nginx 全局配置

#user  nobody;
worker_processes  auto;

# load_module /etc/nginx/modules/ngx_http_zstd_filter_module.so;
# load_module /etc/nginx/modules/ngx_http_zstd_static_module.so;
# load_module /etc/nginx/modules/ngx_http_brotli_filter_module.so;
# load_module /etc/nginx/modules/ngx_http_brotli_static_module.so;
# load_module /etc/nginx/modules/ngx_http_modsecurity_module.so;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

worker_rlimit_nofile 65535;
thread_pool default threads=32 max_queue=65536;

events {
    multi_accept on;
    worker_connections  2048;
}


http {
    server_tokens off;

    # modsecurity on;
    # modsecurity_rules_file /etc/nginx/modsec/modsecurity.conf;

    include       mime.types;
    include	  /etc/nginx/sites-enabled/*;

    default_type  application/octet-stream;

    etag on;  
    http3 on;
    quic_gso on;
    # quic_bpf on;
    http3_max_concurrent_streams 512;
    http3_stream_buffer_size 256k;
    quic_active_connection_id_limit 8;

    http2 on;
    http2_max_concurrent_streams 512;
    http2_recv_buffer_size 512k;
    http2_chunk_size 16k;

    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_certificate_cache max=2000 inactive=5m valid=20m;


    ssl_buffer_size 32k;

    # ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE";
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;

    # add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';";
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy "no-referrer";
    add_header Permissions-Policy "geolocation=(), microphone=()";
    add_header Vary "Accept-Encoding" always;

    server_names_hash_max_size 1024;
    server_names_hash_bucket_size 128;
    types_hash_max_size 2048;
    types_hash_bucket_size 128;
    variables_hash_max_size 1024;
    variables_hash_bucket_size 128;
    proxy_headers_hash_max_size 1024;
    proxy_headers_hash_bucket_size 128;

    open_file_cache max=2000 inactive=30s;
    open_file_cache_valid 60s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    limit_req_zone $binary_remote_addr zone=example_zone:50m rate=50r/s;
    limit_req zone=example_zone burst=100 nodelay;
    limit_req_status 429;

    limit_conn_zone $binary_remote_addr zone=addr:20m;
    limit_conn addr 100;
    limit_conn_status 429;
    
    limit_rate_after 50m;
    limit_rate 20m;

    # fastcgi
    fastcgi_cache_path /var/cache/nginx/fastcgi levels=1:2 keys_zone=my_cache:20m max_size=1g inactive=30m;
    fastcgi_cache_key "$scheme$request_method$host$request_uri$http_accept_encoding";

    fastcgi_cache_methods GET HEAD;
    fastcgi_cache_bypass $http_cookie;
    fastcgi_no_cache $http_cookie;
    
    fastcgi_cache_valid 200 301 302 120m;
    fastcgi_cache_valid 404 10m;
    fastcgi_cache_valid 500 502 503 504 400 403 429 0;

    fastcgi_cache_lock on;
    fastcgi_cache_lock_timeout 5s;

    fastcgi_cache_background_update on;
    
    fastcgi_buffering on;
    fastcgi_buffer_size 128k;
    fastcgi_buffers 16 4m;
    fastcgi_busy_buffers_size 8m;
    fastcgi_keep_conn on;
    
    fastcgi_intercept_errors on; 
    fastcgi_hide_header X-Powered-By;

    # proxy
    proxy_cache_path /var/cache/nginx/proxy levels=1:2 keys_zone=my_proxy_cache:20m max_size=1g inactive=30m ;
    proxy_cache_key "$scheme$request_method$host$request_uri$http_accept_encoding";

    proxy_cache_methods GET HEAD;
    proxy_cache_bypass $http_cookie;
    proxy_no_cache $http_cookie;

    proxy_cache_valid 200 301 302 120m;
    proxy_cache_valid 404 10m;
    proxy_cache_valid 500 502 503 504 400 403 429 0;

    proxy_cache_lock on;
    proxy_cache_lock_timeout 5s;

    proxy_cache_background_update on;

    proxy_buffering on;
    proxy_buffer_size 128k;
    proxy_buffers 16 4m;
    proxy_busy_buffers_size 8m;
    proxy_socket_keepalive on;
    
    
    proxy_intercept_errors on;
    proxy_hide_header X-Powered-By;
    
    # include       /etc/nginx/mime.types;
    # default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /usr/local/nginx/logs/access.log main buffer=128k flush=5s;
    
    sendfile        on;

    tcp_nopush     on;
    tcp_nodelay    on;

    # zstd on;
    # zstd_static on;

    # zstd_comp_level 4;
    # zstd_buffers 8 256k;
    # zstd_min_length 50;
    # zstd_types application/atom+xml application/javascript application/json application/vnd.api+json application/rss+xml
    #             application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
    #             application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
    #             font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
    #             image/x-icon image/x-win-bitmap text/css text/richtext text/plain text/x-script
    #             text/x-component text/x-java-source text/x-markdown text/javascript text/xml
    #             application/x-perl application/x-httpd-cgi multipart/bag multipart/mixed application/wasm;


    # brotli on;
    # brotli_static on;

    # brotli_comp_level 4;
    # brotli_buffers 8 256k;
    # brotli_min_length 50;
    # brotli_window 1024k;
    # brotli_types application/atom+xml application/javascript application/json application/vnd.api+json application/rss+xml
    #             application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
    #             application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
    #             font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
    #             image/x-icon image/x-win-bitmap text/css text/richtext text/plain text/x-script
    #             text/x-component text/x-java-source text/x-markdown text/javascript text/xml
    #             application/x-perl application/x-httpd-cgi multipart/bag multipart/mixed application/wasm;




    gzip on;
    gzip_static on;

    gzip_comp_level 4;
    gzip_buffers 8 256k;
    gzip_min_length 50;
    gzip_types application/atom+xml application/javascript application/json application/vnd.api+json application/rss+xml
                application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
                application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
                font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
                image/x-icon image/x-win-bitmap text/css text/richtext text/plain text/x-script
                text/x-component text/x-java-source text/x-markdown text/javascript text/xml
                application/x-perl application/x-httpd-cgi multipart/bag multipart/mixed application/wasm;


    client_header_buffer_size 4k;
    client_body_buffer_size 256k;
    large_client_header_buffers 8 16k;
    output_buffers 8 1024k;


    client_body_timeout 60s;
    client_header_timeout 60s;
    send_timeout 60s;
    keepalive_timeout 120s;
    keepalive_requests 8000;

    fastcgi_connect_timeout 300s;
    fastcgi_send_timeout 300s;
    fastcgi_read_timeout 300s;

    proxy_connect_timeout 300s;
    proxy_send_timeout 300s;
    proxy_read_timeout 300s;

}