
|
||||
# '"$request" $status $body_bytes_sent '
|
||||
# '"$http_referer" "$http_user_agent"';
|
||||
|
||||
|
||||
# track every client request and are vital for traffic analysis and performance monitoring.
|
||||
access_log /var/log/nginx/access.log json_combined;
|
||||
# capture internal server issues and help with troubleshooting.
|
||||
error_log /var/log/nginx/error.log debug;
|
||||
|
||||
sendfile on;
|
||||
tcp_nopush on;
|
||||
tcp_nodelay on;
|
||||
types_hash_max_size 2048;
|
||||
|
||||
# Important for MinIO
|
||||
client_max_body_size 0;
|
||||
proxy_buffering off;
|
||||
proxy_request_buffering off;
|
||||
|
||||
# Increase the buffer for the request line and headers
|
||||
client_header_buffer_size 16k;
|
||||
large_client_header_buffers 4 32k;
|
||||
|
||||
# If using Nginx as a proxy to the Harbor core/registry
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 4 256k;
|
||||
proxy_busy_buffers_size 256k;
|
||||
|
||||
proxy_connect_timeout 300;
|
||||
proxy_send_timeout 300;
|
||||
proxy_read_timeout 300;
|
||||
|
||||
# Add extra headers
|
||||
add_header X-Frame-Options DENY;
|
||||
add_header Content-Security-Policy "frame-ancestors 'none'";
|
||||
|
||||
# SSL Settings
|
||||
# SSL
|
||||
# Mozilla Intermediate configuration
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
|
||||
ssl_prefer_server_ciphers on;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
# enable session resumption to improve https performance
|
||||
ssl_session_timeout 10m;
|
||||
ssl_session_cache shared:SSL:10m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
# Diffie-Hellman parameter for DHE ciphersuites
|
||||
# ssl_dhparam /etc/nginx/dhparam.pem;
|
||||
|
||||
# OCSP Stapling
|
||||
# ssl_stapling on;
|
||||
# ssl_stapling_verify on;
|
||||
resolver 127.0.0.11 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
|
||||
resolver_timeout 2s;
|
||||
|
||||
|
||||
# CONTROL RESOURCES AND LIMITS / CONTROLLING BUFFER OVERFLOW ATTACKS
|
||||
# specify the client request body buffer size; default 8k/16k
|
||||
client_body_buffer_size 1k;
|
||||
# sets the headerbuffer size for the request header from client.
|
||||
# 1K sufficient for most requests.
|
||||
# Increase this if you have a custom header or a large cookie sent from the client (e.g., wap client).
|
||||
client_header_buffer_size 1k;
|
||||
# assigns the maximum accepted body size of client request, indicated by the line Content-Length in the header of request.
|
||||
# If size is greater the given one, then the client gets the error “Request Entity Too Large” (413).
|
||||
# Increase this when you are getting file uploads via the POST method. e.g harbor image push, minio uploads
|
||||
client_max_body_size 1k;
|
||||
# assigns the maximum number and size of buffers for large headers to read from client request.
|
||||
# By default the size of one buffer is equal to the size of page, depending on platform this either 4K or 8K,
|
||||
# if at the end of working request connection converts to state keep-alive,
|
||||
# then these buffers are freed. 2x1k will accept 2kB data URI.
|
||||
# This will also help combat bad bots and DoS attacks.
|
||||
large_client_header_buffers 4 4k;
|
||||
|
||||
client_header_timeout 60;
|
||||
client_body_timeout 60;
|
||||
send_timeout 60;
|
||||
|
||||
# PROXY BUFFERING
|
||||
# NGINX stores the response from a server in internal buffers as it comes in,
|
||||
# and doesn't start sending data to the client until the entire response is buffered
|
||||
|
||||
# With proxy_buffering disabled, data received from the server is immediately relayed by NGINX,
|
||||
# allowing for minimum Time To First Byte (TTFB).
|
||||
# TLDR - Buffering is needed to ensure that the upstream server can be set free after delivering the response to NGINX,
|
||||
# and NGINX will proceed to deliver the response to the slow client.
|
||||
proxy_buffering off; # for a single server setup (SSL termination of Varnish), where no caching is done in NGINX itself
|
||||
# Defines the amount of memory that NGINX will allocate for each request to the proxied server.
|
||||
# This small chunk of memory will be used for reading and storing the tiny fraction of response – the HTTP headers.
|
||||
# tuning solves the upstream sent too big header while reading response header from upstream error.
|
||||
proxy_buffer_size 8k; # defaults: 4k/8k, should be enough for most PHP websites, or adjust as above
|
||||
# size of buffers, in kilobytes, which can be used for delivering the response to clients
|
||||
# while it was not fully read from the upstream server.
|
||||
proxy_busy_buffers_size 16k; # essentially, proxy_buffer_size + 2 small buffers of 4k
|
||||
# The rule of thumb with this setting is that while we make use of buffering,
|
||||
# it is best that the complete response from upstream can be held in memory, to avoid disk I/O.
|
||||
proxy_buffers 8 4k; # Default: 8 4k|8k; should be enough for most PHP websites, adjust as above to get an accurate value
|
||||
|
||||
# Time to establish TCP connection
|
||||
# Increase only if your app has slow endpoints
|
||||
proxy_connect_timeout 60s;
|
||||
# Time between successive writes to upstream
|
||||
proxy_send_timeout 60;
|
||||
# Time between successive reads from upstream
|
||||
proxy_read_timeout 60;
|
||||
|
||||
# Gzip Settings
|
||||
gzip on;
|
||||
@@ -91,7 +140,7 @@ http {
|
||||
gzip_comp_level 6;
|
||||
gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml+rss application/rss+xml font/truetype font/opentype application/vnd.ms-fontobject image/svg+xml;
|
||||
|
||||
|
||||
# Include all server configurations
|
||||
include /etc/nginx/conf.d/*.conf;
|
||||
# include /etc/nginx/conf.d/*.conf;
|
||||
include /etc/nginx/sites-enabled/*;
|
||||
}
|
||||
Reference in New Issue
Block a user