nginx.conf.j2 7.9 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191
  1. {% if ansible_prolog -%}
  2. {% from 'templates/ansible/prolog.j2' import prolog with context %}
  3. {{ prolog() }}
  4. {% endif -%}
  5. # nginx Configuration File
  6. # http://wiki.nginx.org/Configuration
  7. # Run as a less privileged user for security reasons.
  8. user www-data;
  9. # How many worker threads to run;
  10. # "auto" sets it to the number of CPU cores available in the system, and
  11. # offers the best performance. Don't set it higher than the number of CPU
  12. # cores if changing this parameter.
  13. # The maximum number of connections for Nginx is calculated by:
  14. # max_clients = worker_processes * worker_connections
  15. worker_processes {{ nginx_workers }};
  16. # Maximum open file descriptors per process;
  17. # should be > worker_connections.
  18. worker_rlimit_nofile 16384;
  19. events {
  20. # When you need > 8000 * cpu_cores connections, you start optimizing your OS,
  21. # and this is probably the point at where you hire people who are smarter than
  22. # you, as this is *a lot* of requests.
  23. worker_connections 4096;
  24. # Event model to use
  25. use epoll;
  26. }
  27. # PID file
  28. pid /var/run/nginx.pid;
  29. http {
  30. ### Global settings ###
  31. # Hide nginx version information.
  32. server_tokens off;
  33. # How long to allow each connection to stay idle; longer values are better
  34. # for each individual client, particularly for SSL, but means that worker
  35. # connections are tied up longer. (Default: 65)
  36. keepalive_timeout 60 60;
  37. # Speed up file transfers by using sendfile() to copy directly
  38. # between descriptors rather than using read()/write().
  39. sendfile on;
  40. # Tell Nginx not to send out partial frames; this increases throughput
  41. # since TCP frames are filled up before being sent out. (adds TCP_CORK)
  42. tcp_nopush on;
  43. # Tell Nginx to enable(off)/disable(on) the Nagle buffering algorithm for TCP packets, which
  44. # collates several smaller packets together into one larger packet, thus saving
  45. # bandwidth at the cost of a nearly imperceptible increase to latency. (removes TCP_NODELAY)
  46. tcp_nodelay on;
  47. # Specifies the maximum accepted body size of a client request, as
  48. # indicated by the request header Content-Length (0 to disable)
  49. client_max_body_size 4m;
  50. # Directive assigns the maximum number and size of buffers for large
  51. # headers to read from client request.
  52. large_client_header_buffers 8 8k;
  53. # Directive sets the headerbuffer size for the request header from client.
  54. # For the overwhelming majority of requests it is completely sufficient
  55. # with a buffer size of 1K
  56. client_header_buffer_size 4k;
  57. ### Define the MIME types for files ###
  58. include /etc/nginx/mime.types;
  59. default_type application/octet-stream;
  60. # Format to use in log files
  61. log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  62. '$status $body_bytes_sent "$http_referer" '
  63. '"$http_user_agent" "$http_x_forwarded_for"';
  64. ### Default log files ###
  65. # (this is only used when you don't override {error,access}_log on a server{} level)
  66. access_log /var/log/nginx/access.log;
  67. error_log /var/log/nginx/error.log;
  68. # Compression
  69. # Enable Gzip compressed.
  70. gzip on;
  71. # Enable compression both for HTTP/1.0 and HTTP/1.1 (required for CloudFront).
  72. gzip_http_version 1.0;
  73. # Compression level (1-9).
  74. # 5 is a perfect compromise between size and cpu usage, offering about
  75. # 75% reduction for most ascii files (almost identical to level 9).
  76. gzip_comp_level 5;
  77. # Don't compress anything that's already small and unlikely to shrink much
  78. # if at all (the default is 20 bytes, which is bad as that usually leads to
  79. # larger files after gzipping).
  80. gzip_min_length 256;
  81. # Compress data even for clients that are connecting to us via proxies,
  82. # identified by the "Via" header (required for CloudFront).
  83. gzip_proxied any;
  84. # Tell proxies to cache both the gzipped and regular version of a resource
  85. # whenever the client's Accept-Encoding capabilities header varies;
  86. # Avoids the issue where a non-gzip capable client (which is extremely rare
  87. # today) would display gibberish if their proxy gave them the gzipped version.
  88. gzip_vary on;
  89. # Compress all output labeled with one of the following MIME-types.
  90. gzip_types
  91. application/atom+xml
  92. application/javascript
  93. application/x-javascript
  94. application/json
  95. application/rss+xml
  96. application/vnd.ms-fontobject
  97. application/x-font-ttf
  98. application/x-web-app-manifest+json
  99. application/xhtml+xml
  100. application/xml
  101. font/opentype
  102. image/svg+xml
  103. image/x-icon
  104. text/css
  105. text/plain
  106. text/x-component;
  107. # text/html is always compressed by HttpGzipModule
  108. # This should be turned on if you are going to have pre-compressed copies (.gz) of
  109. # static files available. If not it should be left off as it will cause extra I/O
  110. # for the check. It is best if you enable this in a location{} block for
  111. # a specific directory, or on an individual server{} level.
  112. # gzip_static on;
  113. ### SSL ###
  114. # Diffie-Hellman parameter for DHE ciphersuites
  115. ssl_dhparam /etc/ssl/private/dh2048.pem;
  116. {% if nginx_ssl_strengthened %}
  117. ssl_protocols TLSv1.1 TLSv1.2;
  118. ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
  119. {% else %}
  120. ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  121. ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
  122. {% endif %}
  123. ssl_prefer_server_ciphers on;
  124. # Optimize SSL by caching session parameters for 5 minutes. This cuts down on the number of expensive SSL handshakes.
  125. # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
  126. # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
  127. # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
  128. ssl_session_cache shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
  129. ssl_session_timeout 5m;
  130. # This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
  131. # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
  132. #ssl_certificate /etc/nginx/default_ssl.crt;
  133. #ssl_certificate_key /etc/nginx/default_ssl.key;
  134. ### Passenger ###
  135. #passenger_root /usr;
  136. #passenger_ruby /usr/bin/ruby;
  137. ### Extended configuration ###
  138. # More configuration parameters
  139. include /etc/nginx/conf.d/*.conf;
  140. # Virtual hosts inclusion
  141. include /etc/nginx/sites-enabled/*;
  142. }
  143. #
  144. # Include more global diretives (mail, rtmp, etc.)
  145. #
  146. include /etc/nginx/conf.d/*.inc;