Nginx-Config/nginx.conf at master · bipy/Nginx-Config · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
user  nginx;
worker_processes  auto;
worker_rlimit_nofile 65535;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;

events {
    multi_accept       on;
    worker_connections 65535;
}

stream {
    map $ssl_preread_server_name $backend_name {
        # some_server remove_proxy_protocol;
        my.com my;
        default bad;
    }

    upstream my {
        server 127.0.0.1:2000;
    }

    upstream bad {
        server 127.0.0.1:400;
    }

    # upstream remove_proxy_protocol {
    #     server 127.0.0.1:4444;
    # }

    # server {
    #     listen 4444 proxy_protocol;
    #     proxy_pass some_backend_name;
    # }

    server {
        listen 443 reuseport;
        proxy_pass $backend_name;
        proxy_protocol on;
        ssl_preread on;
    }

}


http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$proxy_protocol_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;
    error_log   /var/log/nginx/error.log   warn;

    charset                utf-8;
    sendfile               on;
    tcp_nopush             on;
    tcp_nodelay            on;
    server_tokens          off;
    # log_not_found          off;
    types_hash_max_size    2048;
    types_hash_bucket_size 64;
    # client_max_body_size   16M;

    gzip            on;
    gzip_vary       on;
    gzip_proxied    any;
    gzip_comp_level 6;
    gzip_types      text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;

    ssl_protocols          TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers            ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;


    # security headers
    add_header X-XSS-Protection          "1; mode=block" always;
    add_header X-Content-Type-Options    "nosniff" always;
    add_header Referrer-Policy           "no-referrer-when-downgrade" always;
    add_header Permissions-Policy        "interest-cohort=()" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ""      close;
    }

    server {
        listen 400 ssl proxy_protocol reuseport;
        ssl_reject_handshake on;
    }

    include /etc/nginx/conf.d/*.conf;
}