forked from macbre/docker-nginx-http3
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx.conf
200 lines (188 loc) · 17.4 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
# vim: sw=2 et filetype=nginx
include 'modules/*.conf';
include 'nginx/*.conf';
error_log '$NGINX_LOG_PATH_ERROR' $NGINX_LOG_ERROR_LEVEL;
pcre_jit on;
pid '/var/run/nginx/nginx.pid';
worker_cpu_affinity auto;
worker_priority 10;
worker_processes $NGINX_WORKER_PROCESSES;
user $USER_NAME $GROUP_NAME;
events {
worker_connections 1024;
include 'debug_connection.conf';
}
http {
include 'mime.types';
log_format main '[$time_iso8601] status:$status domain:$host port:$server_port request_time:$request_time upstream_response_time:$upstream_response_time request_length:$request_length bytes_sent:$body_bytes_sent client_ip:$remote_addr request:"$request" referer:"$http_referer" user_agent:"$http_user_agent"';
# Examples mentioned in readme below
# '"sent_http_name": "$sent_http_name", ' # arbitrary response header field; the last part of a variable name is the field name converted to lower case with dashes replaced by underscores
# '"upstream_http_name": "$upstream_http_name", ' # keep server response header fields. For example, the "Server" response header field is available through the $upstream_http_server variable. The rules of converting header field names to variable names are the same as for the variables that start with the "$http_" prefix. Only the header fields from the response of the last server are saved.
# Pass HTTP request cookies to the log
# '"cookie_name": "$cookie_name", ' # the cookie value
# '"upstream_cookie_name": "$upstream_cookie_name", ' # cookie with the specified name sent by the upstream server in the "Set-Cookie" response header field (1.7.1). Only the cookies from the response of the last server are saved.
# Disabled because json encoded object becomes invalid
# '"binary_remote_addr": "$binary_remote_addr", ' # client address in a binary form, value’s length is always 4 bytes for IPv4 addresses or 16 bytes for IPv6 addresses
# Available as part of the commercial subscription:
# '"session_log_binary_id": "$session_log_binary_id", ' # current session ID in binary form (16 bytes).
# '"session_log_id": "$session_log_id", ' # current session ID;
# '"upstream_queue_time": "$upstream_queue_time", ' # keeps time the request spent in the upstream queue (1.13.9); the time is kept in seconds with millisecond resolution. Times of several responses are separated by commas and colons like addresses in the $upstream_addr variable.
log_format json escape=json '{'
'"body_bytes_sent": "$body_bytes_sent", ' # number of bytes sent to a client, not counting the response header; this variable is compatible with the "%B" parameter of the mod_log_config Apache module
'"brotli_ratio": "$brotli_ratio", ' # Achieved compression ratio, computed as the ratio between the original and compressed response sizes.
'"bytes_sent": "$bytes_sent", ' # number of bytes sent to a client (1.3.8, 1.2.5)
'"connection": "$connection", ' # connection serial number (1.3.8, 1.2.5)
'"connection_requests": "$connection_requests", ' # current number of requests made through a connection (1.3.8, 1.2.5)
'"connection_time": "$connection_time", ' # connection time in seconds with a milliseconds resolution (1.19.10)
'"content_length": "$content_length", ' # "Content-Length" request header field
'"content_type": "$content_type", ' # "Content-Type" request header field
'"document_root": "$document_root", ' # root or alias directive’s value for the current request
'"fastcgi_path_info": "$fastcgi_path_info", ' # the value of the second capture set by the fastcgi_split_path_info directive.
'"fastcgi_script_name": "$fastcgi_script_name", ' # request URI or, if a URI ends with a slash, request URI with an index file name configured by the fastcgi_index directive appended to it.
'"gzip_ratio": "$gzip_ratio", ' # achieved compression ratio, computed as the ratio between the original and compressed response sizes.
'"host": "$host", ' # in this order of precedence: host name from the request line, or host name from the "Host" request header field, or the server name matching a request
'"hostname": "$hostname", ' # host name
'"http2": "$http2", ' # negotiated protocol identifier: "h2" for HTTP/2 over TLS, "h2c" for HTTP/2 over cleartext TCP, or an empty string.
'"http3": "$http3", ' # negotiated protocol identifier: "h3" for HTTP/3 over TLS or an empty string.
'"http_host": "$http_host", ' # the request Host: header
'"http_name": "$http_name", ' # arbitrary request header field; the last part of a variable name is the field name converted to lower case with dashes replaced by underscores
'"http_referer": "$http_referer", ' # HTTP referer
'"http_user_agent": "$http_user_agent", ' # user agent
'"http_x_forwarded_for": "$http_x_forwarded_for", ' # http_x_forwarded_for
'"https": "$https", ' # "on" if connection operates in SSL mode, or an empty string otherwise
'"invalid_referer": "$invalid_referer", ' # Empty string, if the "Referer" request header field value is considered valid, otherwise "1".
'"limit_conn_status": "$limit_conn_status", ' # keeps the result of limiting the number of connections (1.17.6): PASSED, REJECTED, or REJECTED_DRY_RUN
'"limit_rate": "$limit_rate", ' # setting this variable enables response rate limiting; see https://nginx.org/en/docs/http/ngx_http_core_module.html#limit_rate
'"limit_req_status": "$limit_req_status", ' # keeps the result of limiting the request processing rate (1.17.6): PASSED, DELAYED, REJECTED, DELAYED_DRY_RUN, or REJECTED_DRY_RUN
'"msec": "$msec", ' # time in seconds with a milliseconds resolution at the time of the log write
'"nginx_version": "$nginx_version", ' # nginx version
'"pid": "$pid", ' # PID of the worker process
'"pipe": "$pipe", ' # "p" if request was pipelined, "." otherwise
'"proxy_add_x_forwarded_for": "$proxy_add_x_forwarded_for", ' # the "X-Forwarded-For" client request header field with the $remote_addr variable appended to it, separated by a comma. If the "X-Forwarded-For" field is not present in the client request header, the $proxy_add_x_forwarded_for variable is equal to the $remote_addr variable.
'"proxy_host": "$proxy_host", ' # name and port of a proxied server as specified in the proxy_pass directive;
'"proxy_port": "$proxy_port", ' # port of a proxied server as specified in the proxy_pass directive, or the protocol’s default port;
'"query_string": "$query_string", ' # arguments in the request line
'"realip_remote_addr": "$realip_remote_addr", ' # keeps the original client address (1.9.7)
'"realip_remote_port": "$realip_remote_port", ' # keeps the original client port (1.11.0)
'"realpath_root": "$realpath_root", ' # an absolute pathname corresponding to the root or alias directive’s value for the current request, with all symbolic links resolved to real paths
'"remote_addr": "$remote_addr", ' # client address
'"remote_port": "$remote_port", ' # client port
'"remote_user": "$remote_user", ' # user name supplied with the Basic authentication
'"request": "$request", ' # full path no arguments if the request
'"request_body": "$request_body", ' # request body
'"request_body_file": "$request_body_file", ' # name of a temporary file with the request body. At the end of processing, the file needs to be removed.
'"request_completion": "$request_completion", ' # "OK" if a request has completed, or an empty string otherwise
'"request_filename": "$request_filename", ' # file path for the current request, based on the root or alias directives, and the request URI
'"request_id": "$request_id", ' # unique request identifier generated from 16 random bytes, in hexadecimal (1.11.0)
'"request_length": "$request_length", ' # request length (including request line, header, and request body) (1.3.12, 1.2.7)
'"request_method": "$request_method", ' # request method, usually "GET" or "POST"
'"request_time": "$request_time", ' # request processing time in seconds with a milliseconds resolution (1.3.9, 1.2.6); time elapsed between the first bytes were read from the client and the log write after the last bytes were sent to the client
'"request_uri": "$request_uri", ' # full original request URI (with arguments)
'"scheme": "$scheme", ' # request scheme, "http" or "https"
'"server_name": "$server_name", ' # name of the server which accepted a request
'"server_port": "$server_port", ' # port of the server which accepted a request
'"server_protocol": "$server_protocol", ' # request protocol, usually "HTTP/1.0", "HTTP/1.1", "HTTP/2.0", or "HTTP/3.0"
'"ssl_alpn_protocol": "$ssl_alpn_protocol", ' # returns the protocol selected by ALPN during the SSL handshake, or an empty string otherwise (1.21.4);
'"ssl_cipher": "$ssl_cipher", ' # returns the name of the cipher used for an established SSL connection;
'"ssl_ciphers": "$ssl_ciphers", ' # returns the list of ciphers supported by the client (1.11.7).
'"ssl_client_escaped_cert": "$ssl_client_escaped_cert", ' # returns the client certificate in the PEM format (urlencoded) for an established SSL connection (1.13.5);
'"ssl_client_fingerprint": "$ssl_client_fingerprint", ' # returns the SHA1 fingerprint of the client certificate for an established SSL connection (1.7.1);
'"ssl_client_i_dn": "$ssl_client_i_dn", ' # returns the "issuer DN" string of the client certificate for an established SSL connection according to RFC 2253 (1.11.6);
'"ssl_client_raw_cert": "$ssl_client_raw_cert", ' # returns the client certificate in the PEM format for an established SSL connection;
'"ssl_client_s_dn": "$ssl_client_s_dn", ' # returns the "subject DN" string of the client certificate for an established SSL connection according to RFC 2253 (1.11.6);
'"ssl_client_serial": "$ssl_client_serial", ' # returns the serial number of the client certificate for an established SSL connection;
'"ssl_client_v_end": "$ssl_client_v_end", ' # returns the end date of the client certificate (1.11.7);
'"ssl_client_v_remain": "$ssl_client_v_remain", ' # returns the number of days until the client certificate expires (1.11.7);
'"ssl_client_v_start": "$ssl_client_v_start", ' # returns the start date of the client certificate (1.11.7);
'"ssl_client_verify": "$ssl_client_verify", ' # returns the result of client certificate verification: "SUCCESS", "FAILED:reason", and "NONE" if a certificate was not present;
'"ssl_curve": "$ssl_curve", ' # returns the negotiated curve used for SSL handshake key exchange process (1.21.5). Known curves are listed by names, unknown are shown in hexadecimal, for example: prime256v1
'"ssl_curves": "$ssl_curves", ' # returns the list of curves supported by the client (1.11.7). Known curves are listed by names, unknown are shown in hexadecimal, for example: 0x001d:prime256v1:secp521r1:secp384r1
'"ssl_early_data": "$ssl_early_data", ' # returns "1" if TLS 1.3 early data is used and the handshake is not complete, otherwise "" (1.15.3).
'"ssl_protocol": "$ssl_protocol", ' # returns the protocol of an established SSL connection;
'"ssl_server_name": "$ssl_server_name", ' # returns the server name requested through SNI (1.7.0);
'"ssl_session_id": "$ssl_session_id", ' # returns the session identifier of an established SSL connection;
'"ssl_session_reused": "$ssl_session_reused", ' # returns "r" if an SSL session was reused, or "." otherwise (1.5.11).
'"status": "$status", ' # response status (1.3.2, 1.2.2)
'"tcpinfo_rcv_space": "$tcpinfo_rcv_space", ' # Size of the receive buffer in bytes.
'"tcpinfo_rtt": "$tcpinfo_rtt", ' # Round Trip Time measured in microseconds.
'"tcpinfo_rttvar": "$tcpinfo_rttvar", ' # Smoothed Round Trip Time mean deviation maximum measured in microseconds.
'"tcpinfo_snd_cwnd": "$tcpinfo_snd_cwnd", ' # Sending Congestion Window in bytes.
'"time_iso8601": "$time_iso8601", ' # local time in the ISO 8601 standard format (1.3.12, 1.2.7)
'"time_local": "$time_local", ' # local time in the Common Log Format (1.3.12, 1.2.7)
'"uid_got": "$uid_got", ' # The cookie name and received client identifier.
'"uid_reset": "$uid_reset", ' # If the variable is set to a non-empty string that is not "0", the client identifiers are reset. The special value "log" additionally leads to the output of messages about the reset identifiers to the error_log.
'"uid_set": "$uid_set", ' # The cookie name and sent client identifier.
'"upstream": "$upstream_addr", ' # upstream backend server for proxied requests
'"upstream_addr": "$upstream_addr", ' # keeps the IP address and port, or the path to the UNIX-domain socket of the upstream server. If several servers were contacted during request processing, their addresses are separated by commas, e.g. "192.168.1.1:80, 192.168.1.2:80, unix:/tmp/sock". If an internal redirect from one server group to another happens, initiated by "X-Accel-Redirect" or error_page, then the server addresses from different groups are separated by colons, e.g. "192.168.1.1:80, 192.168.1.2:80, unix:/tmp/sock : 192.168.10.1:80, 192.168.10.2:80". If a server cannot be selected, the variable keeps the name of the server group.
'"upstream_bytes_received": "$upstream_bytes_received", ' # number of bytes received from an upstream server (1.11.4). Values from several connections are separated by commas and colons like addresses in the $upstream_addr variable.
'"upstream_bytes_sent": "$upstream_bytes_sent", ' # number of bytes sent to an upstream server (1.15.8). Values from several connections are separated by commas and colons like addresses in the $upstream_addr variable.
'"upstream_cache_status": "$upstream_cache_status", ' # keeps the status of accessing a response cache (0.8.3). The status can be either "MISS", "BYPASS", "EXPIRED", "STALE", "UPDATING", "REVALIDATED", or "HIT".
'"upstream_connect_time": "$upstream_connect_time", ' # keeps time spent on establishing a connection with the upstream server (1.9.1); the time is kept in seconds with millisecond resolution. In case of SSL, includes time spent on handshake. Times of several connections are separated by commas and colons like addresses in the $upstream_addr variable.
'"upstream_header_time": "$upstream_header_time", ' # keeps time spent on receiving the response header from the upstream server (1.7.10); the time is kept in seconds with millisecond resolution. Times of several responses are separated by commas and colons like addresses in the $upstream_addr variable.
'"upstream_response_length": "$upstream_response_length", ' # keeps the length of the response obtained from the upstream server (0.7.27); the length is kept in bytes. Lengths of several responses are separated by commas and colons like addresses in the $upstream_addr variable.
'"upstream_response_time": "$upstream_response_time", ' # keeps time spent on receiving the response from the upstream server; the time is kept in seconds with millisecond resolution. Times of several responses are separated by commas and colons like addresses in the $upstream_addr variable.
'"upstream_status": "$upstream_status", ' # keeps status code of the response obtained from the upstream server. Status codes of several responses are separated by commas and colons like addresses in the $upstream_addr variable. If a server cannot be selected, the variable keeps the 502 (Bad Gateway) status code.
'"uri": "$uri"' # current URI in request, normalized. The value of $uri may change during request processing, e.g. when doing internal redirects, or when using index files.
'"zstd_ratio": "$zstd_ratio"' # Achieved compression ratio, computed as the ratio between the original and compressed response sizes.
'}';
access_log '$NGINX_LOG_PATH_ACCESS' $NGINX_LOG_FORMAT_NAME buffer=64K flush=500ms;
brotli off;
brotli_static on;
client_body_buffer_size 8k;
client_body_timeout 10s;
client_header_buffer_size 8k;
client_header_timeout 5s;
client_max_body_size 0;
default_type 'application/octet-stream';
directio 4m;
etag on;
gzip off;
gzip_static on;
gzip_vary off;
if_modified_since exact;
ignore_invalid_headers on;
keepalive_timeout 300;
log_not_found on;
log_subrequest off;
more_clear_headers 'X-Powered-By';
more_set_headers 'Server: $NGINX_SERVER_HEADER';
proxy_buffering on;
proxy_http_version 1.1;
proxy_redirect off;
proxy_set_header Connection '';
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
resolver $DNS_RESOLVER;
resolver_timeout 3s;
root '/var/www/html';
sendfile on;
server_tokens off;
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
ssl_buffer_size 4k;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_conf_command Options KTLS;
ssl_conf_command Options KTLSTxZerocopySendfile;
ssl_early_data off; # Requests sent within early data are subject to replay attacks. https://datatracker.ietf.org/doc/html/rfc8470
ssl_ocsp_cache shared:OCSP:10m;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m; # about 40_000 sessions
ssl_session_tickets on;
ssl_session_timeout 1d;
ssl_stapling on;
ssl_stapling_verify on;
tcp_nodelay off;
zstd off;
zstd_static on;
include 'njs.conf';
include 'perl.conf';
include 'sites/*.conf';
}