-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
added: configuration file for enabling QUIC and HTTP3
- Loading branch information
Showing
1 changed file
with
171 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,171 @@ | ||
| # This is an example of a configuration file for enabling QUIC and HTTP3. Further configuration is required. | ||
| worker_processes auto; | ||
| worker_rlimit_nofile 65536; | ||
| pid /tmp/nginx.pid; | ||
| lock_file /tmp/nginx.lock; | ||
| pcre_jit on; | ||
|
|
||
| events { | ||
| worker_connections 8192; | ||
| multi_accept on; | ||
| accept_mutex on; | ||
| use epoll; | ||
| } | ||
|
|
||
| http { | ||
| sendfile on; | ||
| aio threads; | ||
| tcp_nopush on; | ||
| tcp_nodelay on; | ||
| reset_timedout_connection on; | ||
| send_timeout 2; | ||
| client_body_timeout 60; | ||
| client_body_buffer_size 10M; | ||
| client_max_body_size 10M; | ||
| keepalive_timeout 60; | ||
| server_tokens off; | ||
| types_hash_max_size 4096; | ||
| http2 on; | ||
| http3 on; | ||
| ssl_early_data on; | ||
| ssl_session_cache shared:SSL:60m; | ||
| ssl_session_tickets off; | ||
| ssl_session_timeout 1440m; | ||
| ssl_buffer_size 4k; | ||
| ssl_protocols TLSv1.3 TLSv1.2; | ||
| ssl_ecdh_curve X25519:secp521r1:secp384r1; | ||
| ssl_ciphers TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDH+AESGCM+AES256:ECDH+CHACHA20; | ||
| ssl_conf_command Options ServerPreference,PrioritizeChaCha; | ||
| ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:ECDH+AESGCM+AES256:ECDH+CHACHA20; | ||
| ssl_prefer_server_ciphers on; | ||
| ssl_certificate /etc/nginx/ssl/fullchain.pem; | ||
| ssl_certificate_key /etc/nginx/ssl/privkey.pem; | ||
| ssl_trusted_certificate /etc/nginx/ssl/fullchain.pem; | ||
| ssl_dhparam /etc/nginx/ssl/dhparam.pem; | ||
| ssl_stapling on; | ||
| ssl_stapling_verify on; | ||
| ssl_ocsp on; | ||
| ssl_ocsp_cache shared:ocspSSL:60m; | ||
| ssl_verify_depth 2; | ||
| resolver_timeout 300s; | ||
| add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; | ||
| add_header X-Content-Type-Options nosniff; | ||
| add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive" always; | ||
| add_header Content-Security-Policy upgrade-insecure-requests always; | ||
| add_header Alt-Svc 'h3=":443"; quic=":443"; ma=86400; persist=1' always; | ||
| add_header QUIC-Status $http3; | ||
| quic_retry on; | ||
| quic_gso on; | ||
| log_format simple '$ssl_server_name $scheme $ssl_alpn_protocol $status $ssl_protocol $server_protocol $ssl_curve $ssl_cipher'; | ||
| log_format main escape=json '{"@timestamp": "$time_iso8601","ssl_server_name": "$ssl_server_name","scheme": "$scheme","ssl_alpn_protocol": "$ssl_alpn_protocol","status": "$status","ssl_protocol": "$ssl_protocol","server_protocol": "$server_protocol","ssl_curve": "$ssl_curve","ssl_cipher": "$ssl_cipher"}'; | ||
| log_format debug escape=json '{' | ||
| '"@timestamp": "$time_iso8601", ' | ||
| '"msec": "$msec", ' | ||
| '"connection": "$connection", ' | ||
| '"connection_requests": "$connection_requests", ' | ||
| '"pid": "$pid", ' | ||
| '"request_id": "$request_id", ' | ||
| '"request_length": "$request_length", ' | ||
| '"remote_addr": "$remote_addr", ' | ||
| '"remote_user": "$remote_user", ' | ||
| '"remote_port": "$remote_port", ' | ||
| '"time_local": "$time_local", ' | ||
| '"request": "$request", ' | ||
| '"request_uri": "$request_uri", ' | ||
| '"args": "$args", ' | ||
| '"status": "$status", ' | ||
| '"body_bytes_sent": "$body_bytes_sent", ' | ||
| '"bytes_sent": "$bytes_sent", ' | ||
| '"http_referer": "$http_referer", ' | ||
| '"http_user_agent": "$http_user_agent", ' | ||
| '"http_x_forwarded_for": "$http_x_forwarded_for", ' | ||
| '"http_host": "$http_host", ' | ||
| '"host": "$host", ' | ||
| '"ssl_server_name": "$ssl_server_name", ' | ||
| '"ssl_alpn_protocol": "$ssl_alpn_protocol", ' | ||
| '"server_name": "$server_name", ' | ||
| '"request_time": "$request_time", ' | ||
| '"upstream": "$upstream_addr", ' | ||
| '"upstream_connect_time": "$upstream_connect_time", ' | ||
| '"upstream_header_time": "$upstream_header_time", ' | ||
| '"upstream_response_time": "$upstream_response_time", ' | ||
| '"upstream_response_length": "$upstream_response_length", ' | ||
| '"upstream_cache_status": "$upstream_cache_status", ' | ||
| '"ssl_protocol": "$ssl_protocol", ' | ||
| '"ssl_cipher": "$ssl_cipher", ' | ||
| '"ssl_curve": "$ssl_curve", ' | ||
| '"scheme": "$scheme", ' | ||
| '"request_method": "$request_method", ' | ||
| '"server_protocol": "$server_protocol", ' | ||
| '"pipe": "$pipe", ' | ||
| '"gzip_ratio": "$gzip_ratio", ' | ||
| '"http_cf_ray": "$http_cf_ray", ' | ||
| '"http_x_forwarded_proto": "$http_x_forwarded_proto" ' | ||
| '}'; | ||
| access_log /dev/stdout simple; | ||
| error_log stderr warn; | ||
| gzip on; | ||
| gzip_vary on; | ||
| gzip_proxied any; | ||
| gzip_comp_level 6; | ||
| gzip_buffers 16 8k; | ||
| gzip_http_version 1.1; | ||
| gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; | ||
|
|
||
| brotli on; | ||
| brotli_comp_level 6; | ||
| brotli_static on; | ||
| brotli_types application/atom+xml application/javascript application/json application/vnd.api+json application/rss+xml | ||
| application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype | ||
| application/x-font-ttf application/x-javascript application/xhtml+xml application/xml | ||
| font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon | ||
| image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml; | ||
|
|
||
| default_type application/octet-stream; | ||
| include /etc/nginx/mime.types; | ||
| client_body_temp_path /tmp/client_temp; | ||
| proxy_temp_path /tmp/proxy_temp_path; | ||
| fastcgi_temp_path /tmp/fastcgi_temp; | ||
|
|
||
| proxy_buffering on; | ||
| proxy_buffer_size 16k; | ||
| proxy_busy_buffers_size 24k; | ||
| proxy_buffers 384 4k; | ||
| proxy_max_temp_file_size 0; | ||
|
|
||
| server { | ||
| listen 8080 default_server fastopen=256; | ||
| listen [::]:8080 default_server fastopen=256; | ||
| listen 8443 default_server quic reuseport; | ||
| listen [::]:8443 default_server quic reuseport; | ||
| listen 8443 default_server ssl fastopen=256; | ||
| listen [::]:8443 default_server ssl fastopen=256; | ||
| server_name test.example.com; | ||
|
|
||
| if ($scheme = http) { | ||
| return 308 https://test.example.com$request_uri; | ||
| } | ||
| if ($host = 'www.test.example.com') { | ||
| rewrite ^/(.*)$ https://test.example.com/$1 permanent; | ||
| } | ||
| if ($host != 'test.example.com') { | ||
| return 308 https://test.example.com$request_uri; | ||
| } | ||
| if ($request_method !~ ^(GET|POST|PUT)$) { | ||
| return '405'; | ||
| } | ||
|
|
||
| location / { | ||
| root /var/www/html; | ||
| index index.html index.htm; | ||
|
|
||
| limit_except GET POST PUT { | ||
| deny all; | ||
| } | ||
| } | ||
|
|
||
| location /robots.txt { | ||
| return 200 "User-agent: *\nDisallow: /\n"; | ||
| } | ||
| } | ||
| } |