wcp/src/deb/nginx/nginx.conf at main · ghzhost/wcp · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
# Server globals
user                 hestiaweb;
worker_processes     1;
worker_rlimit_nofile 65535;
error_log            /var/log/hestia/nginx-error.log;
pid                  /run/hestia-nginx.pid;
pcre_jit             on;

# Worker config
events {
	worker_connections 128;
	use                epoll;
	multi_accept       on;
}

http {
	# Main settings
	http2                         on;
	sendfile                      on;
	tcp_nopush                    on;
	tcp_nodelay                   on;
	client_header_timeout         180s;
	client_body_timeout           180s;
	client_header_buffer_size     2k;
	client_body_buffer_size       256k;
	client_max_body_size          1024m;
	large_client_header_buffers   4 8k;
	send_timeout                  60s;
	keepalive_timeout             30s;
	keepalive_requests            1000;
	reset_timedout_connection     on;
	server_tokens                 off;
	server_name_in_redirect       off;
	server_names_hash_max_size    512;
	server_names_hash_bucket_size 512;
	charset                       utf-8;
	# FastCGI settings
	fastcgi_buffers               512 4k;
	fastcgi_buffer_size           256k;
	fastcgi_busy_buffers_size     256k;
	fastcgi_temp_file_write_size  256k;
	fastcgi_connect_timeout       30s;
	fastcgi_read_timeout          600s;
	fastcgi_send_timeout          600s;
	# Proxy settings
	proxy_redirect                off;
	proxy_set_header              Host $host;
	proxy_set_header              Early-Data $rfc_early_data;
	proxy_set_header              X-Real-IP $remote_addr;
	proxy_set_header              X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_pass_header             Set-Cookie;
	proxy_buffers                 256 4k;
	proxy_buffer_size             32k;
	proxy_busy_buffers_size       32k;
	proxy_temp_file_write_size    256k;
	proxy_connect_timeout         30s;
	proxy_read_timeout            300s;
	proxy_send_timeout            180s;
	# Log format
	log_format                    main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
	access_log                    /var/log/hestia/nginx-access.log main;
	# Mime settings
	include                       mime.types;
	default_type                  application/octet-stream;
	# Compression
	gzip                          on;
	gzip_vary                     on;
	gzip_comp_level               6;
	gzip_min_length               1024;
	gzip_buffers                  128 4k;
	gzip_http_version             1.1;
	gzip_types                    text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;
	gzip_proxied                  any;
	# SSL PCI compliance
	ssl_buffer_size               1369;
	ssl_ciphers                   "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256";
	ssl_conf_command              Ciphersuites TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384;
	ssl_conf_command              Options PrioritizeChaCha;
	ssl_dhparam                   /etc/ssl/dhparam.pem;
	ssl_early_data                on;
	ssl_ecdh_curve                auto;
	ssl_prefer_server_ciphers     on;
	ssl_protocols                 TLSv1.2 TLSv1.3;
	ssl_session_cache             shared:SSL:10m;
	ssl_session_tickets           on;
	ssl_session_timeout           7d;
	#Commented out ssl_stapling directives due to Lets Encrypt ending OCSP support in 2025
	#ssl_stapling                  on;
	#ssl_stapling_verify           on;
	resolver                      1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off;
	resolver_timeout              5s;
	# Security headers
	add_header                    X-Content-Type-Options nosniff;
	add_header                    X-Frame-Options SAMEORIGIN;
	add_header                    X-XSS-Protection "1; mode=block";

	# TLS 1.3 0-RTT anti-replay
	map "$request_method:$is_args" $ar_idempotent {
		default 0;
		"~^GET:$|^(HEAD|OPTIONS|TRACE):\?*$" 1;
	}

	map $http_user_agent $ar_support_425 {
		default 0;
		"~Firefox/((58|59)|([6-9]\d)|([1-9]\d{2,}))\.\d+" 1;
	}

	map "$ssl_early_data:$ar_idempotent:$ar_support_425" $anti_replay {
		1:0:0 307;
		1:0:1 425;
	}

	map "$ssl_early_data:$ar_support_425" $rfc_early_data {
		1:1 1;
	}

	# Vhost
	server {
		listen              8083 ssl;
		listen              [::]:8083 ssl;
		server_name         _;
		root                /usr/local/hestia/web;
		# Fix error "The plain HTTP request was sent to HTTPS port"
		error_page          497 https://$host:$server_port$request_uri;
		error_page          403 /error/404.html;
		error_page          404 /error/404.html;
		error_page          410 /error/410.html;
		error_page          500 501 502 503 504 505 /error/50x.html;

		ssl_certificate     /usr/local/hestia/ssl/certificate.crt;
		ssl_certificate_key /usr/local/hestia/ssl/certificate.key;

		# TLS 1.3 0-RTT anti-replay
		if ($anti_replay = 307) { return 307 https://$host:$server_port$request_uri; }
		if ($anti_replay = 425) { return 425; }

		location / {
			expires off;
			index index.php;
		}

		location /error/ {
			expires off;
			internal;
		}

		location /rrd/ {
			expires off;
			internal;
		}

		location /backup/ {
			root /;
			internal;
		}

		location /fm/ {
			alias /usr/local/hestia/web/fm/dist/;
			index index.php;

			location ~ /([^/]+\.php)$ {
				try_files     /$1 =404;
				include       fastcgi_params;
				fastcgi_param HTTP_EARLY_DATA $rfc_early_data if_not_empty;
				fastcgi_param SCRIPT_FILENAME /usr/local/hestia/web/fm/dist/index.php;
				fastcgi_pass  unix:/run/hestia-php.sock;
				fastcgi_index index.php;
			}
		}

		location /_shell/ {
			proxy_pass http://localhost:8085;
			proxy_http_version 1.1;
			proxy_set_header Upgrade $http_upgrade;
			proxy_set_header Connection "Upgrade";
			proxy_set_header X-Real-IP $remote_addr;
		}

		location ~ \.php$ {
			include                  fastcgi_params;
			fastcgi_param            HTTP_EARLY_DATA $rfc_early_data if_not_empty;
			fastcgi_param            SCRIPT_FILENAME /usr/local/hestia/web/$fastcgi_script_name;
			fastcgi_pass             unix:/run/hestia-php.sock;
			fastcgi_intercept_errors on;
			break;
		}
	}
}