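# nginx front end for a PHP-FPM application rooted at /sw6/public.
# Listens on port 8000 (plain HTTP), logs to stdout/stderr and keeps all
# temporary files under /tmp so the process can run as a non-privileged user.

worker_processes auto;
error_log stderr warn;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # Define custom log format to include response times
    log_format main_timed '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for" '
                          '$request_time $upstream_response_time $pipe $upstream_cache_status';

    access_log /dev/stdout main_timed;
    error_log /dev/stderr notice;

    keepalive_timeout 65;

    ##
    ## Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    # File upload limit.
    # NOTE(review): 0 disables the request-body size check entirely. Bodies are
    # spooled to client_body_temp_path (/tmp/client_temp below), so a single
    # oversized upload can exhaust that filesystem. Set the smallest limit the
    # application's uploads allow; the value is left unchanged here because the
    # required size is not visible in this file.
    client_max_body_size 0;

    # Write temporary files to /tmp so they can be created as a non-privileged user
    client_body_temp_path /tmp/client_temp;
    proxy_temp_path /tmp/proxy_temp_path;
    fastcgi_temp_path /tmp/fastcgi_temp;
    uwsgi_temp_path /tmp/uwsgi_temp;
    scgi_temp_path /tmp/scgi_temp;

    # Hide nginx version in headers
    server_tokens off;

    # Default server definition
    server {
        listen [::]:8000 default_server;
        listen 8000 default_server;
        server_name _;

        sendfile off;

        root /sw6/public;
        index index.php index.html;

        # Deny access to . files, for security.
        # Regex locations are tested in file order and the first match wins, so
        # this block has to come before the static-asset and PHP blocks;
        # otherwise a dot-path ending in .js, .png, .php, ... is served or
        # executed instead of being denied. If something under /.well-known/
        # must be reachable, give it its own explicit location.
        location ~ /\. {
            log_not_found off;
            deny all;
        }

        # SVG can carry inline script, so it is served with a CSP that forbids
        # script execution. It is kept out of the generic static-asset regex
        # below: only one regex location handles a request, and add_header is
        # not merged across locations, so the caching settings are repeated here.
        location ~* ^.+\.svg$ {
            expires 1y;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            add_header Content-Security-Policy "script-src 'none'";
            access_log off;
            log_not_found off;
            tcp_nodelay off;

            open_file_cache max=3000 inactive=120s;
            open_file_cache_valid 45s;
            open_file_cache_min_uses 2;
            open_file_cache_errors off;
        }

        # Long-lived caching for the remaining static assets.
        location ~* ^.+\.(?:css|cur|js|jpe?g|gif|ico|png|webp|woff|woff2)$ {
            expires 1y;
            add_header Cache-Control "public, must-revalidate, proxy-revalidate";
            access_log off;

            # Do not write an error_log entry for files not found on disk.
            log_not_found off;
            tcp_nodelay off;

            ## Set the OS file cache.
            open_file_cache max=3000 inactive=120s;
            open_file_cache_valid 45s;
            open_file_cache_min_uses 2;
            open_file_cache_errors off;
        }

        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to index.php
            try_files $uri $uri/ /index.php?q=$uri&$args;
        }

        # Redirect server error pages to the static page /50x.html
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /var/lib/nginx/html;
        }

        # Hand PHP requests to PHP-FPM on 127.0.0.1:9000.
        # NOTE(review): every existing *.php file below the document root is
        # executed. If any directory under /sw6/public is writable by the
        # application (uploads, media), consider restricting this location to
        # the known entry scripts - confirm against the deployment.
        location ~ [^/]\.php(/|$) {
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;

            # Only pass the request on when the script really exists, so that
            # "/upload.jpg/x.php"-style paths are not executed as PHP.
            if (!-f $document_root$fastcgi_script_name) {
                return 404;
            }

            # Mitigate https://httpoxy.org/ vulnerabilities
            fastcgi_param HTTP_PROXY "";

            # NOTE(review): proxy_* directives only apply to proxy_pass and do
            # nothing in a fastcgi_pass location. Client-supplied
            # X-Forwarded-* headers therefore reach PHP as sent; the
            # application should trust them only from known proxies.
            proxy_http_version 1.1;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            fastcgi_buffers 8 16k;
            fastcgi_buffer_size 32k;
            fastcgi_read_timeout 300s;

            client_body_buffer_size 128k;

            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param SCRIPT_NAME $fastcgi_script_name;
            include fastcgi_params;

            # NOTE(review): neither listen directive above enables HTTP/2, and
            # HTTP/2 server push was removed in nginx 1.25.1, which made this
            # directive obsolete - drop it when upgrading.
            http2_push_preload on;
        }

        # Allow fpm ping and status from localhost.
        # Only the IPv4 loopback address is allowed. NOTE(review): if a reverse
        # proxy on the same host forwards to this port, its requests also
        # arrive from 127.0.0.1 - verify the endpoints are not exposed that way.
        location ~ ^/(fpm-status|fpm-ping)$ {
            access_log off;
            allow 127.0.0.1;
            deny all;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
            fastcgi_pass 127.0.0.1:9000;
        }
    }

    # Include other server configs
    include /etc/nginx/conf.d/*.conf;
}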