From 37475fd3b891b814bd6765ae17a6b82ee7ae5c70 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jes=C3=BAs?=
Date: Mon, 25 Oct 2021 11:57:56 -0500
Subject: nginx: improve conf

---
 gitolite-cgit/entrypoint.sh | 39 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 38 insertions(+), 1 deletion(-)
(limited to 'gitolite-cgit')

diff --git a/gitolite-cgit/entrypoint.sh b/gitolite-cgit/entrypoint.sh
index a37edc0..66d37cc 100755
--- a/gitolite-cgit/entrypoint.sh
+++ b/gitolite-cgit/entrypoint.sh
@@ -318,12 +318,29 @@ EOF
 # /usr/lib/cgit/filters/syntax-highlighting.sh
 # Nginx configuration
- rm -v /etc/nginx/http.d/default.conf || true
+ rm -f /etc/nginx/http.d/default.conf || true
 cat > /etc/nginx/http.d/cgit.conf <<- EOF
 server {
 listen 80 default_server;
 server_name localhost;
+ # Logs
+ access_log off;
+ error_log off;
+
+ # Aditional Security Headers
+ # ref: https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+
+ # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ add_header X-Frame-Options DENY always;
+
+ # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+ add_header X-Content-Type-Options nosniff always;
+
+ # ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
+ add_header X-Xss-Protection "1; mode=block" always;
+
 root /usr/share/webapps/cgit;
 try_files \$uri @cgit;
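Review bot: `error_log off;` inside the new `server {}` block does not disable error logging; nginx treats `off` as a file name here, so errors are written to a file literally called `off` relative to the prefix, and the idiomatic form is `error_log /dev/null crit;` (or a real path). Dropping the access log entirely also removes the only request-level audit trail this git front-end produces; a path the container's log collection can read is preferable to `access_log off;`. `Strict-Transport-Security` is the one header without `always`, so it is omitted on error responses, and it is emitted by a plain `listen 80` listener, which browsers ignore unless TLS terminates in front of this server — worth confirming against the deployment before counting on it. Note too that any `add_header` inside the `@cgit` location reached via `try_files` (outside the hunk) would suppress all of these server-level headers, because nginx does not merge `add_header` across levels.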
@@ -355,6 +372,26 @@ EOF
 font/opentype application/vnd.ms-fontobject image/svg+xml;
+ gzip_min_length 1000; # default is 20 bytes
+ gzip_buffers 16 8k;
+ gzip_comp_level 2; # default is 1
+
+ client_body_timeout 30s; # default is 60
+ client_header_timeout 10s; # default is 60
+ send_timeout 10s; # default is 60
+ keepalive_timeout 10s; # default is 75
+ resolver_timeout 10s; # default is 30
+ reset_timedout_connection on;
+ proxy_ignore_client_abort on;
+
+ tcp_nopush on; # send headers in one piece
+ tcp_nodelay on; # don't buffer data sent, good for small data bursts in real time
+
+ # Enabling the sendfile directive eliminates the step of copying the data into the buffer
+ # and enables direct copying data from one file descriptor to another.
+ sendfile on;
+ sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
+ aio threads;
 }
 EOF
-- 
cgit v1.2.3
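Review bot: `proxy_ignore_client_abort on;` only affects `proxy_pass` upstreams; if cgit is reached through `fastcgi_pass` in the `@cgit` location (outside the hunk), the matching directive is `fastcgi_ignore_client_abort on;` and the added line is a silent no-op. `resolver_timeout 10s;` likewise does nothing unless a `resolver` directive is configured for this server, which the hunk does not show. `aio threads;` presumably needs an nginx build with thread-pool support and is rejected at startup otherwise, so the entrypoint should validate the generated file with `nginx -t` before launching, or drop the line if the image's build flags are not pinned. The shortened client and keepalive timeouts are a sensible slow-client mitigation, and the `# default is …` comments make the intent clear.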