path: root/files/usr/local/etc/nginx/nginx.conf.common
# Shared nginx configuration, rendered through the shell before use: the
# ${...} parameter references are substituted at render time, and nginx's
# own variables are written with a leading backslash so they survive it.
# Optional sections (SPNEGO module, public TLS profile, ACME/redirect
# listener) are emitted only when the matching shell flag is set to true.
worker_processes      ${nginx_worker_processes};
# Per-worker open-file limit; upstream sockets and buffered files count
# against it, so it is normally set higher than worker_connections.
worker_rlimit_nofile  ${nginx_nofile};
# Kerberos/SPNEGO auth module is loaded only when nginx_gssapi=true; the
# matching auth_gss_* directives further down are gated the same way.
$([ "${nginx_gssapi:-}" = true ] && echo 'load_module "/usr/local/libexec/nginx/ngx_http_auth_spnego_module.so";')

events {
  worker_connections  ${nginx_worker_connections};
}

http {
  include       mime.types;
  # Unknown extensions are served as opaque bytes rather than as text, so
  # a browser does not render unexpected content inline.
  default_type  application/octet-stream;
  index         index.html;

  # File I/O: threaded AIO alongside sendfile; per the nginx docs, files at
  # or above the directio threshold (4m here) bypass sendfile and use AIO.
  aio                   threads;
  aio_write             on;
  sendfile              on;
  directio              4m;
  tcp_nopush            on;
  tcp_nodelay           on;
  keepalive_timeout     65;
  types_hash_max_size   2048;
  # Omit the nginx version from the Server header and error pages.
  server_tokens         off;
  # Request-body cap for every vhost unless overridden there; bounds the
  # upload size an unauthenticated client can push at the server.
  client_max_body_size  5m;
  charset               utf-8;
  # Compression is enabled globally. NOTE(review): compressing responses
  # that mix secrets with attacker-influenced content over TLS is a known
  # risk (BREACH); vhosts serving such pages may want gzip off - confirm per site.
  gzip                  on;
  gzip_http_version     1.0;
  gzip_types            text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript application/json image/svg+xml;

  # Upstream response buffering: up to 64 x 32k (2 MiB) per proxied
  # connection, so memory is bounded by worker_connections times this.
  proxy_buffers            64 32k;
  proxy_busy_buffers_size  64k;
  fastcgi_buffers          64 32k;

  # TLS session resumption uses only the shared server-side cache. Session
  # tickets are disabled because nginx does not rotate its default ticket
  # key, which would weaken forward secrecy for resumed sessions.
  ssl_session_timeout        1d;
  ssl_session_cache          shared:SSL:10m;
  ssl_session_tickets        off;
  # Public profile (nginx_public=true): TLS 1.2 with an ECDHE/DHE, AEAD-only
  # cipher list, TLS 1.3, custom DH parameters and verified OCSP stapling.
  # Stapling needs a resolver; those lookups are plain DNS, so the
  # configured resolvers should be ones this host trusts.
  # Non-public profile: TLS 1.3 only (its suites are fixed by the protocol).
$(if [ "${nginx_public:-}" = true ]; then cat <<EOF
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
  ssl_dhparam ${dhparams_path};
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver ${resolvers};
  resolver_timeout 5s;
EOF
else
  cat <<EOF
  ssl_protocols TLSv1.3;
EOF
fi
)
  # Every offered suite is forward-secret and AEAD, so the client's order is
  # allowed to win (consistent with the Mozilla "intermediate" guidance).
  ssl_prefer_server_ciphers off;

  # WebSocket support for proxied vhosts: the client's Upgrade header value
  # is mapped to the Connection header, falling back to keep-alive.
  map \$http_upgrade \$connection_upgrade {
    default upgrade;
    '' keep-alive;
  }

  # SPNEGO realm settings; only meaningful when the module above is loaded.
$([ "${nginx_gssapi:-}" = true ] && cat <<EOF
  auth_gss_realm ${realm};
  auth_gss_force_realm on;
EOF
)

  # Plain-HTTP listener on port 80. With ACME enabled (and not standalone)
  # it serves challenge files from the webroot and redirects everything
  # else to HTTPS; otherwise, unless nginx_redirect=false, it only redirects.
  # The redirect target comes from the client-supplied Host header; if this
  # is the only server on :80 it acts as the catch-all for any Host value.
  # NOTE(review): fine for a same-host 301, but confirm vhosts.conf declares
  # an explicit default_server if stricter behaviour is wanted.
$(if [ "${acme:-}" = true ] && [ "${acme_standalone:-}" != true ]; then
cat <<EOF
  server {
    listen       0.0.0.0:80;
    listen       [::]:80;

    # ACME tokens have no file extension, so force text/plain instead of
    # the octet-stream default.
    location /.well-known/acme-challenge/ {
      root ${acme_webroot};
      default_type text/plain;
    }

    location / {
      return 301 https://\$host\$request_uri;
    }
  }
EOF
  elif [ "${nginx_redirect:-}" != false ]; then
cat <<EOF
  server {
    listen       0.0.0.0:80;
    listen       [::]:80;

    location / {
      return 301 https://\$host\$request_uri;
    }
  }
EOF
  fi
)

  # Per-site server blocks. Certificates, HSTS and other response headers
  # are expected to be set there - NOTE(review): not visible here, confirm.
  include vhosts.conf;
}