This repository has been archived on 2024-01-26. You can view files and clone it, but cannot push or open issues or pull requests.
nginx-config/nginx.conf

77 lines
2.7 KiB
Nginx Configuration File
Raw Permalink Normal View History

2016-05-21 13:47:21 +02:00
user www-data;
worker_processes 2;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
# definiere mehrere Formate für logfiles
# Format main bindet gegen über dem Default http_x_forwarded_for, gzip_ratio, zeiten und pipe usw.
log_format main '$remote_addr - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
'"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
# das selbe Format nochmal nur mit ausgtauschter Fake IP
log_format ano '0.0.0.0 - $remote_user [$time_local] '
'"$request" $status $bytes_sent '
'"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
'"$gzip_ratio" "$request_time" "$upstream_response_time" "$pipe"';
# dieses Format ist für revers-proxy gedacht um mehr informationen über den Cache Zustand bei der Anfrage zu erhalten
log_format cache '$time_local $upstream_cache_status '
'Cache-Control: $upstream_http_cache_control '
'Expires: $upstream_http_expires '
'"$request" ($status) "$gzip_ratio" '
'"$request_time" "$upstream_response_time" "$pipe"';
access_log /var/log/nginx/access.log main;
upstream ro01 {
server [2001:470:6c:655::2] weight=10;
server local.krautspace.de weight=1;
}
proxy_cache_path /var/lib/nginx/cache keys_zone=statusATro01:10m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES2\
56:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-\
SHA:CAMELLIA128-SHA:AES128-SHA';
ssl_dhparam /etc/ssl/private/dhparams.pem;
add_header Strict-Transport-Security max-age=15768000; # six months
## Use a SSL/TLS cache for SSL session resume.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# setzt die Variable php_https abhängig davon ob es sich um eine https Verbindung handelt, ist für die Weitergabe an php
map $scheme $php_https { default off; https on; }
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
server_tokens off;
# etag ist Ausgeschalten wegen erweiterter möglicher Tracking von Usern
etag off;
# Hier lohnt sich auch ein Blick hinnein
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}