# /etc/nginx/nginx.conf # load dynamic modules load_module /usr/lib/nginx/modules/ngx_http_cookie_flag_filter_module.so; load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so; load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so; load_module /usr/lib/nginx/modules/ngx_http_lua_module.so; load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so; load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so; load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so; # PID file pid /tmp/nginx.pid; # worker number (default = auto) worker_processes {{ WORKER_PROCESSES }}; # faster regexp pcre_jit on; # config files for dynamic modules include /etc/nginx/modules/*.conf; # max open files for each worker worker_rlimit_nofile {{ WORKER_RLIMIT_NOFILE }}; events { # max connections per worker worker_connections {{ WORKER_CONNECTIONS }}; # epoll seems to be the best on Linux use epoll; } http { # zero copy within the kernel sendfile on; # send packets only if filled tcp_nopush on; # remove 200ms delay tcp_nodelay on; # load mime types and set default one include /etc/nginx/mime-types.conf; default_type application/octet-stream; # write logs to local syslog log_format logf '{{ LOG_FORMAT }}'; access_log /var/log/nginx/access.log logf; error_log /var/log/nginx/error.log {{ LOG_LEVEL }}; # temp paths proxy_temp_path /tmp/proxy_temp; client_body_temp_path /tmp/client_temp; fastcgi_temp_path /tmp/fastcgi_temp; uwsgi_temp_path /tmp/uwsgi_temp; scgi_temp_path /tmp/scgi_temp; # close connections in FIN_WAIT1 state reset_timedout_connection on; # timeouts client_body_timeout 10; client_header_timeout 10; keepalive_timeout 15; send_timeout 10; # resolvers to use resolver {{ DNS_RESOLVERS }} ipv6=off; # remove ports when sending redirects port_in_redirect off; # lua path and dicts lua_package_path "/opt/bunkerized-nginx/lua/?.lua;/opt/bunkerized-nginx/plugins/?.lua;/opt/bunkerized-nginx/deps/lib/lua/?.lua;;"; lua_package_cpath "/opt/bunkerized-nginx/deps/lib/?.so;/opt/bunkerized-nginx/deps/lib/lua/?.so;;"; lua_ssl_trusted_certificate "/opt/bunkerized-nginx/lua/misc/root-ca.pem"; lua_ssl_verify_depth 2; {% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif +%} {% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif +%} {% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif +%} {% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif +%} {% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif +%} {% if has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif +%} {% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif +%} {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif +%} {% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif +%} {% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif +%} {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif +%} {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif +%} {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif +%} {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif +%} {% if has_value("USE_LIMIT_REQ", "yes") %}lua_shared_dict limit_req {{ LIMIT_REQ_CACHE }};{% endif +%} lua_shared_dict plugins_data 10m; lua_shared_dict reserved_ips 1m; {% if has_value("USE_REMOTE_API", "yes") %}lua_shared_dict remote_api 1m;{% endif +%} {% if has_value("USE_REMOTE_API", "yes") %}lua_shared_dict remote_api_db 10m;{% endif +%} # shared memory zone for limit_req #{% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif +%} # shared memory zone for limit_conn {% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif +%} # whitelist or blacklist country {% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif +%} # zone for proxy_cache {% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif +%} # custom http confs include /opt/bunkerized-nginx/http-confs/*.conf; # LUA init block include /etc/nginx/init-lua.conf; # default server when MULTISITE=yes {% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif +%} # server config(s) {% if MULTISITE == "yes" and SERVER_NAME != "" %} {% set map_servers = {} %} {% for server_name in SERVER_NAME.split(" ") %} {% if server_name + "_SERVER_NAME" in all %} {% set x = map_servers.update({server_name : all[server_name + "_SERVER_NAME"].split(" ")}) %} {% endif %} {% endfor %} {% for server_name in SERVER_NAME.split(" ") %} {% if not server_name in map_servers %} {% set found = {"res": false} %} {% for first_server, servers in map_servers.items() %} {% if server_name in servers %} {% set x = found.update({"res" : true}) %} {% endif %} {% endfor %} {% if not found["res"] %} {% set x = map_servers.update({server_name : [server_name]}) %} {% endif %} {% endif %} {% endfor %} {% for first_server in map_servers +%} include /etc/nginx/{{ first_server }}/server.conf; {% endfor %} {% elif MULTISITE == "no" +%} include /etc/nginx/server.conf; {% endif %} # API {% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif +%} }