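#user nginx;
worker_processes 4;

# Optional dynamic modules. Only load what this host needs — every loaded
# module runs inside the nginx worker and widens its attack surface.
# load_module lib64/nginx/modules/ngx_http_geoip_module.so;
# load_module lib64/nginx/modules/ngx_http_image_filter_module.so;
# load_module lib64/nginx/modules/ngx_http_perl_module.so;
# load_module lib64/nginx/modules/ngx_http_xslt_filter_module.so;
# load_module lib64/nginx/modules/ngx_mail_module.so;
# load_module lib64/nginx/modules/ngx_stream_module.so;

error_log /var/log/nginx/error.log;
#error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log info;

pid /var/run/nginx.pid;
worker_rlimit_nofile 8192;

events {
    worker_connections 4096;
    use epoll;
}

http {
    include mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 2;
    types_hash_max_size 2048;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;

    ##
    # File Cache Settings
    ##
    open_file_cache max=5000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;
    ##

    # NOTE(review): compressing dynamic responses over TLS exposes pages that
    # reflect request data to BREACH-style compression attacks. Consider
    # limiting gzip_types to static content or disabling gzip for
    # authenticated PHP responses.
    gzip on;
    #gzip_static on;
    gzip_disable "msie6";
    gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/x-javascript
               text/xml application/xml application/xml+rss text/javascript
               application/javascript text/x-js;
    gzip_buffers 16 8k;

    # Shared cache zone used by the PHP microcache in the HTTPS server below.
    fastcgi_cache_path /var/cache/nginx levels=1:2 keys_zone=microcache:10m
                       max_size=1000m inactive=60m;

    include conf.d/*.conf;

    # Plain-HTTP listener: unconditionally redirect to HTTPS. $server_name
    # (not $host) is used so a forged Host header cannot steer the redirect.
    server {
        listen 80;
        listen [::]:80;
        server_name xxx.com;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name xxx.com;
        root /srv/www/htdocs/;

        ssl_certificate star_xxx.com.crt;
        # Was "star_xxx..com.key" (double dot) — aligned with the certificate
        # file name above; nginx would refuse to start on a missing key file.
        ssl_certificate_key star_xxx.com.key;

        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were previously
        # enabled here. Add TLSv1.3 once the nginx/OpenSSL build on this
        # host accepts it (an unknown token is a startup error on older builds).
        ssl_protocols TLSv1.2;
        # !aNULL is appended so that no anonymous DH/ECDH suite can be pulled
        # in through the EDH/EECDH aliases on older OpenSSL releases.
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:EECDH:EDH:!MD5:!RC4:!LOW:!MEDIUM:!CAMELLIA:!ECDSA:!DES:!DSS:!3DES:!NULL:!aNULL;
        ssl_prefer_server_ciphers on;
        # The EDH suites above use nginx's built-in DH group while ssl_dhparam
        # is unset (1024-bit on older releases). Provide >=2048-bit parameters
        # here or remove the EDH aliases from ssl_ciphers.
        #ssl_dhparam /pfad/dhparam2048.pem;
        #ssl_ecdh_curve secp384r1;
        # Only sensible if an RSA key larger than 3072 bits is used
        # (presumably refers to the secp384r1 choice above).
        #
        # The HTTP listener already forces HTTPS, so HSTS is safe to turn on.
        # "preload" is deliberately left out: it is a near-irreversible
        # commitment that has to be submitted to browser preload lists.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        # HPKP is deprecated and no longer honoured by browsers; a wrong pin
        # locks users out for the whole max-age. Kept only as a historical note.
        #add_header Public-Key-Pins 'pin-sha256="AKTUELLER-KEY-HASH"; pin-sha256="BACKUP-KEY-HASH"; max-age=31536000; includeSubDomains';
        #ssl_stapling on;
        #ssl_trusted_certificate /pfad/bundle.ca.pem;
        #ssl_stapling_verify on;

        ssl_session_timeout 10m;
        ssl_session_cache shared:SSL:10m;
        # NOTE(review): session tickets default to on. Without a regularly
        # rotated ssl_session_ticket_key the ticket key lives as long as the
        # worker, which weakens forward secrecy for resumed sessions.
        #ssl_session_tickets on;
        #ssl_session_ticket_key /pfad/nginx_ticketkey;

        location / {
            try_files $uri $uri/ =404;
            root /srv/www/htdocs/;
            index index.html index.htm index.php;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /srv/www/htdocs/;
        }

        # Deny every dot-file and dot-directory (.htaccess, .git, .env, ...),
        # not only .ht*. /.well-known/ is excluded so ACME challenges still
        # work. Placed before the PHP location so a name such as
        # /.hidden.php cannot be matched by the PHP regex first.
        location ~ /\.(?!well-known/) {
            deny all;
        }

        location ~ [^/]\.php(/|$) {
            root /srv/www/htdocs/;

            # Setup var defaults
            set $no_cache "";

            # If non GET/HEAD, don't cache & mark user as uncacheable for
            # 2 seconds (Max-Age=2) via cookie
            if ($request_method !~ ^(GET|HEAD)$) {
                set $no_cache "1";
            }

            # Drop no cache cookie if need be
            # (for some reason, add_header fails if included in prior if-block)
            if ($no_cache = "1") {
                add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
                add_header X-Microcachable "0";
                # add_header is not inherited into a block that declares its
                # own add_header, so HSTS has to be repeated here.
                add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
            }

            # Bypass cache if no-cache cookie is set
            if ($http_cookie ~* "_mcnc") {
                set $no_cache "1";
            }

            # Bypass cache if flag is set
            fastcgi_no_cache $no_cache;
            fastcgi_cache_bypass $no_cache;
            fastcgi_cache microcache;
            fastcgi_cache_key $scheme$host$request_uri$request_method;
            fastcgi_cache_valid 200 301 302 10m;
            fastcgi_cache_use_stale updating error timeout invalid_header http_500;
            fastcgi_pass_header Set-Cookie;
            fastcgi_pass_header Cookie;
            # NOTE(review): ignoring Set-Cookie allows a response that sets one
            # client's session cookie to be cached and replayed to every other
            # client for up to 10m. Either drop Set-Cookie from this list or
            # set $no_cache for requests that carry the application's session
            # cookie (its name is not visible in this file).
            fastcgi_ignore_headers Cache-Control Expires Set-Cookie;

            #try_files $uri =404;
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            # Refuse requests whose script part does not exist on disk. This
            # keeps a request like /upload.jpg/x.php from reaching PHP-FPM,
            # where cgi.fix_pathinfo would otherwise execute the upload.
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }
            # Presumably the shipped fastcgi_params sets SCRIPT_FILENAME from
            # $document_root$fastcgi_script_name — confirm for this distro,
            # otherwise PHP-FPM receives no script to run.
            include fastcgi_params;
            fastcgi_pass 127.0.0.1:9000;
            #fastcgi_pass unix:/var/lib/php5-fpm/www.sock;
            fastcgi_index index.php;
            fastcgi_intercept_errors on;
            fastcgi_buffer_size 128k;
            fastcgi_buffers 256 16k;
            fastcgi_busy_buffers_size 256k;
            fastcgi_temp_file_write_size 256k;
            fastcgi_read_timeout 240;
        }

        # The original pattern ".(jpg|...)" left the dot unescaped (matching
        # any character) and was declared twice; nginx uses the first regex
        # location that matches, so the second block's logging settings were
        # dead. Both are merged into one anchored location.
        location ~* \.(jpg|jpeg|png|gif|ico)$ {
            expires 365d;
            log_not_found off;
            access_log off;
        }
    }

    include vhosts.d/*.conf;
    #include /etc/nginx/sites-enabled/*;
}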