aboutsummaryrefslogblamecommitdiff
path: root/files/usr/local/etc/nginx/nginx.conf.common
blob: 6ed42fae1301fb1a9ab3db2e4a6895ad51098ee4 (plain) (tree)
1
2
3
4
                                                
                                                                                                                   






























                                                                                                                                                                 
                                                   













                                                                                                                                                                                                                                                                          




                                           
                                             

   
                                                                       
          
                            









                                             










                                               

                      
 
worker_processes      ${nginx_worker_processes};
worker_rlimit_nofile  ${nginx_nofile};
$([ "${nginx_gssapi:-}"  = true ] && echo 'load_module "/usr/local/libexec/nginx/ngx_http_auth_spnego_module.so";')
$([ "${nginx_dav_ext:-}" = true ] && echo 'load_module "/usr/local/libexec/nginx/ngx_http_dav_ext_module.so";')

events {
  worker_connections  ${nginx_worker_connections};
}

http {
  include       mime.types;
  default_type  application/octet-stream;
  index         index.html;

  aio                   threads;
  aio_write             on;
  sendfile              on;
  directio              4m;
  tcp_nopush            on;
  tcp_nodelay           on;
  keepalive_timeout     65;
  types_hash_max_size   2048;
  server_tokens         off;
  client_max_body_size  5m;
  charset               utf-8;
  gzip                  on;
  gzip_http_version     1.0;
  gzip_types            text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json image/svg+xml;

  proxy_buffers            64 32k;
  proxy_busy_buffers_size  64k;
  fastcgi_buffers          64 32k;

  ssl_session_timeout        1d;
  ssl_session_cache          shared:SSL:10m;
  ssl_session_tickets        off;
$(if [ "${nginx_public:-}" = true ]; then cat <<EOF
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
  ssl_dhparam ${dhparams_path};
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver ${resolvers};
  resolver_timeout 5s;
EOF
else
  cat <<EOF
  ssl_protocols TLSv1.3;
EOF
fi
)
  ssl_prefer_server_ciphers off;

  map \$http_upgrade \$connection_upgrade {
    default upgrade;
    '' keep-alive;
  }

$([ "${nginx_gssapi:-}" = true ] && cat <<EOF
  auth_gss_realm ${realm};
EOF
)

$(if [ "${acme:-}" = true ] && [ "${acme_standalone:-}" != true ]; then
cat <<EOF
  server {
    listen       0.0.0.0:80;
    listen       [::]:80;

    location /.well-known/acme-challenge/ {
      root ${acme_webroot};
      default_type text/plain;
    }

    location / {
      return 301 https://\$host\$request_uri;
    }
  }
EOF
  elif [ "${nginx_redirect:-}" != false ]; then
cat <<EOF
  server {
    listen       0.0.0.0:80;
    listen       [::]:80;

    location / {
      return 301 https://\$host\$request_uri;
    }
  }
EOF
  fi
)

  include vhosts.conf;
}