# Example nginx configuration enabling QUIC/HTTP3 alongside HTTP/1.1 and HTTP/2.
# It is a starting point, not a drop-in: certificate paths, the hostname and the
# listen ports must be adapted, and OCSP stapling still needs a `resolver`.
# pid/lock files under /tmp suit a container; on a shared, multi-user host use a
# directory owned by the nginx user so nobody else can pre-create these names.
pid /tmp/nginx.pid;
lock_file /tmp/nginx.lock;
# One worker per core; raise the fd limit so 8192 connections/worker fit.
worker_processes auto;
worker_rlimit_nofile 65536;
# JIT-compile the PCRE regexes used by `if`/`rewrite`/`location ~`.
pcre_jit on;
events {
    # Linux-only event method; remove on other platforms and let nginx pick.
    use epoll;
    worker_connections 8192;
    # Accept every pending connection per wake-up rather than one at a time.
    multi_accept on;
    # Serialises accept() across workers for plain listeners; listeners declared
    # with `reuseport` get a socket per worker and are not affected by it.
    accept_mutex on;
}
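http {
    # --- Core I/O ---
    sendfile on;
    aio threads;
    tcp_nopush on;
    tcp_nodelay on;

    # --- Slow-client / resource limits ---
    # Release the socket as soon as a client times out instead of lingering,
    # so slow-loris style connections do not pin worker resources.
    reset_timedout_connection on;
    # Max seconds between two successive writes to the client. 2s is aggressive
    # and will cut off genuinely slow clients on large responses; raise if needed.
    send_timeout 2;
    client_body_timeout 60;
    # Bodies above this size spill to client_body_temp_path instead of RAM.
    # The original buffered the full 10M per request in memory, which lets many
    # concurrent uploads multiply into a memory-exhaustion vector; keep it small.
    client_body_buffer_size 128k;
    client_max_body_size 10M;
    keepalive_timeout 60;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;
    types_hash_max_size 4096;

    # --- Protocols (http2/http3 directives need nginx >= 1.25.1) ---
    http2 on;
    http3 on;

    # --- TLS ---
    # TLS 1.3 0-RTT is replayable by design: an on-path attacker can resend a
    # captured early-data request. Harmless for static GET/HEAD; any location
    # that proxies non-idempotent requests must forward $ssl_early_data so the
    # upstream can refuse replays (see `proxy_set_header Early-Data` below).
    ssl_early_data on;
    ssl_session_cache shared:SSL:60m;
    # Tickets off: a ticket key shared across restarts/hosts weakens forward
    # secrecy; server-side cache resumption does not have that problem.
    ssl_session_tickets off;
    # 24h resumption window; shorten if session-bound state must expire sooner.
    ssl_session_timeout 1440m;
    ssl_buffer_size 4k;
    # HTTP/3 requires TLS 1.3; TLS 1.2 remains for the TCP listeners only.
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_ecdh_curve X25519:secp521r1:secp384r1;
    # ssl_ciphers configures TLS 1.2 suites only. OpenSSL does not apply TLS 1.3
    # suite names given here (they were previously duplicated into this list),
    # so each family is now declared exactly once in its proper place.
    ssl_ciphers ECDH+AESGCM+AES256:ECDH+CHACHA20;
    # ssl_conf_command needs nginx >= 1.19.4. PrioritizeChaCha lets clients
    # without AES hardware (mobile) get ChaCha20 despite server preference.
    ssl_conf_command Options ServerPreference,PrioritizeChaCha;
    # TLS 1.3 suites (SSL_CTX_set_ciphersuites); TLS 1.2 names are not valid here.
    ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384;
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    # Used to verify stapled OCSP responses, so it must contain the issuing
    # intermediate(s). Reusing fullchain.pem only works while that file still
    # carries the intermediate next to the leaf; a chain-only file is cleaner.
    ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem;
    # Inert with the ECDHE-only cipher list above (no DHE suites); harmless.
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    # Stapling needs a `resolver` to look up the OCSP responder hostname and this
    # example defines none: nginx will log "no resolver defined" and serve no
    # staple. Add `resolver <your-dns-ip> valid=300s;` in this block.
    ssl_stapling on;
    ssl_stapling_verify on;
    # ssl_ocsp validates *client* certificate chains and does nothing unless
    # ssl_verify_client is on/optional, which this config does not set.
    ssl_ocsp on;
    ssl_ocsp_cache shared:ocspSSL:60m;
    ssl_verify_depth 2;
    # Timeout for name resolution (default 30s); 300s is generous for OCSP lookups.
    resolver_timeout 300s;

    # --- Response headers ---
    # NOTE: add_header is not additive across levels. Any `add_header` inside a
    # server/location block replaces this entire set, so re-declare all of them
    # there. `preload` commits every subdomain to HTTPS in browser preload lists
    # and is hard to undo; drop it unless the domain is being submitted.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    # `always` so error responses carry nosniff too, like the other headers.
    add_header X-Content-Type-Options nosniff always;
    add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive" always;
    # upgrade-insecure-requests only: this is not a content-restricting CSP, and
    # no clickjacking control (frame-ancestors / X-Frame-Options) is set.
    add_header Content-Security-Policy upgrade-insecure-requests always;
    # Advertises HTTP/3. The port must be the *externally* reachable UDP port:
    # nginx listens on 8443 below, so 443 assumes a port mapping in front of it.
    # An unreachable Alt-Svc port costs every client a failed probe. The `quic=`
    # token is the legacy Google-QUIC form and is ignored by current browsers.
    add_header Alt-Svc 'h3=":443"; quic=":443"; ma=86400; persist=1' always;

    # --- QUIC ---
    # Retry forces address validation before the handshake, capping the
    # amplification an attacker can get from spoofed-source Initial packets.
    quic_retry on;
    quic_gso on;

    # --- Logging ---
    # `simple` carries no client address, URI or user agent: fine for TLS
    # telemetry, useless for incident response. Use `debug` (or add $remote_addr
    # and $request to `main`) before relying on these logs for forensics.
    log_format simple '$ssl_server_name $scheme $ssl_alpn_protocol $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher';
    log_format main escape=json '{"@timestamp": "$time_iso8601","ssl_server_name": "$ssl_server_name","scheme": "$scheme","ssl_alpn_protocol": "$ssl_alpn_protocol","status": "$status","ssl_protocol": "$ssl_protocol","server_protocol": "$server_protocol","ssl_curve": "$ssl_curve","ssl_cipher": "$ssl_cipher"}';
    # Fields taken from request headers ($http_x_forwarded_for, $http_cf_ray,
    # $http_x_forwarded_proto) are client-controlled unless a trusted proxy
    # overwrites them; do not treat them as the real client address. $args is
    # logged verbatim, so query-string secrets (tokens, session ids) end up here.
    log_format debug escape=json '{'
        '"@timestamp": "$time_iso8601", '
        '"msec": "$msec", '
        '"connection": "$connection", '
        '"connection_requests": "$connection_requests", '
        '"pid": "$pid", '
        '"request_id": "$request_id", '
        '"request_length": "$request_length", '
        '"remote_addr": "$remote_addr", '
        '"remote_user": "$remote_user", '
        '"remote_port": "$remote_port", '
        '"time_local": "$time_local", '
        '"request": "$request", '
        '"request_uri": "$request_uri", '
        '"args": "$args", '
        '"status": "$status", '
        '"body_bytes_sent": "$body_bytes_sent", '
        '"bytes_sent": "$bytes_sent", '
        '"http_referer": "$http_referer", '
        '"http_user_agent": "$http_user_agent", '
        '"http_x_forwarded_for": "$http_x_forwarded_for", '
        '"http_host": "$http_host", '
        '"host": "$host", '
        '"ssl_server_name": "$ssl_server_name", '
        '"ssl_alpn_protocol": "$ssl_alpn_protocol", '
        '"server_name": "$server_name", '
        '"request_time": "$request_time", '
        '"upstream": "$upstream_addr", '
        '"upstream_connect_time": "$upstream_connect_time", '
        '"upstream_header_time": "$upstream_header_time", '
        '"upstream_response_time": "$upstream_response_time", '
        '"upstream_response_length": "$upstream_response_length", '
        '"upstream_cache_status": "$upstream_cache_status", '
        '"ssl_protocol": "$ssl_protocol", '
        '"ssl_cipher": "$ssl_cipher", '
        '"ssl_curve": "$ssl_curve", '
        '"scheme": "$scheme", '
        '"request_method": "$request_method", '
        '"server_protocol": "$server_protocol", '
        '"pipe": "$pipe", '
        '"gzip_ratio": "$gzip_ratio", '
        '"http_cf_ray": "$http_cf_ray", '
        '"http_x_forwarded_proto": "$http_x_forwarded_proto" '
        '}';
    access_log /dev/stdout simple;
    error_log stderr warn;

    # --- Compression ---
    # Compressing responses over TLS is the BREACH precondition: a page that
    # reflects attacker-controlled input next to a secret becomes extractable.
    # Acceptable for a static site; reconsider before serving dynamic or proxied
    # content (application/json responses are the usual culprit).
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    # Requires the third-party ngx_brotli module to be built in.
    brotli on;
    brotli_comp_level 6;
    brotli_static on;
    brotli_types application/atom+xml application/javascript application/json application/vnd.api+json application/rss+xml
        application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
        application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
        font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
        image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;

    # --- MIME / temp paths ---
    # Also the Content-Type for `return` responses that do not set their own.
    default_type application/octet-stream;
    include /etc/nginx/mime.types;
    # /tmp is fine inside a container; on a shared host point these at a
    # directory owned by the nginx user so other users cannot pre-create them.
    client_body_temp_path /tmp/client_temp;
    proxy_temp_path /tmp/proxy_temp_path;
    fastcgi_temp_path /tmp/fastcgi_temp;

    # --- Proxy defaults (no proxy_pass is defined in this example) ---
    proxy_buffering on;
    proxy_buffer_size 16k;
    proxy_busy_buffers_size 24k;
    proxy_buffers 384 4k;
    proxy_max_temp_file_size 0;
    # Tell any future upstream whether the request arrived as TLS 0-RTT early
    # data ("1") so it can reject replayable non-idempotent requests. Like
    # add_header, proxy_set_header is replaced wholesale by any proxy_set_header
    # in a lower block, so repeat it there.
    proxy_set_header Early-Data $ssl_early_data;

    server {
        # Plain HTTP on 8080 exists only to redirect. TLS on 8443 is served over
        # both TCP (HTTP/1.1, HTTP/2) and UDP/QUIC (HTTP/3); `reuseport` is
        # required for QUIC with several workers, and the firewall must allow
        # UDP as well as TCP on that port.
        listen 8080 default_server fastopen=256;
        listen [::]:8080 default_server fastopen=256;
        listen 8443 default_server quic reuseport;
        listen [::]:8443 default_server quic reuseport;
        listen 8443 default_server ssl fastopen=256;
        listen [::]:8443 default_server ssl fastopen=256;
        server_name test.example.com;

        # Canonicalise everything to https://test.example.com. The redirect
        # target host is a literal, so this cannot become an open redirect.
        # 308 (unlike the 301 the old www-only rule used) keeps method and body,
        # so POST/PUT are not silently downgraded to GET; the generic host check
        # below covers www. as well, so the separate www rule is gone.
        if ($scheme = http) {
            return 308 https://test.example.com$request_uri;
        }
        if ($host != 'test.example.com') {
            return 308 https://test.example.com$request_uri;
        }

        # Method allow-list. HEAD is now included: the previous regex rejected
        # it with 405, which breaks `curl -I`, cache validators and most load
        # balancer health checks, and contradicted limit_except below (GET
        # there implies HEAD). PUT is permitted for parity with the original;
        # the static file handler does not implement it, so it only matters
        # once a proxied location is added.
        if ($request_method !~ ^(GET|HEAD|POST|PUT)$) {
            return 405;
        }

        location / {
            root /var/www/html;
            index index.html index.htm;
            # Defence in depth alongside the server-level check; GET implies HEAD.
            limit_except GET POST PUT {
                deny all;
            }
        }

        location /robots.txt {
            # `return` bodies use default_type, which is application/octet-stream
            # above; without this crawlers receive robots.txt as a binary blob.
            default_type text/plain;
            return 200 "User-agent: *\nDisallow: /\n";
        }
    }
}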