nginx.conf 2.4 KB

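  # Main nginx configuration, rendered through Salt/Jinja (see the pillar
  # lookup inside the http block). Worker identity, event loop limits,
  # HTTP-wide defaults, TLS policy and response headers are all set here;
  # the individual virtual hosts come from the include lines at the end
  # of the http block.
  user www-data;
  worker_processes 4;
  pid /run/nginx.pid;
  include /etc/nginx/modules-enabled/*.conf;

  events {
      worker_connections 768;
      # multi_accept on;
  }

  http {
      ##
      # Basic Settings
      ##

      # Raise the request body limit so that Nextcloud can receive large uploads.
      client_max_body_size 64m;
      sendfile on;
      tcp_nopush on;
      tcp_nodelay on;
      keepalive_timeout 65;
      types_hash_max_size 2048;
      # NOTE(review): with server_tokens left at its default, the nginx
      # version is disclosed in the Server header and on error pages.
      # server_tokens off;
      {% if 'frontend' in salt['pillar.get']('nodes:' ~ grains.id ~ ':roles', []) %}
      server_names_hash_bucket_size 64;
      {%- else %}
      # server_names_hash_bucket_size 64;
      {%- endif %}
      # server_name_in_redirect off;
      include /etc/nginx/mime.types;
      default_type application/octet-stream;

      ##
      # SSL Settings
      ##

      ssl_prefer_server_ciphers on;
      # NOTE(review): TLSv1.1 is formally deprecated (RFC 8996). Consider
      # TLSv1.2 only, plus TLSv1.3 where the installed nginx/OpenSSL build
      # supports it - confirm client compatibility before changing.
      ssl_protocols TLSv1.1 TLSv1.2; # Dropping SSLv3/TLSv1, ref: POODLE
      # NOTE(review): the trailing CAMELLIA128-SHA and AES128-SHA entries are
      # static-RSA key exchange suites without forward secrecy, and !ECDSA
      # rules out ECDSA-authenticated suites. Worth replacing with a current,
      # AEAD-only, forward-secret list when ssl_protocols is revisited.
      ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
      # NOTE(review): the strength of the DH group in this file is not
      # visible here - verify it is at least 2048 bits.
      ssl_dhparam /etc/ssl/dhparam.pem;
      ssl_ecdh_curve secp384r1;
      ssl_session_cache shared:SSL:10m;

      # Response headers set at http level. nginx inherits add_header from
      # this level only into server/location blocks that define no
      # add_header of their own; any vhost that adds a header must repeat
      # these or it silently loses all of them.
      #
      # NOTE(review): without the "always" parameter a header is attached
      # only to 2xx/3xx-class responses, so error pages go out without it.
      # Only the CSP line below carries "always"; consider it for the rest.
      #
      # NOTE(review): "preload" has no effect as written - preload-list
      # submission requires includeSubDomains and max-age >= 31536000,
      # while this value is 30 days.
      add_header Strict-Transport-Security "max-age=2592000; preload";
      add_header X-Frame-Options SAMEORIGIN;
      add_header X-Content-Type-Options nosniff;
      # X-XSS-Protection is a legacy header that current browsers ignore.
      add_header X-XSS-Protection "1; mode=block";
      # "always" is an nginx add_header parameter and belongs outside the
      # quoted value. It was previously inside the string, where browsers
      # saw it as an invalid CSP source expression and nginx never applied
      # the always behaviour.
      # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in default-src mean
      # this policy gives little protection against script injection.
      add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'; upgrade-insecure-requests" always;
      add_header Referrer-Policy "strict-origin-when-cross-origin";
      ssl_session_timeout 1d;

      ##
      # Logging Settings
      ##

      access_log /var/log/nginx/access.log;
      error_log /var/log/nginx/error.log;

      ##
      # Gzip Settings
      ##

      # NOTE(review): compressing TLS responses that mix secrets with
      # attacker-influenced content is the precondition for BREACH-style
      # attacks; confirm that the served applications are not affected.
      gzip on;
      gzip_disable "msie6";
      # gzip_vary on;
      # gzip_proxied any;
      # gzip_comp_level 6;
      # gzip_buffers 16 8k;
      # gzip_http_version 1.1;
      # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

      ##
      # Virtual Host Configs
      ##

      include /etc/nginx/conf.d/*.conf;
      include /etc/nginx/sites-enabled/*;
  }

  #mail {
  # # See sample authentication script at:
  # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
  #
  # # auth_http localhost/auth.php;
  # # pop3_capabilities "TOP" "USER";
  # # imap_capabilities "IMAP4rev1" "UIDPLUS";
  #
  # server {
  # listen localhost:110;
  # protocol pop3;
  # proxy on;
  # }
  #
  # server {
  # listen localhost:143;
  # protocol imap;
  # proxy on;
  # }
  #}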