{% if ansible_controlled is defined and ansible_controlled != "" %} # # {{ ansible_controlled }} # {% endif %} # nginx Configuration File # http://wiki.nginx.org/Configuration # Run as a less privileged user for security reasons. user www-data; # How many worker threads to run; # "auto" sets it to the number of CPU cores available in the system, and # offers the best performance. Don't set it higher than the number of CPU # cores if changing this parameter. # The maximum number of connections for Nginx is calculated by: # max_clients = worker_processes * worker_connections worker_processes {{ nginx_workers }}; # Maximum open file descriptors per process; # should be > worker_connections. worker_rlimit_nofile 16384; events { # When you need > 8000 * cpu_cores connections, you start optimizing your OS, # and this is probably the point at where you hire people who are smarter than # you, as this is *a lot* of requests. worker_connections 4096; # Event model to use use epoll; } # PID file pid /run/nginx.pid; http { ### Global settings ### # Hide nginx version information. server_tokens off; # How long to allow each connection to stay idle; longer values are better # for each individual client, particularly for SSL, but means that worker # connections are tied up longer. (Default: 65) keepalive_timeout 60 60; # Speed up file transfers by using sendfile() to copy directly # between descriptors rather than using read()/write(). sendfile on; # Tell Nginx not to send out partial frames; this increases throughput # since TCP frames are filled up before being sent out. (adds TCP_CORK) tcp_nopush on; # Tell Nginx to enable(off)/disable(on) the Nagle buffering algorithm for TCP packets, which # collates several smaller packets together into one larger packet, thus saving # bandwidth at the cost of a nearly imperceptible increase to latency. (removes TCP_NODELAY) tcp_nodelay on; # Specifies the maximum accepted body size of a client request, as # indicated by the request header Content-Length (0 to disable) client_max_body_size 4m; # Directive assigns the maximum number and size of buffers for large # headers to read from client request. large_client_header_buffers 8 8k; # Directive sets the headerbuffer size for the request header from client. # For the overwhelming majority of requests it is completely sufficient # with a buffer size of 1K client_header_buffer_size 4k; ### Define the MIME types for files ### include /etc/nginx/mime.types; include /etc/nginx/mime.types.custom; default_type application/octet-stream; # Format to use in log files log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" ' '$host ${request_time} ${scheme}'; ### Default log files ### # (this is only used when you don't override {error,access}_log on a server{} level) access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; # Compression # Enable Gzip compressed. gzip on; # Enable compression both for HTTP/1.0 and HTTP/1.1 (required for CloudFront). gzip_http_version 1.0; # Compression level (1-9). # 5 is a perfect compromise between size and cpu usage, offering about # 75% reduction for most ascii files (almost identical to level 9). gzip_comp_level 5; # Don't compress anything that's already small and unlikely to shrink much # if at all (the default is 20 bytes, which is bad as that usually leads to # larger files after gzipping). gzip_min_length 256; # Compress data even for clients that are connecting to us via proxies, # identified by the "Via" header (required for CloudFront). gzip_proxied any; # Tell proxies to cache both the gzipped and regular version of a resource # whenever the client's Accept-Encoding capabilities header varies; # Avoids the issue where a non-gzip capable client (which is extremely rare # today) would display gibberish if their proxy gave them the gzipped version. gzip_vary on; # Compress all output labeled with one of the following MIME-types. gzip_types application/atom+xml application/javascript application/x-javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component; # text/html is always compressed by HttpGzipModule # This should be turned on if you are going to have pre-compressed copies (.gz) of # static files available. If not it should be left off as it will cause extra I/O # for the check. It is best if you enable this in a location{} block for # a specific directory, or on an individual server{} level. # gzip_static on; ### SSL ### # Diffie-Hellman parameter for DHE ciphersuites ssl_dhparam /etc/ssl/private/dh2048.pem; {% if nginx_ssl_strengthened %} ssl_protocols TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; {% else %} ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; {% endif %} ssl_prefer_server_ciphers on; # Optimize SSL by caching session parameters for 5 minutes. This cuts down on the number of expensive SSL handshakes. # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection. # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state. # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS. ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions ssl_session_timeout 5m; ssl_session_tickets off; # This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication). # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors. #ssl_certificate /etc/nginx/default_ssl.crt; #ssl_certificate_key /etc/nginx/default_ssl.key; ### Passenger ### #passenger_root /usr; #passenger_ruby /usr/bin/ruby; ### Extended configuration ### {% if nginx_http_config %} # Custom settings {%for param in nginx_http_config %} {{ param }} {{ nginx_http_config[param] }}; {% endfor %} {% endif %} # More configuration parameters include /etc/nginx/conf.d/*.conf; # Virtual hosts inclusion include /etc/nginx/sites-enabled/*; } # # Include more global diretives (mail, rtmp, etc.) # include /etc/nginx/conf.d/*.inc;