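# Hardened NGINX main configuration (section numbers refer to the CIS NGINX
# Benchmark items the directive is meant to satisfy).
#
# Review notes on what this file does and does not enforce:
#   - The rate/connection zones below are only useful once limit_req / limit_conn
#     actually reference them; they are applied in the server block.
#   - The access log is JSON; escape=json is required so that quotes or control
#     characters in client-supplied fields (User-Agent, Referer, URI, body)
#     cannot corrupt or inject into the log line.
#   - Unknown Host headers are only rejected if a default catch-all server exists;
#     with a single server block nginx would route every Host to it.
#   - HTTP/2 on a plaintext :80 listener only yields h2c, which browsers do not
#     negotiate; 4.1.13 / 4.1.2 are satisfied only after the TLS listener is enabled.

user geekplus;
worker_processes auto;

events {
    worker_connections 1024;
    # multi_accept on;
}

http {
    #-------------------------------------#
    # Basic Settings
    #-------------------------------------#
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 2048;

    ## 2.4.3 Connection hold time (seconds)
    keepalive_timeout 10;
    ## 2.4.4 Send response timeout
    send_timeout 10;
    ## Bound how long a client may take to deliver headers/body (slow-client /
    ## slowloris mitigation); same 10 s budget as the other timeouts above.
    client_header_timeout 10;
    client_body_timeout 10;

    ## 2.5.1 Ensure server_tokens directive is set to `off`
    ## Do not display NGINX version and operating system version
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    #-------------------------------------#
    # Log Settings
    #-------------------------------------#
    ## 3.1 Log format
    ## escape=json: values are JSON-escaped so attacker-controlled headers cannot
    ## break the record or forge extra fields (log injection).
    ## WARNING: "request_body" writes raw request bodies (credentials, tokens, PII)
    ## to disk in plaintext. Keep it only if the log destination is appropriately
    ## protected and retention is controlled; otherwise drop this field.
    ## Note: $request_body is only populated when nginx reads the body into memory
    ## (e.g. for proxy_pass); it is "-"/empty otherwise.
    log_format weblog escape=json
        '{"@timestamp":"$time_iso8601",'
        '"client_ip":"$remote_addr",'
        '"size":$body_bytes_sent,'
        '"responsetime":$request_time,'
        '"upstreamtime":"$upstream_response_time",'
        '"upstreamhost":"$upstream_addr",'
        '"http_host":"$host",'
        '"method":"$request_method",'
        '"request_uri":"$request_uri",'
        '"xff":"$http_x_forwarded_for",'
        '"referrer":"$http_referer",'
        '"agent":"$http_user_agent",'
        '"uri":"$uri",'
        '"request_body":"$request_body",'
        '"status":"$status"}';

    ## 3.2 access logging is enabled
    access_log /var/log/geekplus/nginx/access-web.log weblog;
    ## 3.3 error logging is enabled and set to the info logging level
    error_log /var/log/geekplus/nginx/error_log.log info;

    ## 3.5 Ensure error logs are sent to a remote syslog server
    ## (fill in server=<host>[:port] before enabling)
    #error_log syslog:server= info;
    ## 3.6 Ensure access logs are sent to a remote syslog server
    #access_log syslog:server=,facility=local7,tag=nginx,severity=info combined;

    #-------------------------------------#
    # Request Limits Settings
    #-------------------------------------#
    ## 5.2.4 Ensure the number of connections per IP address is limited
    ## (zone definition only; enforced by limit_conn in the server block)
    limit_conn_zone $binary_remote_addr zone=limitperip:10m;
    ## 5.2.5 Ensure rate limits by IP address are set
    ## (zone definition only; enforced by limit_req in the server block)
    limit_req_zone $binary_remote_addr zone=ratelimit:10m rate=5r/s;
    ## Answer limited requests with 429 instead of the default 503 so that
    ## throttling is distinguishable from an upstream outage in the logs.
    limit_conn_status 429;
    limit_req_status 429;
    ## NOTE(review): if nginx sits behind a load balancer, $binary_remote_addr is
    ## the LB address and these limits collapse onto a single key; use the
    ## realip module (set_real_ip_from / real_ip_header) from a trusted LB first.

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    # RMS: WebSocket connection-upgrade map
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    #-------------------------------------#
    # server configuration
    #-------------------------------------#

    ## 2.4.2 Ensure requests for unknown host names are rejected
    ## Catch-all default server: any request whose Host does not match a named
    ## server below is dropped without a response (444). Without this block
    ## nginx would serve every Host header from the first server it finds.
    server {
        listen 80 default_server;
        server_name _;
        return 444;
    }

    server {
        ## 4.1.13 Ensure HTTP/2.0 is used (webserver only)
        ## NOTE(review): on a plaintext listener `http2 on` only enables h2c;
        ## browsers negotiate HTTP/2 over TLS (ALPN) only. Enable the TLS
        ## listener below once the certificate is installed.
        listen 80;
        http2 on;
        #listen 443 ssl;                 #Enable together with the certificate lines below

        ## 2.4.2 Ensure requests for unknown host names are rejected
        server_name www.geekplus.cc;     #Please change it to the actual domain name

        ## 4.1.2 Ensure a trusted certificate and trust chain is installed
        #ssl_certificate     /etc/nginx/ssl/geekplus.com.crt;   #Please change it to the actual certificate
        #ssl_certificate_key /etc/nginx/ssl/geekplus.com.key;   #Please change it to the actual certificate key

        ## 5.2.4 / 5.2.5 Apply the per-IP connection and request limits
        ## defined in the http block (burst absorbs short legitimate spikes).
        limit_conn limitperip 20;
        limit_req zone=ratelimit burst=10 nodelay;

        ## 5.1.1 Ensure allow and deny filters limit access to specific IP addresses
        ## Access IP whitelist
        location / {
            rewrite ^/$ /portal permanent;
            ## Used when nginx is used as proxy or LB
            #include /etc/nginx/conf.d/secure_proxy.conf;
            #try_files $uri $uri/ =404;
            #allow 10.1.1.1;   #Modify the IP according to the actual environment (no angle brackets)
            #deny all;
        }

        ## NOTE(review): these files are included *inside* the server block, so they
        ## may only contain server-level directives (location, etc.). A file in
        ## conf.d that itself defines `server { ... }` will make nginx fail to start.
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/secure/secure-server.conf;
    }
}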