Nginx CDN Server Configuration
# ============================================================
# HTTP -> HTTPS redirect
# ============================================================
# Plain-HTTP listener for cdn.domain.org on IPv6 and IPv4. It serves
# nothing itself: every request is answered with a permanent redirect
# to the same URI over TLS. $host is the name the client asked for, so
# the redirect stays on the requested hostname.
# NOTE(review): the redirect also catches /.well-known/acme-challenge/.
# If certificates are renewed with an HTTP-01 webroot challenge, confirm
# that path is still reachable, because the HTTPS server denies every
# path containing "/." once the client follows the redirect.
server {
    listen [::]:80;
    listen 80;
    server_name cdn.domain.org;

    return 301 https://$host$request_uri;
}
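# ============================================================
# MAIN CDN SERVER (HTTPS)
# ============================================================
# Terminates TLS for cdn.domain.org, proxies requests to the origin at
# http://domain.org and caches the answers in the "cdn_cache" zone.
# The proxy_cache_path ... keys_zone=cdn_cache:... declaration must live
# in the http{} context; it is not part of this file.
# Only GET/HEAD/OPTIONS are accepted; dotfiles, backup files and PHP
# paths are refused before they can reach the origin.
#
# Fixes relative to the previous revision:
#  * deny rules now precede the asset regex (first matching regex wins);
#  * `expires 365d` removed: together with add_header Cache-Control it
#    produced two Cache-Control headers on every asset;
#  * location / no longer defines its own add_header, so it inherits the
#    security headers (HSTS etc.) instead of silently dropping them;
#  * the asset location repeats the full header set for the same reason;
#  * shared cache never stores/serves responses to Authorization'd requests.
server {
    # `http2` on the listen line is deprecated since nginx 1.25.1 in
    # favour of `http2 on;`; kept here for compatibility with older builds.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cdn.domain.org;

    # ── TLS (adjust paths) ───────────────────────────────────
    ssl_certificate     /etc/letsencrypt/live/cdn.domain.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cdn.domain.org/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    # No ssl_ciphers directive, so the build's default TLS 1.2 cipher list
    # applies; server preference only influences TLS 1.2 negotiation.
    ssl_prefer_server_ciphers on;
    # Resumption through the shared cache only; tickets are off so
    # forward secrecy does not depend on a long-lived ticket key.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    root /usr/share/nginx/cdn;

    # ── Logging ──────────────────────────────────────────────
    access_log /var/log/nginx/cdn.access.log combined buffer=512k flush=1m;
    error_log  /var/log/nginx/cdn.error.log warn;

    # ── Security headers ─────────────────────────────────────
    # nginx inherits add_header from the enclosing level ONLY when the
    # location defines no add_header of its own. Any location below that
    # adds a header therefore repeats this whole set; keep both in sync.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    # The legacy XSS auditor is disabled explicitly ("0"): current
    # browsers no longer ship it, and the old filter itself could be
    # abused for information leaks, so "1; mode=block" is not advised.
    add_header X-XSS-Protection "0" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
    # Cache diagnostics. On non-proxied responses (the deny blocks)
    # $upstream_cache_status is empty and nginx omits the header.
    add_header X-Cache-Status $upstream_cache_status always;

    # ── Upstream (origin) settings ───────────────────────────
    # The origin is reached over plain HTTP. If domain.org is not on a
    # trusted network, switch to https:// and configure proxy_ssl_*.
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    proxy_set_header Connection "";
    # Client address for the origin. X-Forwarded-For APPENDS to whatever
    # the client sent, so the origin must only trust its last entry;
    # X-Real-IP / True-Client-IP carry the address nginx itself saw.
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header True-Client-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Timeouts
    proxy_connect_timeout 10s;
    proxy_send_timeout 30s;
    proxy_read_timeout 30s;

    # Buffers
    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;

    # ── Blocked paths ────────────────────────────────────────
    # Regex locations are tried in configuration order and the first
    # match wins, so these deny rules come BEFORE the asset regex. Listed
    # after it, a request such as /.git/logo.png matched the asset rule
    # first and was proxied to the origin instead of refused.

    # Dotfiles and dot-directories (.htaccess, .git, .env, ...).
    # NOTE(review): this also covers /.well-known/; add a dedicated
    # location for /.well-known/acme-challenge/ if HTTP-01 renewal relies
    # on it.
    location ~ /\. {
        deny all;
        access_log off;
        log_not_found off;
    }

    # Editor backups and temp files (file~, file.bak, file.old, file.tmp).
    location ~* (\.bak|\.old|\.tmp|~)$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # The CDN serves no PHP; refuse such paths outright.
    location ~ \.php$ {
        deny all;
        access_log off;
        log_not_found off;
    }

    # ── Static assets: long-lived cache ──────────────────────
    location ~* \.(jpg|jpeg|png|gif|webp|avif|svg|ico|css|js|woff|woff2|ttf|eot|mp3|wav|mp4|mov|pdf|doc|docx|xls|xlsx|ppt|pptx|swf)$ {
        proxy_pass http://domain.org;

        proxy_cache cdn_cache;
        proxy_cache_key "$scheme$host$request_uri";
        proxy_cache_valid 200 301 302 7d;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout updating
                              http_500 http_502 http_503 http_504;
        proxy_cache_lock on;
        proxy_cache_background_update on;
        proxy_cache_min_uses 1;

        # A Set-Cookie from the origin would otherwise make the response
        # uncacheable; it is ignored for caching AND stripped, so a
        # session cookie can never be stored and replayed to other
        # clients. Upstream Cache-Control/Expires are still honoured by
        # the cache (they are not in proxy_ignore_headers).
        proxy_ignore_headers Set-Cookie;
        proxy_hide_header Set-Cookie;

        # Browser caching: exactly one Cache-Control header, set here.
        # (`expires 365d` emitted its own "Cache-Control: max-age=...",
        # which combined with this add_header yielded two Cache-Control
        # headers per asset; clients prefer Cache-Control over any
        # upstream Expires that still passes through.)
        add_header Cache-Control "public, max-age=31536000, immutable" always;
        # Vary is only advisory to downstream caches: the cache key above
        # has no Accept-Encoding, and nginx keys variants solely from a
        # Vary header sent by the origin.
        add_header Vary "Accept-Encoding" always;
        add_header X-Cache-Status $upstream_cache_status always;

        # Full security header set repeated: this location's own
        # add_header lines cancel inheritance from the server level.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "0" always;
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
        add_header Permissions-Policy "geolocation=(), microphone=(), camera=()" always;
    }

    # ── Everything else: short cache ─────────────────────────
    # No add_header here on purpose: the server-level headers (including
    # X-Cache-Status) are inherited.
    location / {
        proxy_pass http://domain.org;

        proxy_cache cdn_cache;
        proxy_cache_key "$scheme$host$request_uri";
        proxy_cache_valid 200 1h;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout http_500 http_502 http_503 http_504;
        proxy_cache_lock on;

        # Shared-cache hygiene: the key carries no credentials, so a
        # response to an authenticated request must neither be served
        # from cache nor stored for other clients. Responses with
        # Set-Cookie are already never cached here, but a personalised
        # response without Set-Cookie would be; add $http_cookie to both
        # directives if the origin serves per-user pages on these paths.
        proxy_cache_bypass $http_authorization;
        proxy_no_cache     $http_authorization;
    }

    # ── Method allow-list ────────────────────────────────────
    # Evaluated in server context before any location, so it applies to
    # the deny blocks as well. Write methods have no use on a read-only CDN.
    if ($request_method !~ ^(GET|HEAD|OPTIONS)$) {
        return 405;
    }
}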
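# One-time setup for the on-disk cache directory used by the
# proxy_cache_path entry that defines the "cdn_cache" zone (declare that
# directive in the http{} context; it is not part of the server block
# above, and its path must match the one created here).
# The owner must be the nginx worker user from the "user" directive:
# "nginx" on RHEL-style packages, often "www-data" on Debian/Ubuntu —
# adjust to the running configuration.
# The steps are chained so a failed mkdir or chown does not go on to
# reload nginx, and the reload only runs after the config test passes.
mkdir -p /var/cache/nginx/cdn \
  && chown nginx:nginx /var/cache/nginx/cdn \
  && nginx -t \
  && systemctl reload nginx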