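# configuration file /etc/nginx/nginx.conf:
# nginx.conf
#
# TLS-terminating reverse proxy in front of the upstream pools declared in
# conf.d/cluster/*.conf. This listing is an `nginx -T` dump, so every
# included file follows the main file, each under its own
# "# configuration file" header.

user www-data;

# Pin the worker count to roughly 80% of the CPU cores: fewer context
# switches, and headroom left for fail2ban and similar host services.
worker_processes 16;
pid /run/nginx.pid;

include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 32768;
    multi_accept on;
    use epoll;
}

# Per-worker descriptor limit. Must be >= worker_connections, and a proxied
# request holds two descriptors (client side + upstream side), so it is set
# to exactly double: 2 * 32768 = 65536.
worker_rlimit_nofile 65536;

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30;
    types_hash_max_size 2048;

    # Do not advertise the nginx version in Server headers and error pages.
    server_tokens off;
    server_names_hash_bucket_size 128;
    server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # http-level TLS defaults. conf.d/ssl_settings (pulled in per vhost via
    # cert/star_cert.conf) repeats the same protocol and cipher lists and,
    # being server-level, takes precedence there; keep both copies in sync.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
    ssl_prefer_server_ciphers on;

    # Per-request log line that also records the negotiated TLS version and
    # cipher, and the X-Forwarded-For chain as received (it is client-supplied
    # and is logged verbatim, so treat it as untrusted when analysing logs).
    log_format combined_servername '$remote_addr / $http_x_forwarded_for $server_name - $remote_user [$time_local] '
                                   '$ssl_protocol/$ssl_cipher '
                                   '"$request" $status $body_bytes_sent '
                                   '"$http_referer" "$http_user_agent"';

    # Same as above plus upstream selection and timing, for proxied vhosts.
    log_format upstream_log '[$time_local] $remote_addr - $remote_user - $server_name '
                            '$ssl_protocol/$ssl_cipher '
                            '"$request" $status $body_bytes_sent '
                            '$host to=$upstream_addr upstream_response_time=$upstream_response_time msec=$msec request_time=$request_time '
                            '"$http_referer" "$http_user_agent"';

    access_log /var/log/nginx/access.log upstream_log;
    error_log /var/log/nginx/error.log;

    # Response compression. NOTE(review): compressing responses that carry
    # secrets over TLS is the precondition for BREACH-style attacks, and
    # application/json below covers API replies; confirm the upstreams do not
    # place attacker-influenced input next to tokens, or narrow gzip_types.
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_types text/plain text/css text/js text/xml text/javascript image/svg+xml application/javascript application/x-javascript application/json application/xml application/xml+rss;

    map_hash_bucket_size 128;

    # conf.d first (upstreams, maps, proxy defaults), then the vhosts.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

# The load_module directives below appear to come from
# /etc/nginx/modules-enabled/*.conf (their per-file headers are missing from
# this dump); nginx only accepts load_module in the main context ahead of
# other directives, which the include at the top of nginx.conf satisfies.
load_module modules/ngx_http_auth_pam_module.so;
load_module modules/ngx_http_dav_ext_module.so;
load_module modules/ngx_http_echo_module.so;
load_module modules/ngx_http_geoip_module.so;
load_module modules/ngx_http_geoip2_module.so;
load_module modules/ngx_http_image_filter_module.so;
load_module modules/ngx_http_subs_filter_module.so;
load_module modules/ngx_http_upstream_fair_module.so;
load_module modules/ngx_http_xslt_filter_module.so;
load_module modules/ngx_mail_module.so;
load_module modules/ngx_ssl_ct_module.so;
load_module modules/ngx_http_ssl_ct_module.so;
load_module modules/ngx_stream_module.so;
load_module modules/ngx_stream_geoip_module.so;
load_module modules/ngx_stream_geoip2_module.so;

# configuration file /etc/nginx/mime.types:
# Extension -> Content-Type table used by `include /etc/nginx/mime.types`
# above; anything not listed falls back to default_type.
types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/conf.d/cluster.conf:
# all configs on clusters are in one-file-per-cluster here below
include /etc/nginx/conf.d/cluster/*.conf;

# configuration file /etc/nginx/conf.d/cluster/fe-nodes.conf:
# Backend pool for the postoffice vhost. The hop from this proxy to the
# nodes is plain HTTP on port 80, so the X-Forwarded-Proto / HTTPS headers
# set in proxy_header_settings are the backend's only record of the
# original scheme.
upstream fe-nodes {
    server 10.111.55.104:80 fail_timeout=10 weight=2; # fe-01
    server 10.111.55.102:80 fail_timeout=10 weight=2; # fe-02
    server 10.111.55.103:80 fail_timeout=10 weight=2; # fe-03
}

# configuration file /etc/nginx/conf.d/forward_proto.conf:
# $real_scheme: the scheme seen by the first proxy in the chain. Falls back
# to this listener's own $scheme when no X-Forwarded-Proto header arrived.
# NOTE(review): the header is taken from whoever connects, so a client
# reaching this nginx directly can set X-Forwarded-Proto to any value and
# have it forwarded as authoritative. If a trusted load balancer sits in
# front, gate the map on that balancer's address (e.g. a `geo` block) and
# use $scheme for everyone else.
map $http_x_forwarded_proto $real_scheme {
    default $http_x_forwarded_proto;
    ''      $scheme;
}

# configuration file /etc/nginx/conf.d/header.conf:
# Identifies which balancer answered. NOTE(review): this exposes the
# internal hostname to every client, which server_tokens off is trying to
# avoid for the software version; also, nginx drops http-level add_header
# directives in any server/location that defines its own add_header.
add_header X-LB $hostname always;

# configuration file /etc/nginx/conf.d/proxy.conf:
proxy_temp_path /var/lib/nginx/proxy;
proxy_cache_path /var/lib/nginx/cache levels=1:2 keys_zone=STATIC:10m inactive=10m max_size=10g;

# Global cache key. No vhost in this dump enables proxy_cache; if one does,
# note that the key omits $scheme and the request method, so entries are
# shared across those dimensions.
proxy_cache_key "$host$request_uri";
proxy_cache_use_stale error timeout invalid_header updating;
proxy_ignore_client_abort on;
proxy_http_version 1.1;

# $is_https: 'on' only when this listener itself terminated TLS.
map $scheme $is_https {
    default '';
    http    '';
    https   'on';
}

proxy_cache_path /var/cache/nginx/MAIL keys_zone=MAIL:512m levels=1:2 inactive=5m max_size=5g;

# configuration file /etc/nginx/sites-enabled/postoffice:
server {
    listen 443 ssl http2;
    server_name postoffice.test.me;
    server_tokens off;

    # NOTE(review): with access logging off, PAM/LDAP failures on this
    # externally reachable vhost leave no per-request trace here; the
    # commented combined_servername line below is the ready-made alternative.
    #access_log /var/log/nginx/postoffice.access.log combined_servername;
    access_log off;
    client_max_body_size 16M;

    # Certificate, OCSP stapling and the TLS parameter set.
    include /etc/nginx/cert/star_cert.conf;

    # Restrict access from outside via basic_auth/ldap
    include /etc/nginx/conf.d/ldap_htaccess.list;

    location / {
        proxy_pass http://fe-nodes;
        include /etc/nginx/conf.d/proxy_header_settings;
    }
}

# configuration file /etc/nginx/cert/star_cert.conf:
ssl_certificate cert/star_cert/star_cert.pem;
ssl_certificate_key cert/star_cert/star_cert.key;

# OCSP stapling; the stapled response is validated against CertCA.crt.
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate cert/star_cert/CertCA.crt;

# NOTE(review): the resolver is only used for the OCSP responder lookup, but
# these are public resolvers queried over plain DNS; an internal resolver
# keeps that traffic off the path of third parties.
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
include /etc/nginx/conf.d/ssl_settings;

# configuration file /etc/nginx/conf.d/ssl_settings:
# Server-level TLS parameters (duplicate of the http-level set in
# nginx.conf). ECDHE-RSA-AES128-SHA256 is the one CBC suite in the list;
# everything else is AEAD.
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/nginx/dhparams.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

# configuration file /etc/nginx/conf.d/ldap_htaccess.list:
# LDAP/ou=Web-Access/postoffice
#
# satisfy any: a request passes if EITHER the address rules allow it OR
# PAM authentication succeeds. So 10.0.0.0/8 and loopback get in without
# credentials; everyone else must authenticate. allow/deny evaluate the TCP
# peer address (no set_real_ip_from appears in this dump), so a forged
# X-Forwarded-For does not change the outcome.
satisfy any;
allow 10.0.0.0/8;
allow 127.0.0.1;
# Access against the ldap
auth_pam "Staff Area";
auth_pam_service_name "nginx.stgtest";
deny all;

# configuration file /etc/nginx/conf.d/proxy_header_settings:
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
# $proxy_add_x_forwarded_for appends $remote_addr to any incoming
# X-Forwarded-For, so the backend should trust only the last entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $real_scheme;
proxy_set_header HTTPS $is_https;
proxy_pass_header Set-Cookie;
proxy_pass_header Expires;
proxy_pass_header ETag;
proxy_pass_header Last-Modified;
proxy_pass_header Content-Length;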