201 lines
5.4 KiB
Text
201 lines
5.4 KiB
Text
###
|
|
## This file comes with the "Angie modules" on https://deb.paranoid.nl/angie-modules
|
|
## It contains various optimizations, examples and tweaks.
|
|
####
|
|
|
|
user www-data;
|
|
|
|
worker_processes auto;
|
|
worker_rlimit_nofile 10000;
|
|
|
|
pid /run/angie.pid;
|
|
include /etc/angie/modules-enabled/*.conf;
|
|
|
|
pcre_jit on;
|
|
|
|
events {
|
|
worker_connections 8192; # this can go as high as ulimit -n
|
|
multi_accept on;
|
|
use epoll;
|
|
}
|
|
|
|
http {
|
|
|
|
##
|
|
# Basic Settings
|
|
##
|
|
|
|
aio threads;
|
|
aio_write on;
|
|
sendfile on;
|
|
directio 256k;
|
|
sendfile_max_chunk 256k;
|
|
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
|
|
include /etc/angie/mime.types;
|
|
server_name_in_redirect off; # if off, angie will use the requested Host header
|
|
source_charset utf-8; # same value as "charset"
|
|
|
|
|
|
###
|
|
## Enable security_headers only if you installed/enabled the module
|
|
###
|
|
# security_headers on;
|
|
|
|
|
|
###
|
|
## Enable other security headers.
|
|
###
|
|
# hide_server_tokens on;
|
|
# fastcgi_hide_header X-Powered-By;
|
|
# server_tokens off;
|
|
|
|
##
|
|
# Optimizing TLS over TCP to reduce latency (Cloudflare patch)
|
|
##
|
|
# ssl_dyn_rec_enable on;
|
|
|
|
##
|
|
# Enable HTTP2 and HTTP3
|
|
#
|
|
http2 on;
|
|
#http3 on;
|
|
|
|
##
|
|
# SSL Settings
|
|
##
|
|
|
|
# Enable only if you are running on a openssl3 build and kernel 4.17 or higher
|
|
# You need to do `modprobe tls` to load the kernel TLS module
|
|
#ssl_conf_command Options KTLS;
|
|
|
|
ssl_protocols TLSv1.3 TLSv1.2;
|
|
ssl_prefer_server_ciphers on;
|
|
ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
|
|
|
|
ssl_dhparam /etc/angie/dhparam.pem;
|
|
ssl_ecdh_curve secp521r1:secp384r1;
|
|
ssl_session_tickets off;
|
|
ssl_early_data on;
|
|
|
|
ssl_session_cache shared:SSL:10m;
|
|
ssl_session_timeout 1440m;
|
|
|
|
# OCSP Stapling
|
|
# fetch OCSP records from URL in ssl_certificate and cache them
|
|
# Please enter your own nameservers for security
|
|
ssl_stapling on;
|
|
ssl_stapling_verify on;
|
|
resolver 1.1.1.1 8.8.8.8 valid=300;
|
|
|
|
##
|
|
# Logging Settings
|
|
##
|
|
|
|
## Log Format
|
|
log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';
|
|
|
|
access_log /var/log/angie/access.log;
|
|
error_log /var/log/angie/error.log;
|
|
|
|
##
|
|
# Gzip Settings
|
|
##
|
|
gzip on;
|
|
gzip_vary on;
|
|
gzip_proxied any;
|
|
gzip_comp_level 6;
|
|
gzip_buffers 16 8k;
|
|
gzip_http_version 1.1;
|
|
gzip_min_length 250;
|
|
gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
|
|
|
|
##
|
|
# Brotli settings (Please load module first!)
|
|
##
|
|
#brotli on;
|
|
#brotli_comp_level 4;
|
|
#brotli_buffers 32 8k;
|
|
#brotli_min_length 1000;
|
|
#brotli_static on;
|
|
#brotli_types image/svg+xml text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon;
|
|
|
|
##
|
|
# ZSTD Settings (Please load module first!)
|
|
##
|
|
#zstd on;
|
|
#zstd_min_length 256; # no less than 256 bytes
|
|
#zstd_comp_level 3; # set the level to #
|
|
#zstd_buffers 32 8k;
|
|
#zstd_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/ xml+rss text/javascript image/x-icon;
|
|
|
|
|
|
###
|
|
## Miscellaneous
|
|
###
|
|
|
|
# cache informations about FDs, frequently accessed files
|
|
# can boost performance, but you need to test those values
|
|
#open_file_cache max=200000 inactive=20s;
|
|
#open_file_cache_valid 30s;
|
|
#open_file_cache_min_uses 2;
|
|
#open_file_cache_errors on;
|
|
|
|
server_names_hash_bucket_size 256;
|
|
server_names_hash_max_size 2048;
|
|
variables_hash_bucket_size 256;
|
|
variables_hash_max_size 2048;
|
|
map_hash_max_size 2048;
|
|
map_hash_bucket_size 256;
|
|
|
|
#postpone_output 1440; # postpone sends to match our machine's MSS
|
|
read_ahead 512K; # kernel read head set to the output_buffers
|
|
output_buffers 4 512k;
|
|
|
|
# Buffer size for POST submissions
|
|
client_body_buffer_size 80K;
|
|
client_max_body_size 16m;
|
|
|
|
# Buffer size for Headers
|
|
client_header_buffer_size 1k;
|
|
|
|
# Timeouts, do not keep connections open longer then necessary to reduce
|
|
# resource usage and deny Slowloris type attacks.
|
|
client_body_timeout 12; # maximum time between packets the client can pause when sending angie any data
|
|
client_header_timeout 12;# maximum time the client has to send the entire header to ngin
|
|
keepalive_timeout 15; # timeout which a single keep-alive client connection will stay open
|
|
keepalive_disable none; # allow all browsers to use keepalive connections
|
|
keepalive_requests 5000; # number of requests per connection, does not affect SPDY
|
|
reset_timedout_connection on; # Allow the server to close the connection after a client stops responding.
|
|
send_timeout 12;
|
|
|
|
##
|
|
# Virtual Host Configs
|
|
##
|
|
|
|
include /etc/angie/conf.d/*.conf;
|
|
include /etc/angie/sites-enabled/*;
|
|
}
|
|
|
|
#mail {
|
|
# # See sample authentication script at:
|
|
# # http://wiki.angie.org/ImapAuthenticateWithApachePhpScript
|
|
#
|
|
# # auth_http localhost/auth.php;
|
|
# # pop3_capabilities "TOP" "USER";
|
|
# # imap_capabilities "IMAP4rev1" "UIDPLUS";
|
|
#
|
|
# server {
|
|
# listen localhost:110;
|
|
# protocol pop3;
|
|
# proxy on;
|
|
# }
|
|
#
|
|
# server {
|
|
# listen localhost:143;
|
|
# protocol imap;
|
|
# proxy on;
|
|
# }
|
|
#}
|