cryptofuture · seonghobae · Sep 2, 2019 · Sep 2, 2019 · Sep 2, 2019 · Sep 2, 2019
diff --git a/debian/nginx.conf b/debian/nginx.conf
@@ -2,55 +2,81 @@ user www-data;
 # www-data for php-fpm, nginx user works with static content only
 worker_processes auto;
 pid /var/run/nginx.pid;
+
 # Note: Use only modules you need to use. With dynamic modules this is pretty easy.
-#load_module modules/ndk_http_module.so;
-#load_module modules/ngx_http_geoip_module.so;
-#load_module modules/ngx_stream_geoip_module.so;
-#load_module modules/ngx_http_headers_more_filter_module.so;
-#load_module modules/ngx_http_image_filter_module.so;
-#load_module modules/ngx_http_length_hiding_filter_module.so;
-#load_module modules/ngx_http_lua_module.so;
-#load_module modules/ngx_http_naxsi_module.so;
-#load_module modules/ngx_http_js_module.so;
-#load_module modules/ngx_stream_js_module.so;
-#load_module modules/ngx_pagespeed.so;
-#load_module modules/ngx_http_perl_module.so;
-#load_module modules/ngx_stream_module.so;
-#load_module modules/ngx_mail_module.so;
-#load_module modules/ngx_http_rds_json_filter_module.so;
-#load_module modules/ngx_http_session_binding_proxy_module.so;
-#load_module modules/ngx_http_testcookie_access_module.so;
-#load_module modules/ngx_http_upstream_order_module.so;
-#load_module modules/ngx_http_xslt_filter_module.so;
-## ngx_brotli filter module - used to compress responses on-the-fly.
-#load_module modules/ngx_http_brotli_filter_module.so;
-## ngx_brotli static module - used to serve pre-compressed files.
-## Both ngx_brotli modules could be used separately, but part of nginx-module-brotli package
-#load_module modules/ngx_http_brotli_static_module.so;
-#load_module modules/ngx_postgres_module.so;
-#load_module modules/ngx_nchan_module.so;
-#load_module modules/ngx_http_auth_pam_module.so;
-#load_module modules/ngx_http_echo_module.so;
-#load_module modules/ngx_http_upstream_fair_module.so;
-#load_module modules/ngx_http_cache_purge_module.so;
-#load_module modules/ngx_http_fancyindex_module.so;
-#load_module modules/ngx_http_uploadprogress_module.so;
-#load_module modules/ngx_http_subs_filter_module.so;
-#load_module modules/ngx_http_graphite_module.so;
-#load_module modules/ngx_http_vhost_traffic_status_module.so;
-#load_module modules/ngx_ssl_ct_module.so 
-#load_module modules/ngx_http_ssl_ct_module.so 
-#load_module modules/ngx_mail_ssl_ct_module.so 
-#load_module modules/ngx_stream_ssl_ct_module.so
-#load_module modules/ngx_rtmp_module.so;
-#load_module modules/ngx_http_ts_module.so.so;
-#load_module modules/ngx_http_stream_server_traffic_status_module.so;
-#load_module modules/ngx_stream_server_traffic_status_module.so;
-#load_module modules/ngx_http_geoip2_module.so;
-#load_module modules/ngx_stream_geoip2_module.so;
+
+    # HTTP related modules first
+        #load_module modules/ndk_http_module.so;
+        #load_module modules/ngx_http_headers_more_filter_module.so;
+        #load_module modules/ngx_http_image_filter_module.so;
+        #load_module modules/ngx_http_length_hiding_filter_module.so;
+        #load_module modules/ngx_http_lua_module.so;
+        #load_module modules/ngx_http_naxsi_module.so;
+        #load_module modules/ngx_http_js_module.so;
+        #load_module modules/ngx_http_perl_module.so;
+        #load_module modules/ngx_http_rds_json_filter_module.so;
+        #load_module modules/ngx_http_session_binding_proxy_module.so;
+        #load_module modules/ngx_http_testcookie_access_module.so;
+        #load_module modules/ngx_http_xslt_filter_module.so;
+        #load_module modules/ngx_http_auth_pam_module.so;
+        #load_module modules/ngx_http_echo_module.so;
+        #load_module modules/ngx_http_cache_purge_module.so;
+        #load_module modules/ngx_http_fancyindex_module.so;
+        #load_module modules/ngx_http_uploadprogress_module.so;
+        #load_module modules/ngx_http_subs_filter_module.so;
+        #load_module modules/ngx_http_graphite_module.so;
+        #load_module modules/ngx_http_ts_module.so;
+
+        ## ngx_brotli filter module - used to compress responses on-the-fly.
+            #load_module modules/ngx_http_brotli_filter_module.so;
+        ## ngx_brotli static module - used to serve pre-compressed files.
+        ## Both ngx_brotli modules could be used separately, but part of nginx-module-brotli package
+            #load_module modules/ngx_http_brotli_static_module.so;
+
+    # GeoIP related
+        #load_module modules/ngx_http_geoip_module.so;
+        #load_module modules/ngx_stream_geoip_module.so;
+        #load_module modules/ngx_http_geoip2_module.so;
+        #load_module modules/ngx_stream_geoip2_module.so;
+
+    # HTTPS PROXY related
+        #load_module modules/ngx_http_proxy_connect_module.so;
+
+    # TCP Stream related modules
+        #load_module modules/ngx_stream_module.so;
+        #load_module modules/ngx_stream_js_module.so;
+        #load_module modules/ngx_http_stream_server_traffic_status_module.so;
+        #load_module modules/ngx_stream_server_traffic_status_module.so;
+
+    # Upstream related modules
+        #load_module modules/ngx_http_upstream_fair_module.so;
+        #load_module modules/ngx_http_upstream_order_module.so;
+
+    # Mail related modules
+        #load_module modules/ngx_mail_module.so;
+
+    # SSL
+        #load_module modules/ngx_ssl_ct_module.so;
+        #load_module modules/ngx_http_ssl_ct_module.so;
+        #load_module modules/ngx_mail_ssl_ct_module.so;
+        #load_module modules/ngx_stream_ssl_ct_module.so;
+
+    # Webpage optimization
+        #load_module modules/ngx_pagespeed.so;
+        #load_module modules/ngx_http_vhost_traffic_status_module.so;
+
+    # Database    
+        #load_module modules/ngx_postgres_module.so;
+
+    # ETC
+        #load_module modules/ngx_nchan_module.so;
+        #load_module modules/ngx_rtmp_module.so;
+
 
 events {
     worker_connections 768;
+    # multi_accept  on;
+    # use epoll;
 }
 
 # Separate stream location files
@@ -59,63 +85,75 @@ include /etc/nginx/sites-enabled/*.stream;
 http {
 
     # Basic Settings
-    sendfile on;
-    tcp_nopush on;
-    tcp_nodelay on;
-    types_hash_max_size 2048;
-    server_tokens off;
-    ignore_invalid_headers on;
+        sendfile on;
+        tcp_nopush on;
+        tcp_nodelay on;
+        types_hash_max_size 2048;
+        server_tokens off;
+        ignore_invalid_headers on;
 
     # Decrease default timeouts to drop slow clients
-    keepalive_timeout 40s;
-    send_timeout 20s;
-    client_header_timeout 20s;
-    client_body_timeout 20s;
-    reset_timedout_connection on;
+        keepalive_timeout 40s;
+        send_timeout 20s;
+        client_header_timeout 20s;
+        client_body_timeout 20s;
+        reset_timedout_connection on;
+
+    # Hash sizes
+        server_names_hash_bucket_size 64;
 
-    server_names_hash_bucket_size 64;
+    # mine types
+        default_type  application/octet-stream;
+        include /etc/nginx/mime.types;
 
-    default_type  application/octet-stream;
-    include /etc/nginx/mime.types;
+    # aio threads
+        # aio threads=default;
 
-    log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';
-    access_log /var/log/nginx/access.log main;
-    error_log /var/log/nginx/error.log warn;
+    # log
+        log_format main '$remote_addr - $remote_user [$time_local] "$request" $status $bytes_sent "$http_referer" "$http_user_agent" "$gzip_ratio"';
+        access_log /var/log/nginx/access.log main;
+        error_log /var/log/nginx/error.log warn;
 
     # Limits
-    limit_req_zone  $binary_remote_addr  zone=dos_attack:20m   rate=30r/m;
-
-    gzip on;
-    gzip_disable "msie6";
-    gzip_vary off;
-    gzip_proxied any;
-    gzip_comp_level 2;
-    gzip_min_length 1000;
-    gzip_buffers 16 8k;
-    gzip_http_version 1.1;
-    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/atom+xml;
+        limit_req_zone  $binary_remote_addr  zone=dos_attack:20m   rate=30r/m;
+
+    # Gzip
+        gzip on;
+        gzip_disable "msie6";
+        gzip_vary off;
+        gzip_proxied any;
+        gzip_comp_level 2;
+        gzip_min_length 1000;
+        gzip_buffers 16 8k;
+        gzip_http_version 1.1;
+        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/atom+xml;
+
+    # Brotli
+        # brotli on;
+        # brotli_static on;
 
     # Virtual Host Configs
-    include /etc/nginx/sites-enabled/*.conf;
-
-    # Only allow save protocols
-    #ssl_protocols TLSv1.2 TLSv1.3;
-    # Prefer server side protocols for SSLv3 and TLSv1
-    #ssl_prefer_server_ciphers on;
-    #ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
-    # SSL session cache
-    #ssl_session_cache shared:SSL:50m;
-    #ssl_session_timeout 5m;
-    #ssl_buffer_size 4k;
-    #ssl_session_tickets on;
-
-    # Problem with sect571 and ecdhe ciphers
-    #ssl_ecdh_curve secp384r1:secp521r1;
-
-    #add_header Content-Security-Policy "";
-    #add_header Strict-Transport-Security "max-age=15768000;includeSubDomains;preload";
-    #add_header X-Frame-Options DENY;
-    #add_header X-Content-Type-Options nosniff;
-    #add_header X-XSS-Protection "1; mode=block";
-    #add_header Public-Key-Pins '';
+        include /etc/nginx/sites-enabled/*.conf;
+
+    # SSL and HSTS
+        # Only allow save protocols
+            # ssl_protocols TLSv1.2 TLSv1.3;
+        # Prefer server side protocols for SSLv3 and TLSv1
+            # ssl_prefer_server_ciphers on;
+            # ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256";
+        # SSL session cache
+            # ssl_session_cache shared:SSL:50m;
+            # ssl_session_timeout 5m;
+            # ssl_buffer_size 4k;
+            # ssl_session_tickets on;
+
+        # Problem with sect571 and ecdhe ciphers
+            # ssl_ecdh_curve secp384r1:secp521r1;
+
+        # add_header Content-Security-Policy "";
+        # add_header Strict-Transport-Security "max-age=15768000;includeSubDomains;preload";
+        # add_header X-Frame-Options DENY;
+        # add_header X-Content-Type-Options nosniff;
+        # add_header X-XSS-Protection "1; mode=block";
+        # add_header Public-Key-Pins '';
 }