ini 终极nginx配置,提高了安全性和性能。



#
# /etc/nginx/nginx.conf
#
# Main context. Directive order matters here: the dynamic-modules include
# must come before any directive that a loaded module provides (the http
# block below uses more_set_headers from the headers-more module).

# Unprivileged account the workers drop to after the master binds its ports.
user http;
# A single worker; `auto` would size this to the CPU count.
worker_processes 1;
# Negative value = higher scheduling priority for the workers.
worker_priority -10;

# Per-worker open-file limit; sized well above worker_connections (events block).
worker_rlimit_nofile 260000;
timer_resolution 100ms;

# JIT-compile location/rewrite regexes (needs PCRE built with JIT support).
pcre_jit on;
# load_module lines live here; must precede any module-provided directive.
include /etc/nginx/conf.d/dynamic-modules.conf;

#pid /var/log/nginx/nginx.pid;

events {
  # Per-worker connection cap; with worker_processes 1 this is the server total
  # and must stay below worker_rlimit_nofile.
  worker_connections  50000;
  # Mutex is pointless with one worker; the delay only applies when it is on.
  accept_mutex off;
  accept_mutex_delay 200ms;
  # Linux-specific event method; remove on other platforms.
  use epoll;
  #multi_accept on;
}

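http {
  # Hash table sizing for map / server_name / variable lookups.
  map_hash_bucket_size 128;
  map_hash_max_size 4096;
  server_names_hash_bucket_size 128;
  server_names_hash_max_size 2048;
  variables_hash_max_size 2048;

  # Request-rate zone keyed by client address (40 requests/minute). Declaring
  # the zone does nothing on its own: it takes effect only where a location
  # applies it, e.g. `limit_req zone=xwplogin burst=5 nodelay;` on the login
  # endpoint in sites-enabled/*.
  limit_req_zone $binary_remote_addr zone=xwplogin:16m rate=40r/m;
  #limit_conn_zone $binary_remote_addr zone=xwpconlimit:16m;

  # Requires the headers-more module (loaded through conf.d/dynamic-modules.conf
  # in the main context); without it nginx refuses to start. Replaces the banner
  # that server_tokens off only trims.
  more_set_headers "Server: nginx";
  more_set_headers "X-Powered-By: Angel";

  include /etc/nginx/conf.d/geoip.conf;
  include /etc/nginx/conf.d/fastcgi_param_https_map.conf;

  # Log formats. access_log below uses the built-in "combined" format, so
  # main / ddos-proxy / main_ext are only used if a server in sites-enabled/*
  # names them. $http_x_forwarded_for and $http_x_real_ip are copied from
  # client-supplied headers and are only meaningful behind a trusted proxy.
  log_format  main  '$remote_addr - $remote_user [$time_local] $request '
              '"$status" $body_bytes_sent "$http_referer" '
              '"$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'
              ' "$connection" "$connection_requests" "$request_time"';

  log_format  ddos-proxy '$remote_addr for $http_x_real_ip - $remote_user [$time_local] $request '
              '"$status" $body_bytes_sent "$http_referer" '
              '"$http_user_agent" "$http_x_forwarded_for" "$gzip_ratio"'
              ' "$connection" "$connection_requests" "$request_time"';
  log_format  main_ext '$remote_addr - $remote_user [$time_local] "$request" '
              '$status $body_bytes_sent "$http_referer" '
              '"$http_user_agent" "$http_x_forwarded_for" '
              'rt=$request_time ua="$upstream_addr" '
              'us="$upstream_status" ut="$upstream_response_time" '
              'ul="$upstream_response_length" '
              'cs=$upstream_cache_status' ;

  # Buffered access log: up to 128k or 5 minutes of entries may be lost on a
  # crash, which matters if this log feeds incident investigation.
  access_log  /var/log/nginx/access.log combined buffer=128k flush=5m;
  error_log   /var/log/nginx/error.log warn;

  index         index.php index.html;
  include       mime.types;
  default_type  application/octet-stream;
  charset utf-8;

  sendfile on;
  sendfile_max_chunk 512k;
  tcp_nopush  on;
  tcp_nodelay on;
  # Hide the nginx version in the Server header and on error pages.
  server_tokens off;
  server_name_in_redirect off;

  keepalive_timeout  5;
  keepalive_requests 500;
  lingering_time 20s;
  lingering_timeout 5s;
  keepalive_disable msie6;

  # Compression. Because every site here is served over TLS, compressing
  # responses that mix attacker-influenced input with secrets (CSRF tokens,
  # session data) exposes them to BREACH-style attacks; text/html is always
  # compressed, so keep secrets out of compressed dynamic pages or disable
  # gzip for those locations.
  gzip on;
  gzip_vary   on;
  gzip_disable "MSIE [1-6]\.";
  gzip_static on;
  gzip_min_length   1400;
  gzip_buffers      32 8k;
  gzip_http_version 1.0;
  gzip_comp_level 5;
  gzip_proxied    any;
  gzip_types text/plain text/css text/xml application/javascript application/x-javascript application/xml application/xml+rss application/ecmascript application/json image/svg+xml;

  # Request buffering and timeouts. Short header/body timeouts plus
  # reset_timedout_connection limit the damage from slow-request clients.
  client_body_buffer_size 256k;
  client_body_in_file_only off;
  client_body_timeout 10s;
  client_header_buffer_size 64k;
  ## how long a connection has to complete sending
  ## its headers for the request to be processed
  client_header_timeout  5s;
  # Upper bound for uploads (HTTP 413 above this); lower it on sites that do
  # not accept uploads.
  client_max_body_size 50m;
  connection_pool_size  512;
  directio  4m;
  ignore_invalid_headers on;
  large_client_header_buffers 8 64k;
  output_buffers   8 256k;
  postpone_output  1460;
  proxy_temp_path  /tmp/nginx_proxy/;
  request_pool_size  32k;
  reset_timedout_connection on;
  send_timeout     10s;
  types_hash_max_size 2048;

  # for nginx proxy backends to prevent redirects to backend port
  # port_in_redirect off;

  open_file_cache max=50000 inactive=60s;
  open_file_cache_valid 120s;
  open_file_cache_min_uses 2;
  open_file_cache_errors off;
  open_log_file_cache max=10000 inactive=30s min_uses=2;

  ## limit number of concurrent connections per ip to 16
  ## add to your server {} section the next line
  ## limit_conn limit_per_ip 16;
  ## uncomment below line allows 500K sessions
  # limit_conn_log_level error;
  #######################################
  # use limit_zone for Nginx <v1.1.7 and lower
  # limit_zone $binary_remote_addr zone=limit_per_ip:16m;
  #######################################
  # use limit_conn_zone for Nginx >v1.1.8 and higher
  # limit_conn_zone $binary_remote_addr zone=limit_per_ip:16m;
  #######################################

  # ssl settings

  # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were previously enabled here.
  # The TLSv1.3 keyword needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1;
  # drop it if `nginx -t` rejects it, but keep TLSv1.0/1.1 out.
  ssl_protocols TLSv1.2 TLSv1.3;
  # Forward-secret AEAD suites only (the Mozilla "intermediate" set). The
  # former default `HIGH:!aNULL:!MD5` still admitted static-RSA key exchange
  # and CBC suites, and the alternative lists that used to be kept here as
  # comments contained 3DES and RC4, so they were removed rather than kept
  # around for someone to uncomment.
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers on;
  ssl_session_cache      shared:SSL:10m;
  ssl_session_timeout    60m;
  # Tickets stay off: nginx never rotates its ticket key on its own, so a
  # long-lived key would undo forward secrecy for resumed sessions.
  ssl_session_tickets off;

  # Security headers. `always` makes nginx add them to every response
  # (without it only 2xx/3xx get them, so error pages go unprotected).
  # add_header is inherited by a server/location only if that block declares
  # NO add_header of its own -- a site in sites-enabled/* that adds even one
  # header must repeat all of these.
  # HSTS: two years, subdomains included. `preload` is effectively permanent
  # once the domain is submitted to the browser preload list; keep it only
  # when every subdomain is served over HTTPS.
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
  add_header X-Frame-Options DENY always;
  add_header X-Content-Type-Options nosniff always;

  # Site-specific hardening templates. The CSP below allows 'unsafe-inline'
  # and 'unsafe-eval' for scripts, which removes most of its value against
  # XSS; tighten it per site before enabling. X-XSS-Protection is obsolete in
  # current browsers and is kept only for reference.
  #add_header X-Frame-Options SAMEORIGIN;
  #add_header X-XSS-Protection "1; mode=block" always;
  #add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com; object-src 'none'";

  # OCSP stapling: uncomment and point ssl_trusted_certificate at the issuing
  # chain so stapled responses can be verified.
  #ssl_stapling on;
  #ssl_stapling_verify on;
  #ssl_trusted_certificate /etc/letsencrypt/live/example.dom/fullchain.pem;
  # The resolver serves stapling and any hostname upstreams; lookups go to
  # Google DNS in plaintext, so prefer a local resolver where that matters.
  resolver 8.8.8.8 8.8.4.4 valid=300s; # Google DNS Servers
  resolver_timeout 5s;

  # Redirect to HTTPS. The target uses $server_name rather than the
  # client-supplied $host, so it is fixed; with server_name localhost this
  # only makes sense for local testing.
  server {
    listen 80;
    server_name localhost;
    return 301 https://$server_name$request_uri;
  }

  server {
    #listen 80; # Uncomment to also listen for HTTP requests
    listen       443 ssl http2;
    server_name  localhost;

    # DH parameters back the DHE-* suites above; generate with at least
    # 2048 bits (`openssl dhparam -out dhparam.pem 2048`).
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    root   /usr/share/nginx/html;

    location / {
        index  index index.html index.php;
    }

    #error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    # Deny access to dotfiles (.htaccess, .git, .env, ...) while still allowing
    # /.well-known/ for ACME and similar validation. Regex locations are tried
    # in order of appearance, so this block must stay ABOVE the PHP location;
    # otherwise a request for a dotfile ending in .php would match the PHP
    # handler first.
    location ~ /\.(?!well-known) {
        deny  all;
    }

    # pass the PHP scripts to FastCGI server
    location ~ \.php$ {
        # Only hand real files to PHP-FPM. Without this, a URI such as
        # /some/file.jpg/x.php still matches and, with PHP's cgi.fix_pathinfo=1,
        # PHP would fall back to executing file.jpg as a script.
        try_files $uri =404;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
  }

  # Include enabled sites
  include sites-enabled/*;
}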
