153 lines
5.8 KiB
Nginx Configuration File
153 lines
5.8 KiB
Nginx Configuration File
# /etc/nginx/nginx.conf
|
|
|
|
# load dynamic modules
|
|
load_module /usr/lib/nginx/modules/ngx_http_cookie_flag_filter_module.so;
|
|
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
|
|
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
|
|
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
|
|
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
|
|
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
|
|
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;
|
|
|
|
# PID file
|
|
pid /tmp/nginx.pid;
|
|
|
|
# worker number (default = auto)
|
|
worker_processes {{ WORKER_PROCESSES }};
|
|
|
|
# faster regexp
|
|
pcre_jit on;
|
|
|
|
# config files for dynamic modules
|
|
include /etc/nginx/modules/*.conf;
|
|
|
|
# max open files for each worker
|
|
worker_rlimit_nofile {{ WORKER_RLIMIT_NOFILE }};
|
|
|
|
events {
|
|
# max connections per worker
|
|
worker_connections {{ WORKER_CONNECTIONS }};
|
|
|
|
# epoll seems to be the best on Linux
|
|
use epoll;
|
|
}
|
|
|
|
http {
|
|
# zero copy within the kernel
|
|
sendfile on;
|
|
|
|
# send packets only if filled
|
|
tcp_nopush on;
|
|
|
|
# remove 200ms delay
|
|
tcp_nodelay on;
|
|
|
|
# load mime types and set default one
|
|
include /etc/nginx/mime-types.conf;
|
|
default_type application/octet-stream;
|
|
|
|
# write logs to local syslog
|
|
log_format logf '{{ LOG_FORMAT }}';
|
|
access_log /var/log/nginx/access.log logf;
|
|
error_log /var/log/nginx/error.log {{ LOG_LEVEL }};
|
|
|
|
# temp paths
|
|
proxy_temp_path /tmp/proxy_temp;
|
|
client_body_temp_path /tmp/client_temp;
|
|
fastcgi_temp_path /tmp/fastcgi_temp;
|
|
uwsgi_temp_path /tmp/uwsgi_temp;
|
|
scgi_temp_path /tmp/scgi_temp;
|
|
|
|
# close connections in FIN_WAIT1 state
|
|
reset_timedout_connection on;
|
|
|
|
# timeouts
|
|
client_body_timeout 10;
|
|
client_header_timeout 10;
|
|
keepalive_timeout 15;
|
|
send_timeout 10;
|
|
|
|
# resolvers to use
|
|
resolver {{ DNS_RESOLVERS }} ipv6=off;
|
|
|
|
# remove ports when sending redirects
|
|
port_in_redirect off;
|
|
|
|
# lua path and dicts
|
|
lua_package_path "/opt/bunkerized-nginx/lua/?.lua;/opt/bunkerized-nginx/plugins/?.lua;/opt/bunkerized-nginx/deps/lib/lua/?.lua;;";
|
|
lua_package_cpath "/opt/bunkerized-nginx/deps/lib/?.so;/opt/bunkerized-nginx/deps/lib/lua/?.so;;";
|
|
lua_ssl_trusted_certificate "/opt/bunkerized-nginx/lua/misc/root-ca.pem";
|
|
lua_ssl_verify_depth 2;
|
|
{% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif +%}
|
|
{% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif +%}
|
|
{% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif +%}
|
|
{% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif +%}
|
|
{% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif +%}
|
|
{% if has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif +%}
|
|
{% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif +%}
|
|
{% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif +%}
|
|
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif +%}
|
|
{% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif +%}
|
|
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif +%}
|
|
{% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif +%}
|
|
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif +%}
|
|
{% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif +%}
|
|
{% if has_value("USE_LIMIT_REQ", "yes") %}lua_shared_dict limit_req {{ LIMIT_REQ_CACHE }};{% endif +%}
|
|
lua_shared_dict plugins_data 10m;
|
|
lua_shared_dict reserved_ips 1m;
|
|
{% if has_value("USE_REMOTE_API", "yes") %}lua_shared_dict remote_api 1m;{% endif +%}
|
|
{% if has_value("USE_REMOTE_API", "yes") %}lua_shared_dict remote_api_db 10m;{% endif +%}
|
|
|
|
# shared memory zone for limit_req
|
|
#{% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif +%}
|
|
|
|
# shared memory zone for limit_conn
|
|
{% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif +%}
|
|
|
|
# whitelist or blacklist country
|
|
{% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif +%}
|
|
|
|
# zone for proxy_cache
|
|
{% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif +%}
|
|
|
|
# custom http confs
|
|
include /opt/bunkerized-nginx/http-confs/*.conf;
|
|
|
|
# LUA init block
|
|
include /etc/nginx/init-lua.conf;
|
|
|
|
# default server when MULTISITE=yes
|
|
{% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif +%}
|
|
|
|
# server config(s)
|
|
{% if MULTISITE == "yes" and SERVER_NAME != "" %}
|
|
{% set map_servers = {} %}
|
|
{% for server_name in SERVER_NAME.split(" ") %}
|
|
{% if server_name + "_SERVER_NAME" in all %}
|
|
{% set x = map_servers.update({server_name : all[server_name + "_SERVER_NAME"].split(" ")}) %}
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% for server_name in SERVER_NAME.split(" ") %}
|
|
{% if not server_name in map_servers %}
|
|
{% set found = {"res": false} %}
|
|
{% for first_server, servers in map_servers.items() %}
|
|
{% if server_name in servers %}
|
|
{% set x = found.update({"res" : true}) %}
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% if not found["res"] %}
|
|
{% set x = map_servers.update({server_name : [server_name]}) %}
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% for first_server in map_servers +%}
|
|
include /etc/nginx/{{ first_server }}/server.conf;
|
|
{% endfor %}
|
|
{% elif MULTISITE == "no" +%}
|
|
include /etc/nginx/server.conf;
|
|
{% endif %}
|
|
|
|
# API
|
|
{% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif +%}
|
|
}
|