From 5477e36dec3389d5021a66923acbfb71b003edb0 Mon Sep 17 00:00:00 2001 From: Disassembler Date: Tue, 19 Dec 2017 10:09:33 +0100 Subject: [PATCH] Alpinize nginx configuration --- 01-basic.sh | 6 +- .../default => conf.d/default.conf} | 10 +- basic/etc/nginx/nginx.conf | 146 +++++++++--------- 3 files changed, 82 insertions(+), 80 deletions(-) rename basic/etc/nginx/{sites-available/default => conf.d/default.conf} (60%) diff --git a/01-basic.sh b/01-basic.sh index 68ff11f..de0afc2 100755 --- a/01-basic.sh +++ b/01-basic.sh @@ -24,7 +24,7 @@ rc-update add consolefont boot # Set legal banner with URL cp ${SOURCE_DIR}/etc/issue.template /etc/issue.template -cp ${SOURCE_DIR}/sbin/issue-gen /sbin/issue-gen # TODO: Make executable +cp ${SOURCE_DIR}/sbin/issue-gen /sbin/issue-gen # Configure Postfix # cp ${SOURCE_DIR}/etc/postfix/main.cf /etc/postfix/main.cf @@ -35,8 +35,8 @@ openssl req -x509 -new -out /etc/ssl/certs/services.pem -keyout /etc/ssl/private chmod 640 /etc/ssl/private/services.key # Configure nginx -# cp ${SOURCE_DIR}/etc/nginx/nginx.conf /etc/nginx/nginx.conf -# cp ${SOURCE_DIR}/etc/nginx/sites-available/default /etc/nginx/sites-available/default +cp ${SOURCE_DIR}/etc/nginx/nginx.conf /etc/nginx/nginx.conf +cp ${SOURCE_DIR}/etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf # Copy Portal resources cp ${SOURCE_DIR}/usr/local/bin/portal-app-manager /usr/local/bin/portal-app-manager diff --git a/basic/etc/nginx/sites-available/default b/basic/etc/nginx/conf.d/default.conf similarity index 60% rename from basic/etc/nginx/sites-available/default rename to basic/etc/nginx/conf.d/default.conf index 2845e41..1455d0b 100644 --- a/basic/etc/nginx/sites-available/default +++ b/basic/etc/nginx/conf.d/default.conf 
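Review bot: The `# TODO: Make executable` note on the issue-gen line is removed without the change it asked for: `cp` keeps whatever mode the source has, so whether /sbin/issue-gen ends up runnable depends on the mode of `${SOURCE_DIR}/sbin/issue-gen`, which this diff cannot show. Make it explicit so the script does not rely on repository file modes, e.g. `install -m 755 ${SOURCE_DIR}/sbin/issue-gen /sbin/issue-gen`, or keep the cp and follow it with `chmod 755 /sbin/issue-gen`. The enclosing script continues outside the hunk, so a later chmod elsewhere is possible but not visible here.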
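Review bot: The two uncommented copies replace the package's /etc/nginx/nginx.conf and conf.d/default.conf, but nothing checks that the resulting configuration parses or that the referenced /etc/ssl/certs/services.pem and /etc/ssl/private/services.key exist; add `nginx -t` after the second cp so a broken config fails this provisioning step instead of the first service start. The openssl line in the hunk context generates the certificate before the copies, so the ordering is right. Note that the new nginx.conf includes every /etc/nginx/conf.d/*.conf, so any other file the Alpine package or a later step drops into that directory is loaded too; that seems intended, but is worth a comment next to the cp.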
@@ -1,12 +1,12 @@ server { - listen 80; - listen [::]:80; + listen 80 default_server; + listen [::]:80 default_server; return 301 https://$host$request_uri; } server { - listen 443 ssl http2; - listen [::]:443 ssl http2; + listen 443 ssl http2 default_server; + listen [::]:443 ssl http2 default_server; add_header Strict-Transport-Security "max-age=31536000;"; @@ -16,6 +16,4 @@ server { location / { try_files $uri $uri/ =404; } - - include /etc/nginx/apps-enabled/*; } diff --git a/basic/etc/nginx/nginx.conf b/basic/etc/nginx/nginx.conf index b2295bc..48123f6 100644 --- a/basic/etc/nginx/nginx.conf +++ b/basic/etc/nginx/nginx.conf 
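Review bot: With `default_server` added to the port-80 listen lines, the redirect block now also answers requests whose Host header matches no configured name, and `return 301 https://$host$request_uri;` copies that client-supplied Host straight into the redirect target. That is a common pattern and low risk, but if the set of served names is known it is tighter to declare a `server_name` and redirect to `https://$server_name$request_uri;`, so a forged Host header cannot steer the redirect. If a catch-all is required, a one-line comment saying the Host reflection is accepted would help the next reader.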
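Review bot: The removed `include /etc/nginx/apps-enabled/*;` was the only hook that pulled per-app snippets into the TLS server block, and nothing in this commit replaces it; nginx.conf's new `include /etc/nginx/conf.d/*.conf;` is at http level, so a snippet containing `location` directives cannot simply move there. If portal-app-manager still writes to apps-enabled this is a silent regression; if apps are now meant to ship whole server blocks, a comment in default.conf stating that would avoid the guesswork. Related, `add_header Strict-Transport-Security "max-age=31536000;";` (context in the first hunk) is inherited only by locations that declare no `add_header` of their own, so any app snippet that adds a header will drop HSTS for its paths; worth a comment on that line, and the stray `;` inside the quoted value can go.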
@@ -1,94 +1,98 @@ -user www-data; +# /etc/nginx/nginx.conf + +user nginx; + +# Set number of worker processes automatically based on number of CPU cores. worker_processes auto; -pid /run/nginx.pid; -include /etc/nginx/modules-enabled/*.conf; + +# Enables the use of JIT for regular expressions to speed-up their processing. +pcre_jit on; + +# Configures default error logger. +error_log /var/log/nginx/error.log warn; + +# Includes files with directives to load dynamic modules. +include /etc/nginx/modules/*.conf; + events { - worker_connections 768; - # multi_accept on; + # The maximum number of simultaneous connections that can be opened by + # a worker process. + worker_connections 1024; } http { - - ## - # Basic Settings - ## - - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - # server_tokens off; - - # server_names_hash_bucket_size 64; - # server_name_in_redirect off; - + # Includes mapping of file name extensions to MIME types of responses + # and defines the default type. include /etc/nginx/mime.types; default_type application/octet-stream; + # Name servers used to resolve names of upstream servers into addresses. + # It's also needed when using tcpsocket and udpsocket in Lua modules. + #resolver 208.67.222.222 208.67.220.220; + + # Don't tell nginx version to clients. + server_tokens off; + + # Specifies the maximum accepted body size of a client request, as + # indicated by the request header Content-Length. If the stated content + # length is greater than this size, then the client receives the HTTP + # error code 413. Set to 0 to disable. client_max_body_size 100m; - ## - # SSL Settings - ## + # Timeout for keep-alive connections. Server will close connections after + # this time. 
+ keepalive_timeout 65; - ssl_protocols TLSv1.2; - ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + # Sendfile copies data between one FD and other from within the kernel, + # which is more efficient than read() + write(). + sendfile on; + + # Don't buffer data-sends (disable Nagle algorithm). + # Good for sending frequent small bursts of data in real time. + tcp_nodelay on; + + # Causes nginx to attempt to send its HTTP response head in one packet, + # instead of using partial frames. + #tcp_nopush on; + + + # Path of the file with Diffie-Hellman parameters for EDH ciphers. + #ssl_dhparam /etc/ssl/nginx/dh2048.pem; + + # Specifies that our cipher suits should be preferred over client ciphers. ssl_prefer_server_ciphers on; + + # Enables a shared SSL cache with size that can hold around 4000 sessions. ssl_session_cache shared:SSL:1m; - ssl_session_timeout 1d; - ssl_session_tickets off; - ssl_certificate /etc/ssl/certs/services.pem; - ssl_certificate_key /etc/ssl/private/services.key; - ## - # Logging Settings - ## + # Set SSL certificate + ssl_certificate /etc/ssl/certs/services.pem; + ssl_certificate_key /etc/ssl/private/services.key; - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log; + # Set SSL protocols and ciphers + ssl_protocols TLSv1.2; + ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - ## - # Gzip Settings - ## + # Enable gzipping of responses. + #gzip on; - gzip on; - gzip_disable "msie6"; + # Set the Vary HTTP header as defined in the RFC 2616. 
+ gzip_vary on; - # gzip_vary on; - # gzip_proxied any; - # gzip_comp_level 6; - # gzip_buffers 16 8k; - # gzip_http_version 1.1; - # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript; + # Enable checking the existence of precompressed files. + #gzip_static on; - ## - # Virtual Host Configs - ## + # Specifies the main log format. + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + # Sets the path, format, and configuration for a buffered log write. + access_log /var/log/nginx/access.log main; + + + # Includes virtual hosts configs. include /etc/nginx/conf.d/*.conf; - include /etc/nginx/sites-enabled/*; } - - -#mail { -# # See sample authentication script at: -# # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript -# -# # auth_http localhost/auth.php; -# # pop3_capabilities "TOP" "USER"; -# # imap_capabilities "IMAP4rev1" "UIDPLUS"; -# -# server { -# listen localhost:110; -# protocol pop3; -# proxy on; -# } -# -# server { -# listen localhost:143; -# protocol imap; -# proxy on; -# } -#}
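Review bot: The new http block drops `ssl_session_tickets off;` and `ssl_session_timeout 1d;` (removed next to `ssl_session_cache shared:SSL:1m;`) without re-adding them, so session tickets revert to nginx's default of on; with no `ssl_session_ticket_key` configured the ticket key is, as far as I know, generated at startup and kept for the process lifetime, which weakens forward secrecy for resumed sessions compared with the old configuration. Re-add `ssl_session_tickets off;` directly after `ssl_session_cache shared:SSL:1m;` (the shared cache already provides resumption), and decide explicitly whether the 1d timeout is wanted since the default is 5m. The commented `#ssl_dhparam` is fine because the cipher list contains no DHE suites. `tcp_nopush on;` also moves from enabled to commented out; that is a performance rather than security change, so a note in the commit message on whether it is deliberate would help.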