boring-nginx: update Dockerfile, optimisations

2025-07-01 22:55:39 +00:00 · 2017-08-08 04:54:27 +02:00
parent d39cd31854
commit 54982bdc04
10 changed files with 44 additions and 26 deletions
--- a/boring-nginx/rootfs/etc/nginx/conf/headers_params
+++ b/boring-nginx/rootfs/etc/nginx/conf/headers_params
@ -0,0 +1,3 @@
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
--- a/boring-nginx/rootfs/etc/nginx/conf/nginx.conf
+++ b/boring-nginx/rootfs/etc/nginx/conf/nginx.conf
@ -0,0 +1,89 @@
+worker_processes auto;
+pid /tmp/nginx.pid;
+daemon off;
+pcre_jit on;
+
+events {
+    worker_connections 2048;
+    use epoll;
+}
+
+http {
+    limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m;
+    limit_conn limit_per_ip 128;
+    limit_req_zone $binary_remote_addr zone=allips:10m rate=150r/s;
+    limit_req zone=allips burst=150 nodelay;
+
+    more_set_headers 'Server: secret';
+
+    ssl_dyn_rec_enable on;
+
+    include /etc/nginx/conf/mime.types;
+    default_type application/octet-stream;
+
+    access_log /var/log/nginx/access.log combined;
+    error_log /var/log/nginx/error.log crit;
+
+    fastcgi_temp_path /tmp/fastcgi 1 2;
+    proxy_temp_path /tmp/proxy 1 2;
+    client_body_temp_path /tmp/client_body 1 2;
+
+    client_body_buffer_size 10K;
+    client_header_buffer_size 1k;
+    client_max_body_size 8m;
+    large_client_header_buffers 2 1k;
+
+    aio threads;
+    sendfile on;
+    keepalive_timeout 15;
+    keepalive_disable msie6;
+    keepalive_requests 100;
+    tcp_nopush on;
+    tcp_nodelay on;
+    server_tokens off;
+
+    gzip on;
+    gzip_comp_level 5;
+    gzip_min_length 512;
+    gzip_buffers 4 8k;
+    gzip_proxied any;
+    gzip_vary on;
+    gzip_disable "msie6";
+    gzip_types
+        text/css
+        text/javascript
+        text/xml
+        text/plain
+        text/x-component
+        application/javascript
+        application/x-javascript
+        application/json
+        application/xml
+        application/rss+xml
+        application/vnd.ms-fontobject
+        font/truetype
+        font/opentype
+        image/svg+xml;
+
+    brotli on;
+    brotli_static on;
+    brotli_buffers 16 8k;
+    brotli_comp_level 6;
+    brotli_types
+        text/css
+        text/javascript
+        text/xml
+        text/plain
+        text/x-component
+        application/javascript
+        application/x-javascript
+        application/json
+        application/xml
+        application/rss+xml
+        application/vnd.ms-fontobject
+        font/truetype
+        font/opentype
+        image/svg+xml;
+
+    include /sites-enabled/*.conf;
+}
--- a/boring-nginx/rootfs/etc/nginx/conf/proxy_params
+++ b/boring-nginx/rootfs/etc/nginx/conf/proxy_params
@ -0,0 +1,6 @@
+proxy_set_header        Host                 $host;
+proxy_set_header        X-Real-IP            $remote_addr;
+proxy_set_header        X-Forwarded-For      $proxy_add_x_forwarded_for;
+proxy_set_header        X-Remote-Port        $remote_port;
+proxy_set_header        X-Forwarded-Proto    $scheme;
+proxy_redirect          off;
--- a/boring-nginx/rootfs/etc/nginx/conf/ssl_params
+++ b/boring-nginx/rootfs/etc/nginx/conf/ssl_params
@ -0,0 +1,8 @@
+ssl_protocols TLSv1.2;
+ssl_ecdh_curve X25519:P-521:P-384;
+ssl_ciphers [ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-RSA-AES256-GCM-SHA384]:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
+ssl_prefer_server_ciphers on;
+
+ssl_session_cache shared:SSL:20m;
+ssl_session_timeout 15m;
+ssl_session_tickets off;
--- a/boring-nginx/rootfs/etc/nginx/conf/vhost_http.conf
+++ b/boring-nginx/rootfs/etc/nginx/conf/vhost_http.conf
@ -0,0 +1,14 @@
+server {
+  listen 8000;
+  server_name <DOMAIN>;
+
+  #client_max_body_size <MAX_BODY_SIZE>M;
+
+  #auth_basic "Who's this?";
+  #auth_basic_user_file /passwds/<NAME>.htpasswd;
+
+  location <WEBROOT> {
+    proxy_pass http://<CONTAINER>:<PORT>;
+    include /etc/nginx/conf/proxy_params;
+  }
+}
--- a/boring-nginx/rootfs/etc/nginx/conf/vhost_https.conf
+++ b/boring-nginx/rootfs/etc/nginx/conf/vhost_https.conf
@ -0,0 +1,27 @@
+server {
+  listen 8000;
+  server_name <DOMAIN>;
+  return 301 https://$host$request_uri;
+}
+
+server {
+  listen 4430 ssl http2;
+  server_name <DOMAIN>;
+
+  ssl_certificate <CERTIFICATE_PATH>;
+  ssl_certificate_key <KEY_PATH>;
+
+  include /etc/nginx/conf/ssl_params;
+  include /etc/nginx/conf/headers_params;
+
+  #add_header Strict-Transport-Security "max-age=<HSTS_MAX_AGE>;<HSTS_SUBDOMAINS><HSTS_PRELOAD>";
+  #client_max_body_size <MAX_BODY_SIZE>M;
+
+  #auth_basic "Who's this?";
+  #auth_basic_user_file /passwds/<NAME>.htpasswd;
+
+  location <WEBROOT> {
+    proxy_pass http://<CONTAINER>:<PORT>;
+    include /etc/nginx/conf/proxy_params;
+  }
+}