tobi85: perfekte NGINX HTTP/2 Konfiguration

Hallo,

im Netz gibt es die verschiedensten NGINX-Config-Empfehlungen, allerdings sind diese sehr unterschiedlich, weshalb ich keine Ahnung habe, welche in Kombination mit HTTP/2 ideal ist.

Anbei mal meine aktuelle Konfig - was fehlt und was könnte optimiert werden? Leistung/Speicher etc. ist reichlich vorhanden. Aktuell kommt der Server nicht über 10% Auslastung.

Je mehr ich im Netz lese, desto weniger Ahnung habe ich...

# Main (global) context: process identity, logging and worker sizing.

# Worker processes run as the unprivileged www-data account.
user www-data;

# One worker per available CPU core.
worker_processes auto;

# Upper bound on open file descriptors per worker process.
worker_rlimit_nofile 100000;

pid /run/nginx.pid;

# Only messages of severity "crit" and above are written. Messages at
# "error" and "warn" level are not recorded, so they will not be
# available when investigating failed requests or TLS problems.
error_log /var/log/nginx/error.log crit;

 
# Connection processing settings.
events {
    # Linux epoll event notification method.
    use epoll;

    # Each worker accepts all pending new connections at once
    # instead of one per event-loop iteration.
    multi_accept on;

    # Maximum simultaneous connections per worker process
    # (this counts upstream connections as well as client connections).
    worker_connections 1024;
}

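http {
    # ------------------------------------------------------------------
    # General
    # ------------------------------------------------------------------
    server_name_in_redirect off;
    server_names_hash_max_size 10240;
    server_names_hash_bucket_size 1024;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Do not disclose the nginx version in the Server header or on
    # built-in error pages.
    server_tokens off;

    # Cache open file descriptors and file metadata for static files.
    open_file_cache max=200000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30;

    # NOTE(review): this allows a very large number of requests on one
    # connection. nginx's built-in default is far lower; a lower limit
    # bounds how much work a single (possibly abusive) connection can
    # queue up. Confirm that 100000 is really needed.
    keepalive_requests 100000;

    # Short timeouts and connection reset limit how long slow or stalled
    # clients can hold server resources.
    reset_timedout_connection on;
    client_body_timeout 10;
    client_max_body_size 50M;
    send_timeout 10;

    # ------------------------------------------------------------------
    # Compression
    # ------------------------------------------------------------------
    # text/html is always compressed when gzip is on, regardless of
    # gzip_types. Compressing TLS responses that contain both secrets
    # (e.g. CSRF tokens) and attacker-influenced input enables
    # BREACH-style compression side channels; consider disabling gzip in
    # the locations that serve such responses.
    gzip on;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";
    gzip_comp_level 5;
    gzip_min_length 1000;
    gzip_buffers 16 8k;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_static on;
    # image/png, image/gif and image/jpeg were removed from this list:
    # those formats are already compressed, so gzip only costs CPU.
    gzip_types
        application/atom+xml
        application/javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rdf+xml
        application/rss+xml
        application/schema+json
        application/vnd.geo+json
        application/vnd.ms-fontobject
        application/x-font-ttf
        application/x-javascript
        application/x-web-app-manifest+json
        application/xhtml+xml
        application/xml
        font/eot
        font/opentype
        image/bmp
        image/svg+xml
        image/vnd.microsoft.icon
        image/x-icon
        text/cache-manifest
        text/css
        text/js
        text/javascript
        text/plain
        text/vcard
        text/vnd.rim.location.xloc
        text/vtt
        text/x-component
        text/x-cross-domain-policy
        text/xml;

    # PHP-FPM backend, reached over a local Unix socket.
    upstream php {
        server unix:/var/run/php5-fpm.sock;
    }

    server {
        # Newer nginx releases deprecate the "http2" listen parameter in
        # favour of a separate "http2 on;" directive.
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        ssl_certificate /etc/nginx/ssl/certificate.crt;
        ssl_certificate_key /etc/nginx/ssl/ssl.key;
        # CA chain used to verify stapled OCSP responses.
        ssl_trusted_certificate /etc/nginx/ssl/ca.crt;

        ssl_stapling on;
        ssl_stapling_verify on;

        # DH+3DES removed: 3DES is a 64-bit block cipher and no longer
        # considered safe for bulk traffic. AES-GCM suites come first so
        # that HTTP/2 clients, which reject non-AEAD suites, negotiate
        # one of them.
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;

        # TLS 1.0 and 1.1 removed: both are deprecated (RFC 8996), and
        # HTTP/2 itself requires TLS 1.2 or newer. Append TLSv1.3 if the
        # installed nginx/OpenSSL build supports it.
        ssl_protocols TLSv1.2;

        # Only used by DHE key exchange; with the cipher list above no
        # DHE suite is enabled, so this is kept for when one is added.
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;
        ssl_prefer_server_ciphers on;

        ssl_buffer_size 1400;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 4h;
        # Session tickets disabled: without an explicitly rotated
        # ssl_session_ticket_key the ticket key lives as long as the
        # nginx process, which weakens forward secrecy for TLS 1.2
        # sessions. Resumption still works through the shared cache.
        ssl_session_tickets off;

        # The resolver is used to look up the OCSP responder for
        # stapling. Queries to a public resolver travel unauthenticated
        # over the network; a trusted local resolver is preferable.
        # NOTE(review): replace with the local resolver address if one
        # is available.
        resolver 8.8.4.4 8.8.8.8 valid=300s;

        # The former "Alternate-Protocol 443:npn-spdy/3" header was
        # removed: it advertised SPDY/3, which this server does not
        # offer (the listeners speak HTTP/2).

        # "always" sends the headers on error responses as well.
        # add_header directives are inherited by a location only if that
        # location defines no add_header of its own.
        # includeSubDomains applies HSTS to every subdomain of this host.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
        # Legacy header; current browsers ignore it. A
        # Content-Security-Policy is the modern control against XSS.
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Frame-Options SAMEORIGIN always;
        # Stop browsers from MIME-sniffing responses into another type.
        add_header X-Content-Type-Options nosniff always;
    }
}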