mirror of
https://github.com/NginxProxyManager/nginx-proxy-manager.git
synced 2025-08-04 16:33:32 +00:00
4d491b2d76
This commit changes access-list IP directives to be implemented using the nginx "geo" directive. This allows IP-based blocks to return 444 (drop connection) on authorization failure when the "Drop Unauthorized" is enabled. It also allows the implementation of "Satisfy Any" with the new client CA certificate support - i.e. Satisfy Any can allow clients from the local network to skip client certificate challenge, or drop down to requesting basic authentication. It should be noted that including basic authentication requirements in Satisfy Any mode does prevent a 444 response from being sent, as the basic auth challenge requires the server to respond.
97 lines
3.1 KiB
Nginx Configuration File
97 lines
3.1 KiB
Nginx Configuration File
# run nginx in foreground
|
|
daemon off;
|
|
pid /run/nginx/nginx.pid;
|
|
user npm;
|
|
|
|
# Set number of worker processes automatically based on number of CPU cores.
|
|
worker_processes auto;
|
|
|
|
# Enables the use of JIT for regular expressions to speed-up their processing.
|
|
pcre_jit on;
|
|
|
|
error_log /data/logs/fallback_error.log warn;
|
|
|
|
# Includes files with directives to load dynamic modules.
|
|
include /etc/nginx/modules/*.conf;
|
|
|
|
events {
|
|
include /data/nginx/custom/events[.]conf;
|
|
}
|
|
|
|
http {
|
|
include /etc/nginx/mime.types;
|
|
default_type application/octet-stream;
|
|
sendfile on;
|
|
server_tokens off;
|
|
tcp_nopush on;
|
|
tcp_nodelay on;
|
|
client_body_temp_path /tmp/nginx/body 1 2;
|
|
keepalive_timeout 90s;
|
|
proxy_connect_timeout 90s;
|
|
proxy_send_timeout 90s;
|
|
proxy_read_timeout 90s;
|
|
ssl_prefer_server_ciphers on;
|
|
gzip on;
|
|
proxy_ignore_client_abort off;
|
|
client_max_body_size 2000m;
|
|
server_names_hash_bucket_size 1024;
|
|
proxy_http_version 1.1;
|
|
proxy_set_header X-Forwarded-Scheme $scheme;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header Accept-Encoding "";
|
|
proxy_cache off;
|
|
proxy_cache_path /var/lib/nginx/cache/public levels=1:2 keys_zone=public-cache:30m max_size=192m;
|
|
proxy_cache_path /var/lib/nginx/cache/private levels=1:2 keys_zone=private-cache:5m max_size=1024m;
|
|
|
|
log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
|
|
log_format standard '[$time_local] $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] "$http_user_agent" "$http_referer"';
|
|
|
|
access_log /data/logs/fallback_access.log proxy;
|
|
|
|
# Dynamically generated resolvers file
|
|
include /etc/nginx/conf.d/include/resolvers.conf;
|
|
|
|
# Default upstream scheme
|
|
map $host $forward_scheme {
|
|
default http;
|
|
}
|
|
|
|
# Real IP Determination
|
|
|
|
# Local subnets:
|
|
set_real_ip_from 10.0.0.0/8;
|
|
set_real_ip_from 172.16.0.0/12; # Includes Docker subnet
|
|
set_real_ip_from 192.168.0.0/16;
|
|
# NPM generated CDN ip ranges:
|
|
include conf.d/include/ip_ranges.conf;
|
|
# always put the following 2 lines after ip subnets:
|
|
real_ip_header X-Real-IP;
|
|
real_ip_recursive on;
|
|
|
|
# Custom
|
|
include /data/nginx/custom/http_top[.]conf;
|
|
|
|
# Files generated by NPM
|
|
include /etc/nginx/conf.d/*.conf;
|
|
include /data/nginx/client/*.conf;
|
|
include /data/nginx/default_host/*.conf;
|
|
include /data/nginx/proxy_host/*.conf;
|
|
include /data/nginx/redirection_host/*.conf;
|
|
include /data/nginx/dead_host/*.conf;
|
|
include /data/nginx/temp/*.conf;
|
|
|
|
# Custom
|
|
include /data/nginx/custom/http[.]conf;
|
|
}
|
|
|
|
stream {
|
|
# Files generated by NPM
|
|
include /data/nginx/stream/*.conf;
|
|
|
|
# Custom
|
|
include /data/nginx/custom/stream[.]conf;
|
|
}
|
|
|
|
# Custom
|
|
include /data/nginx/custom/root[.]conf;
|