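# CONFIGURED BY ANSIBLE
# Main nginx configuration, rendered by Ansible (Jinja2).
# Template variables read here:
#   nginx_type - 'debian' selects the distro user and modules-enabled layout
#   brotli     - 'yes' turns on the brotli directive (module must be loaded)
worker_processes auto;

{% if nginx_type == 'debian' %}
user www-data www-data;
include modules-enabled/*.conf;
{% else %}
# upstream repo or from source
user nginx nginx;
{% endif %}

error_log /var/log/nginx/error.log info;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    # Used for files whose extension is not listed in mime.types.
    # NOTE(review): text/html lets a browser render such files as markup;
    # confirm no user-supplied files are served with unknown extensions.
    default_type text/html;
    sendfile on;
    keepalive_timeout 65;
    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;

    {% if brotli == 'yes' %}
    brotli on;
    {% endif %}
    # NOTE(review): compressing dynamic TLS responses that mix secrets with
    # request-controlled input is the precondition for BREACH-style attacks;
    # confirm downstream server blocks compress only static/public content.
    gzip on;

    # PFS-only key exchange
    ssl_protocols TLSv1.3 TLSv1.2;
    # Client preference wins; every suite left by the list below is forward-secret.
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE:DHE:kGOST:AEAD:!aNULL:!eNULL:!RC4:!MD5:!3DES:!AES256-GCM-SHA384:!ECDHE-RSA-AES256-SHA:!ECDHE-ECDSA-AES256-SHA;
    # DH parameters for the DHE suites; the file must exist on the host.
    ssl_dhparam /etc/nginx/dhparms.pem;
    # no restriction on ssl_ecdh_curve

    # without includeSubDomains
    # 15552000 seconds (180 days)
    # 31536000 seconds (365 days)
    # 63072000 seconds (730 days)
    # 'always' also emits the header on error responses; without it add_header
    # only applies to a fixed set of 2xx/3xx status codes.
    add_header Strict-Transport-Security "max-age=15552000" always;
    add_header X-Frame-Options DENY always;
    # Caveat: any add_header inside a server/location block of conf.d/*.conf
    # replaces ALL headers inherited from this level; repeat both there if so.

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    # happy log collectors
    # escape=json makes nginx JSON-escape variable values (quotes, control
    # characters) so one line is one valid JSON object for the collector.
    log_format json escape=json '{'
        '"bytes_sent": "$bytes_sent", '
        '"connection_requests": "$connection_requests", '
        '"gzip_ratio": "$gzip_ratio", '
        '"host": "$host", '
        '"http_referrer":"$http_referer", '
        '"http_user_agent": "$http_user_agent", '
        '"remote_addr": "$remote_addr", '
        '"remote_port": "$remote_port", '
        '"remote_user": "$remote_user", '
        '"request_length": "$request_length", '
        '"request_method":"$request_method", '
        '"request_time":"$request_time", '
        '"request_uri":"$request_uri", '
        '"scheme": "$scheme", '
        '"server_protocol": "$server_protocol", '
        '"ssl_cipher": "$ssl_cipher", '
        '"ssl_curves": "$ssl_curves", '
        '"ssl_curve": "$ssl_curve", '
        '"ssl_protocol": "$ssl_protocol", '
        '"ssl_server_name": "$ssl_server_name", '
        '"status": "$status", '
        '"time_iso8601":"$time_iso8601"'
    '}';
    # presumably disabled because $ssl_ciphers needs a newer nginx (1.19.4+) -- confirm before re-enabling
    #'"ssl_ciphers": "$ssl_ciphers", '

    access_log /var/log/nginx/access.log json;
    include conf.d/*.conf;
}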