nginxconfig.io/src/nginxconfig/generators/conf/nginx.conf.js

import sslProfiles from '../../util/ssl_profiles';
import websiteConf from './website.conf';

export default (domains, global) => {
    const config = {};

    // Source
    config['# Generated by nginxconfig.io'] = '';
    config[`# ${window.location.protocol}//${window.location.host}${window.location.pathname}${window.location.search}`] = '';

    // Basic nginx conf
    config.user = global.nginx.user.computed;
    config.pid = global.nginx.pid.computed;
    config.worker_processes = global.nginx.workerProcesses.computed;
    config.worker_rlimit_nofile = 65535;
    config.events = {
        multi_accept: 'on',
        worker_connections: 65535,
    };

    // HTTP (kv so we can use the same key multiple times)
    config.http = [];

    if (global.php.phpBackupServer.computed)
        config.http.push(['upstream php', {
            server: [
                `${global.php.phpServer.computed[0] === '/' ? 'unix:' : ''}${global.php.phpServer.computed}`,
                `${global.php.phpBackupServer.computed[0] === '/' ? 'unix:' : ''}${global.php.phpBackupServer.computed} backup`,
            ],
        }]);

    config.http.push(['charset', 'utf-8']);
    config.http.push(['sendfile', 'on']);
    config.http.push(['tcp_nopush', 'on']);
    config.http.push(['tcp_nodelay', 'on']);
    if (!global.security.serverTokens.computed)
        config.http.push(['server_tokens', 'off']);
    if (!global.logging.logNotFound.computed)
        config.http.push(['log_not_found', 'off']);
    config.http.push(['types_hash_max_size', 2048]);
    config.http.push(['client_max_body_size', `${global.nginx.clientMaxBodySize.computed}M`]);

    config.http.push(['# MIME', '']);
    config.http.push(['include', 'mime.types']);
    config.http.push(['default_type', 'application/octet-stream']);

    config.http.push(['# Logging', '']);
    config.http.push(['access_log', global.logging.accessLog.computed.trim() || 'off']);
    config.http.push(['error_log', global.logging.errorLog.computed.trim() || '/dev/null']);

    if (global.security.limitReq.computed) {
        config.http.push(['# Limits', '']);
        config.http.push(['limit_req_log_level', 'warn']);
        config.http.push(['limit_req_zone', '$binary_remote_addr zone=login:10m rate=10r/m']);
    }

    // HTTPS
    let hasHttps = false;
    for (const domain of domains) {
        if (domain && domain.https && domain.https.https && domain.https.https.computed) {
            hasHttps = true;
            break;
        }
    }
    if (hasHttps) {
        config.http.push(['# SSL', '']);
        config.http.push(['ssl_session_timeout', '1d']);
        config.http.push(['ssl_session_cache', 'shared:SSL:10m']);
        config.http.push(['ssl_session_tickets', 'off']);

        if (sslProfiles[global.https.sslProfile.computed].dh_param_size) {
            config.http.push(['# Diffie-Hellman parameter for DHE ciphersuites', '']);
            config.http.push(['ssl_dhparam', `${global.nginx.nginxConfigDirectory.computed.replace(/\/+$/, '')}/dhparam.pem`]);
        }

        config.http.push([`# ${sslProfiles[global.https.sslProfile.computed].name} configuration`, '']);
        config.http.push(['ssl_protocols', sslProfiles[global.https.sslProfile.computed].protocols.join(' ')]);
        if (sslProfiles[global.https.sslProfile.computed].ciphers.length)
            config.http.push(['ssl_ciphers', sslProfiles[global.https.sslProfile.computed].ciphers.join(':')]);
        if (sslProfiles[global.https.sslProfile.computed].server_preferred_order)
            config.http.push(['ssl_prefer_server_ciphers', 'on']);

        config.http.push(['# OCSP Stapling', '']);
        config.http.push(['ssl_stapling', 'on']);
        config.http.push(['ssl_stapling_verify', 'on']);

        if (global.https.ocspCloudflare.computed
            || global.https.ocspGoogle.computed
            || global.https.ocspOpenDns.computed) {
            const ips = [];
            if (global.https.ocspCloudflare.computed) ips.push('1.1.1.1', '1.0.0.1');
            if (global.https.ocspGoogle.computed) ips.push('8.8.8.8', '8.8.4.4');
            if (global.https.ocspOpenDns.computed) ips.push('208.67.222.222', '208.67.220.220');

            config.http.push(['resolver', `${ips.join(' ')} valid=60s`]);
            config.http.push(['resolver_timeout', '2s']);
        }
    }

    // Configs!
    config.http.push(['# Load configs', '']);
    config.http.push(['include', [
        `${global.nginx.nginxConfigDirectory.computed.replace(/\/+$/, '')}/conf.d/*.conf`,
        global.tools.modularizedStructure.computed ? `${global.nginx.nginxConfigDirectory.computed.replace(/\/+$/, '')}/sites-enabled/*` : '',
    ].filter(x => x.length)]);

    // Single file configs
    if (!global.tools.modularizedStructure.computed) {
        for (const domain of domains) {
            config.http.push([`# ${domain.server.domain.computed}`, '']);
            config.http.push(...websiteConf(domain, domains, global));
        }
    }

    // Done!
    return config;
};