ansible-playbooks/roles/webserver/templates/nginx/nginx.conf.j2

{% if ansible_prolog -%}
{% from 'templates/ansible/prolog.j2' import prolog with context %}
{{ prolog() }}
{% endif -%}
# nginx Configuration File
# http://wiki.nginx.org/Configuration

# Run as a less privileged user for security reasons.
user www-data;

# How many worker threads to run;
# "auto" sets it to the number of CPU cores available in the system, and
# offers the best performance. Don't set it higher than the number of CPU
# cores if changing this parameter.

# The maximum number of connections for Nginx is calculated by:
# max_clients = worker_processes * worker_connections
worker_processes {{ nginx_workers }};

# Maximum open file descriptors per process;
# should be > worker_connections.
worker_rlimit_nofile 16384;

events {
    # When you need > 8000 * cpu_cores connections, you start optimizing your OS,
    # and this is probably the point at where you hire people who are smarter than
    # you, as this is *a lot* of requests.
worker_connections 4096;
    # Event model to use
    use epoll;
}

# PID file
pid /run/nginx.pid;

http {
    ### Global settings ###

    # Hide nginx version information.
    server_tokens off;

    # How long to allow each connection to stay idle; longer values are better
    # for each individual client, particularly for SSL, but means that worker
    # connections are tied up longer. (Default: 65)
    keepalive_timeout 60 60;

    # Speed up file transfers by using sendfile() to copy directly
    # between descriptors rather than using read()/write().
    sendfile on;

    # Tell Nginx not to send out partial frames; this increases throughput
    # since TCP frames are filled up before being sent out. (adds TCP_CORK)
    tcp_nopush on;

    # Tell Nginx to enable(off)/disable(on) the Nagle buffering algorithm for TCP packets, which
    # collates several smaller packets together into one larger packet, thus saving
    # bandwidth at the cost of a nearly imperceptible increase to latency. (removes TCP_NODELAY)
    tcp_nodelay on;

    # Specifies the maximum accepted body size of a client request, as
    # indicated by the request header Content-Length (0 to disable)
    client_max_body_size 4m;

    # Directive assigns the maximum number and size of buffers for large
    # headers to read from client request.
    large_client_header_buffers 8 8k;

    # Directive sets the headerbuffer size for the request header from client.
    # For the overwhelming majority of requests it is completely sufficient
    # with a buffer size of 1K
    client_header_buffer_size 4k;


    ### Define the MIME types for files ###
    include       /etc/nginx/mime.types;
    include       /etc/nginx/mime.types.custom;
    default_type  application/octet-stream;

    # Format to use in log files
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    '$host ${request_time} ${scheme}';

    ### Default log files ###

    # (this is only used when you don't override {error,access}_log on a server{} level)
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    # Compression

    # Enable Gzip compressed.
    gzip on;

    # Enable compression both for HTTP/1.0 and HTTP/1.1 (required for CloudFront).
    gzip_http_version 1.0;

    # Compression level (1-9).
    # 5 is a perfect compromise between size and cpu usage, offering about
    # 75% reduction for most ascii files (almost identical to level 9).
    gzip_comp_level 5;

    # Don't compress anything that's already small and unlikely to shrink much
    # if at all (the default is 20 bytes, which is bad as that usually leads to
    # larger files after gzipping).
    gzip_min_length 256;

    # Compress data even for clients that are connecting to us via proxies,
    # identified by the "Via" header (required for CloudFront).
    gzip_proxied any;

    # Tell proxies to cache both the gzipped and regular version of a resource
    # whenever the client's Accept-Encoding capabilities header varies;
    # Avoids the issue where a non-gzip capable client (which is extremely rare
    # today) would display gibberish if their proxy gave them the gzipped version.
    gzip_vary on;

    # Compress all output labeled with one of the following MIME-types.
    gzip_types
        application/atom+xml
        application/javascript
        application/x-javascript
        application/json
        application/rss+xml
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/opentype
        image/svg+xml
        image/x-icon
        text/css
        text/plain
        text/x-component;
    # text/html is always compressed by HttpGzipModule

    # This should be turned on if you are going to have pre-compressed copies (.gz) of
    # static files available. If not it should be left off as it will cause extra I/O
    # for the check. It is best if you enable this in a location{} block for
    # a specific directory, or on an individual server{} level.
    # gzip_static on;


    ### SSL ###

    # Diffie-Hellman parameter for DHE ciphersuites
    ssl_dhparam /etc/ssl/private/dh2048.pem;

{% if nginx_ssl_strengthened %}
    ssl_protocols   TLSv1.2;
    ssl_ciphers     'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
{% else %}
    ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers     'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
{% endif %}
    ssl_prefer_server_ciphers  on;

    # Optimize SSL by caching session parameters for 5 minutes. This cuts down on the number of expensive SSL handshakes.
    # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
    # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
    # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
    ssl_session_cache    shared:SSL:10m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
    ssl_session_timeout  5m;
    ssl_session_tickets off;

    # This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
    # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
    #ssl_certificate      /etc/nginx/default_ssl.crt;
    #ssl_certificate_key  /etc/nginx/default_ssl.key;

    ### Passenger ###

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ### Extended configuration ###

{% if nginx_http_config %}
    # Custom settings
{%for param in nginx_http_config %}
    {{ param }} {{ nginx_http_config[param] }};
{% endfor %}
{% endif %}

    # More configuration parameters
    include /etc/nginx/conf.d/*.conf;

    # Virtual hosts inclusion
    include /etc/nginx/sites-enabled/*;
}

#
# Include more global diretives (mail, rtmp, etc.)
#

include /etc/nginx/conf.d/*.inc;