-
Notifications
You must be signed in to change notification settings - Fork 3
/
Copy pathnginx.conf
168 lines (149 loc) · 5.27 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
user www;
worker_processes auto; # Autodetección de núcleos
worker_rlimit_nofile 2048; # Aumentado para mejor rendimiento
# Carga de módulos necesarios
load_module /usr/local/libexec/nginx/ngx_http_modsecurity_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;
events {
worker_connections 2048; # Aumentado para mejor manejo de conexiones
use kqueue; # Optimizado para FreeBSD
multi_accept on;
}
http {
# Configuraciones generales
server_names_hash_bucket_size 64;
server_names_hash_max_size 512;
types_hash_max_size 2048;
variables_hash_max_size 2048;
variables_hash_bucket_size 128;
# Timeouts y buffers
client_body_buffer_size 256k;
client_max_body_size 64m;
client_body_timeout 30s;
client_header_timeout 30s;
keepalive_timeout 30;
send_timeout 30;
keepalive_requests 1000;
reset_timedout_connection on;
large_client_header_buffers 4 16k;
# Caché de archivos abiertos
open_file_cache max=2000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors on;
# MIME types y configuración básica
include mime.types;
default_type application/octet-stream;
charset UTF-8;
server_tokens off;
# Optimizaciones de rendimiento
sendfile on;
tcp_nopush on;
tcp_nodelay on;
aio threads;
directio 4m;
# Caché FastCGI
fastcgi_cache_path /tmp/nginx/cache levels=1:2 keys_zone=WORDPRESS:20m max_size=256m inactive=60m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_cache_use_stale error timeout invalid_header http_500;
fastcgi_cache_valid 200 301 302 60m;
fastcgi_cache_min_uses 1;
fastcgi_buffers 16 16k;
fastcgi_buffer_size 32k;
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
# Configuración Brotli
brotli on;
brotli_comp_level 4;
brotli_static on;
brotli_types
application/atom+xml
application/javascript
application/json
application/rss+xml
application/vnd.ms-fontobject
application/x-font-ttf
application/x-web-app-manifest+json
application/xhtml+xml
application/xml
font/opentype
image/svg+xml
image/x-icon
image/webp
text/css
text/plain
text/x-component
text/xml;
# Encabezados de seguridad globales
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer-when-downgrade" always;
add_header Permissions-Policy "interest-cohort=()";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Configuración SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_buffer_size 4k;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;
# Configuración de IP real para Varnish
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
# CloudFlare IPs
# List from: https://www.cloudflare.com/ips-v4
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 104.16.0.0/12;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 131.0.72.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 162.158.0.0/15;
set_real_ip_from 172.64.0.0/13;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
# List from: https://www.cloudflare.com/ips-v6
set_real_ip_from 2400:cb00::/32;
set_real_ip_from 2606:4700::/32;
set_real_ip_from 2803:f800::/32;
set_real_ip_from 2405:b500::/32;
set_real_ip_from 2405:8100::/32;
set_real_ip_from 2a06:98c0::/29;
set_real_ip_from 2c0f:f248::/32;
# ModSecurity
modsecurity on;
modsecurity_rules_file /usr/local/etc/modsecurity/modsecurity.conf;
modsecurity_rules_file /usr/local/etc/modsecurity/crs-setup.conf;
modsecurity_rules_file /usr/local/etc/modsecurity/ip_blacklist.conf;
# Log Format
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# Default server block
server {
listen 8080 default_server;
listen [::]:8080 default_server;
server_name _;
return 444;
# Error pages
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/local/www/nginx-dist;
internal;
}
}
# Incluir configuraciones de sitios
include conf.d/*.conf;
}