# /etc/nginx/nginx.conf
# Jinja-style template: the double-brace placeholders and the if/for tags are
# resolved when the file is rendered, and only the result is read by nginx.
# Placeholder values are inserted as-is, with no quoting or escaping visible
# here, so they are expected to come from the operator's own configuration.
# has_value() is supplied by the renderer and is not defined in this file
# (presumably true when the named setting has the given value - confirm).

# load dynamic modules
# these shared objects run inside the nginx processes; keep the module
# directory owned by root and not writable by the worker user
load_module /usr/lib/nginx/modules/ngx_http_cookie_flag_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;

# run in foreground
daemon off;

# PID file
# NOTE(review): the PID file, the temp paths and the proxy cache all live
# under /tmp, which is normally world-writable; keep /tmp private to this
# service (dedicated container or mount) so that no other local user can
# pre-create these paths
pid /tmp/nginx.pid;

# worker number = CPU core(s)
worker_processes auto;

# faster regexp
pcre_jit on;

# config files for dynamic modules
include /etc/nginx/modules/*.conf;

# max open files for each worker
worker_rlimit_nofile {{ WORKER_RLIMIT_NOFILE }};

events {
    # max connections per worker
    worker_connections {{ WORKER_CONNECTIONS }};

    # epoll seems to be the best on Linux
    use epoll;
}

http {
    # zero copy within the kernel
    sendfile on;

    # send packets only if filled
    tcp_nopush on;

    # remove 200ms delay
    tcp_nodelay on;

    # load mime types and set default one
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # write logs to files under /var/log (nothing in this file sends them
    # to syslog; NOTE(review): presumably they are forwarded or linked
    # elsewhere - confirm)
    # LOG_FORMAT is placed between single quotes unescaped, so a value
    # containing a single quote would break or alter this directive
    log_format logf '{{ LOG_FORMAT }}';
    access_log /var/log/access.log logf;
    error_log /var/log/error.log {{ LOG_LEVEL }};

    # temp paths (all under /tmp, see the note on the PID file)
    proxy_temp_path /tmp/proxy_temp;
    client_body_temp_path /tmp/client_temp;
    fastcgi_temp_path /tmp/fastcgi_temp;
    uwsgi_temp_path /tmp/uwsgi_temp;
    scgi_temp_path /tmp/scgi_temp;

    # reset timed-out connections instead of leaving sockets in FIN_WAIT1
    reset_timedout_connection on;

    # timeouts, in seconds; short values bound how long a slow or idle
    # client can hold a connection open
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 15;
    send_timeout 10;

    # resolvers to use (IPv6 address lookups disabled)
    # answers from these servers decide where nginx and the Lua code
    # connect, so DNS_RESOLVERS should point at resolvers on a trusted network
    resolver {{ DNS_RESOLVERS }} ipv6=off;

    # remove ports when sending redirects
    port_in_redirect off;

    # lua path and dicts
    # the trailing ";;" keeps the default Lua search path after this one
    lua_package_path "/usr/local/lib/lua/?.lua;;";
    # each shared dict is declared only when its feature is set to "yes";
    # the Lua code that reads and writes them is not part of this file
    {% if has_value("USE_WHITELIST_IP", "yes") %}lua_shared_dict whitelist_ip_cache 10m;{% endif %}
    {% if has_value("USE_WHITELIST_REVERSE", "yes") %}lua_shared_dict whitelist_reverse_cache 10m;{% endif %}
    {% if has_value("USE_BLACKLIST_IP", "yes") %}lua_shared_dict blacklist_ip_cache 10m;{% endif %}
    {% if has_value("USE_BLACKLIST_REVERSE", "yes") %}lua_shared_dict blacklist_reverse_cache 10m;{% endif %}
    {% if has_value("USE_DNSBL", "yes") %}lua_shared_dict dnsbl_cache 10m;{% endif %}
    {% if has_value("BLOCK_PROXIES", "yes") %}lua_shared_dict proxies_data 250m;{% endif %}
    {% if has_value("BLOCK_ABUSERS", "yes") %}lua_shared_dict abusers_data 50m;{% endif %}
    {% if has_value("BLOCK_TOR_EXIT_NODE", "yes") %}lua_shared_dict tor_exit_nodes_data 1m;{% endif %}
    {% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_data 1m;{% endif %}
    {% if has_value("BLOCK_USER_AGENT", "yes") %}lua_shared_dict user_agents_cache 10m;{% endif %}
    {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_data 1m;{% endif %}
    {% if has_value("BLOCK_REFERRER", "yes") %}lua_shared_dict referrers_cache 10m;{% endif %}
    {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_ban 10m;{% endif %}
    {% if has_value("USE_BAD_BEHAVIOR", "yes") %}lua_shared_dict behavior_count 10m;{% endif %}

    # shared memory zone for limit_req
    # only the zone is declared here; limit_req itself is applied elsewhere
    # NOTE(review): the key is client address + URI, so the rate is counted
    # per client per URI rather than per client overall, and every distinct
    # pair takes an entry in the zone - size LIMIT_REQ_CACHE accordingly
    {% if has_value("USE_LIMIT_REQ", "yes") %}limit_req_zone $binary_remote_addr$uri zone=limit:{{ LIMIT_REQ_CACHE }} rate={{ LIMIT_REQ_RATE }};{% endif %}

    # shared memory zone for limit_conn, keyed by client address
    # NOTE(review): behind a load balancer or reverse proxy the client
    # address is the proxy's unless the real client address is restored
    # elsewhere - not visible in this file, confirm
    {% if has_value("USE_LIMIT_CONN", "yes") %}limit_conn_zone $binary_remote_addr zone=ddos:{{ LIMIT_CONN_CACHE }};{% endif %}

    # whitelist or blacklist country (included when either list is non-empty)
    {% if BLACKLIST_COUNTRY != "" or WHITELIST_COUNTRY != "" %}include /etc/nginx/geoip.conf;{% endif %}

    # zone for proxy_cache (stored under /tmp, see the note on the PID file)
    {% if has_value("USE_PROXY_CACHE", "yes") %}proxy_cache_path /tmp/proxy_cache keys_zone=proxycache:{{ PROXY_CACHE_PATH_ZONE_SIZE }} {{ PROXY_CACHE_PATH_PARAMS }};{% endif %}

    # custom http confs
    # every *.conf in this directory is loaded into the http context with
    # full effect, so the directory should be writable by administrators only
    include /http-confs/*.conf;

    # LUA init block
    include /etc/nginx/init-lua.conf;

    # default server when MULTISITE=yes
    {% if MULTISITE == "yes" %}include /etc/nginx/multisite-default-server.conf;{% endif %}

    # server config(s), emitted only when SWARM_MODE is "no":
    # one include per space-separated SERVER_NAME entry when MULTISITE is
    # "yes", otherwise the single /etc/nginx/server.conf
    # NOTE(review): each entry is used unescaped as a directory name, and
    # split(" ") yields an empty entry for doubled or trailing spaces -
    # confirm SERVER_NAME is validated and normalised before rendering
    {% if SWARM_MODE == "no" %}
    {% if MULTISITE == "yes" %}
    {% for server_name in SERVER_NAME.split(" ") %}
    include /etc/nginx/{{ server_name }}/server.conf;
    {% endfor %}
    {% else %}
    include /etc/nginx/server.conf;
    {% endif %}
    {% endif %}

    # API
    {% if USE_API == "yes" %}include /etc/nginx/api.conf;{% endif %}
}