Configuration of Nginx web reverse proxy server

NGINX version

nginx/1.18.0

Compile parameters

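# ./configure flags for the nginx/1.18.0 build (the leading "./configure \" line is
# not shown on the page). Options must use ASCII "--" and straight quotes; the page
# rendered them as en dashes and typographic quotes, which a shell passes through
# as literal, unrecognised arguments.
# Security-relevant flags:
#   --with-openssl-opt='enable-tls1_3 enable-weak-ssl-ciphers'
#       enable-tls1_3 is redundant on OpenSSL 1.1.1 release builds (on by default);
#       enable-weak-ssl-ciphers re-enables suites OpenSSL disables by default (RC4
#       among them) and only widens what ssl_ciphers can negotiate for legacy clients.
#   --with-http_realip_module
#       lets X-Forwarded-For / X-Real-IP replace the client address, but only from
#       addresses listed with set_real_ip_from; the config on this page sets none.
#   --add-module=... (nginx-ct, ngx_brotli, nginx_upstream_check)
#       third-party modules compiled in statically; they must be rebuilt together
#       with every nginx upgrade.
# Every line ends in a continuation backslash, so no comment may sit between them.
--prefix=/usr/local/nginx \
--user=nobody \
--group=nobody \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_gzip_static_module \
--with-http_sub_module \
--with-stream \
--with-stream_ssl_module \
--with-openssl=/usr/local/openssl-1.1.1c \
--with-openssl-opt='enable-tls1_3 enable-weak-ssl-ciphers' \
--with-http_flv_module \
--with-http_mp4_module \
--with-http_realip_module \
--with-cc-opt=-DTCP_FASTOPEN=23 \
--with-file-aio \
--add-module=/usr/local/nginx-ct \
--add-module=/usr/local/ngx_brotli/ \
--add-module=/usr/local/nginx_upstream_check \
--http-client-body-temp-path=/var/tmp/nginx/client/ \
--http-proxy-temp-path=/var/tmp/nginx/proxy \
--without-mail_pop3_module \
--without-mail_imap_module \
--without-mail_smtp_module \
--without-http_uwsgi_module \
--without-http_scgi_module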

HTTP part of nginx.conf


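http
{
    include mime.types;
    default_type application/octet-stream;
    # Hide the nginx version in the Server header and on error pages; not in the
    # original, added as hardening against version disclosure.
    server_tokens off;
    server_names_hash_bucket_size 128;
    # Request-header buffers: a request line or header field larger than these
    # buffers is rejected (414 / 400) instead of being buffered further.
    client_header_buffer_size 32k;
    large_client_header_buffers 4 32k;
    # Upper bound on request bodies (413 beyond it); keep it in step with what the
    # upstream application itself accepts.
    client_max_body_size 5m;
    sendfile on;
    tcp_nopush on;
    keepalive_timeout 15;
    tcp_nodelay on;
    # FastCGI tuning is inert in this reverse-proxy setup: nothing on the page uses
    # fastcgi_pass. Kept as the original had it.
    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;
    # The server{} blocks shown later on the page live in these files.
    include vhost/*.conf;
    # Upstream pools; "IP" is a placeholder for the backend address. The "check"
    # directive is not core nginx: it comes from the nginx_upstream_check module
    # listed in the build flags, and a build without it rejects this config.
    upstream http {
        server IP:80;
        check interval=3000 rise=2 fall=4 timeout=1000;
    }
    upstream https {
        server IP:443;
        check interval=3000 rise=2 fall=4 timeout=1000;
    }
}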

HTTP protocol parameters


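server {
    listen 80;
    server_name domain www.domain;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    # Plaintext listener proxied as-is: there is no redirect to the 443 server
    # block, so a client that arrives over HTTP stays on HTTP end to end.
    location / {
        proxy_pass http://http;
        # Not forwarded in the original, so the backend saw the upstream name
        # ("http") as Host; forwarded now, matching the HTTPS server block.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to any X-Forwarded-For the client sent,
        # so the backend may only trust the last (rightmost) address.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
    }
}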

HTTPS protocol parameters


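# On-disk cache used by the static-asset location below: bounded by max_size and
# evicted after 1d without access. The path is a placeholder from the page.
proxy_cache_path /../path/../domain/static levels=1:2 keys_zone=local_cache:100m inactive=1d use_temp_path=off max_size=2g;
server {
    server_name domain www.domain;
    listen 443 ssl http2;
    ssl_certificate /../path/../nginx/conf/certificate/domain.crt;
    ssl_certificate_key /../path/../nginx/conf/certificate/domain.key;
    ssl_session_cache shared:SSL:18m;
    ssl_session_timeout 20m;
    # No ssl_session_ticket_key is set, so nginx encrypts tickets with a key it
    # generates itself; that key lives as long as the processes do, which bounds
    # forward secrecy for resumed sessions. Rotate a key file or disable tickets if
    # that matters for this deployment.
    ssl_session_tickets on;
    # Straight ASCII quotes: the page showed typographic quotes, which nginx rejects.
    # The three 3DES suites (…DES-CBC3-SHA) are removed and excluded with !3DES
    # (64-bit block cipher, deprecated); !DES alone does not cover them. The
    # remaining list is the original, still including non-forward-secret plain-RSA
    # suites (AES*-SHA*). This directive governs TLS 1.2 and below only; TLS 1.3
    # suites are fixed by OpenSSL.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    # TLS 1.0 and 1.1 dropped (deprecated by RFC 8996); the original listed them.
    ssl_protocols TLSv1.2 TLSv1.3;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        # The hop to upstream "https" is encrypted but not authenticated: nginx does
        # not verify the upstream certificate unless proxy_ssl_verify and
        # proxy_ssl_trusted_certificate are set, and neither is on this page.
        proxy_pass https://https;
        #proxy_set_header Host $http_host;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends to any client-supplied X-Forwarded-For; the backend may only
        # trust the rightmost address.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;
    }
    # Literal dot before the extension; the original ".*." matched any character.
    # Matching is by extension only, so any path ending in these suffixes (including
    # application routes) is cached here without cookies in the key - nothing
    # per-user may be served from such paths.
    location ~ \.(mp3|gif|jpg|jpeg|bmp|png|ico|txt|js|css|woff2|woff|ttf|svg|eot)$ {
        proxy_pass https://https;
        # These headers were not forwarded in the original for this location; added
        # to match location / above.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cache local_cache;
        # Key includes scheme and host so an entry cached for one host name cannot
        # be served for another that shares this zone (the original key was
        # $uri$is_args$args only).
        proxy_cache_key $scheme$host$uri$is_args$args;
        # add_header in a location replaces, not extends, add_header directives
        # inherited from the server level: any security header (e.g. HSTS) added
        # to this server block must be repeated here.
        add_header X-Cache $upstream_cache_status;
        proxy_cache_valid 200 30d;
        # Redirects are cached for the same 30d; a backend redirect on an asset
        # path stays cached for that long.
        proxy_cache_valid 301 302 30d;
        #proxy_cache_valid any 1m;
        expires 30d;
    }
    access_log /../path/../domain.log;
}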
