# Copyright (c) 2000-2017 Synology Inc. All rights reserved. worker_processes auto; #worker_cpu_affinity auto; worker_rlimit_nofile 65535; include conf.d/main.conf; events { use epoll; multi_accept on; accept_mutex off; worker_connections 1024; include conf.d/events.conf; } http { include mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log off; #access_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_access,nohostname main; error_log syslog:server=unix:/dev/log,facility=local7,tag=nginx_error,nohostname error; tcp_nopush on; tcp_nodelay on; sendfile on; server_tokens off; proxy_request_buffering off; fastcgi_request_buffering off; scgi_request_buffering off; proxy_buffering off; fastcgi_buffering off; scgi_buffering off; resolver_timeout 5s; client_header_timeout 10s; client_body_timeout 60s; send_timeout 60s; keepalive_timeout 65s 20s; client_max_body_size 0; server_names_hash_max_size 8192; server_names_hash_bucket_size 128; ssl_certificate /usr/syno/etc/certificate/system/default/fullchain.pem; ssl_certificate_key /usr/syno/etc/certificate/system/default/privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS; ssl_dhparam /usr/syno/etc/ssl/dh2048.pem; ssl_prefer_server_ciphers on; ssl_session_tickets off; ssl_session_cache shared:SSL:1m; ssl_session_timeout 3600s; real_ip_header X-Forwarded-For; real_ip_recursive on; set_real_ip_from 127.0.0.1; include /var/tmp/nginx/trusted_proxy/*.conf; map $http_upgrade $connection_upgrade { default upgrade; '' close; } server_tag "nginx"; gzip_disable "msie6"; gzip_min_length 1000; gzip_types text/plain text/css application/javascript application/json; gzip_vary on; gzip_static on; open_file_cache max=1000 inactive=60s; open_file_cache_valid 3s; open_file_cache_min_uses 2; open_file_cache_errors on; upstream synoscgi { server unix:/run/synoscgi.sock; } index index.html index.htm index.php; server { listen 5000 default_server; listen [::]:5000 default_server; server_name _; gzip on; include app.d/alias.*.conf; root /usr/syno/synoman; index index.cgi; ignore_invalid_headers off; include app.d/dsm.*.conf; include /usr/syno/share/nginx/conf.d/dsm.*.conf; include conf.d/dsm.*.conf; location = / { try_files $uri /index.cgi$is_args$query_string; } location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ { internal; root /; open_file_cache off; include app.d/x-accel.*.conf; include conf.d/x-accel.*.conf; } location ~ /webman/modules/(PersonalSettings|ExternalDevices|FileBrowser)/index_ds.php$ { alias /usr/syno/share/OAuth/index_ds.php; default_type text/html; } location ~ \.cgi { include scgi_params; scgi_pass synoscgi; scgi_read_timeout 3600s; } error_page 403 404 500 502 503 504 @error_page; location @error_page { root /usr/syno/share/nginx; rewrite (.*) /error.html break; allow all; } location ~ ^/webman/modules/Indexer/ { deny all; } location ~ ^/webapi/lib/ { deny all; } location ~ ^/webapi/(:?(:?.*)\.lib|(:?.*)\.api|(:?.*)\.auth|lib.def)$ { deny all; } location ~ /\. { access_log off; log_not_found off; deny all; } location ~* \.(?:js|css|png|jpg|gif|ico)$ { access_log off; log_not_found off; } location = /favicon.ico { access_log off; log_not_found off; } location = /robots.txt { allow all; access_log off; log_not_found off; } } server { listen 5001 default_server ssl; listen [::]:5001 default_server ssl; server_name _; include app.d/alias.*.conf; root /usr/syno/synoman; index index.cgi; ignore_invalid_headers off; include app.d/dsm.*.conf; include /usr/syno/share/nginx/conf.d/dsm.*.conf; include conf.d/dsm.*.conf; location = / { try_files $uri /index.cgi$is_args$query_string; } location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ { internal; root /; open_file_cache off; include app.d/x-accel.*.conf; include conf.d/x-accel.*.conf; } location ~ /webman/modules/(PersonalSettings|ExternalDevices|FileBrowser)/index_ds.php$ { alias /usr/syno/share/OAuth/index_ds.php; default_type text/html; } location ~ \.cgi { include scgi_params; scgi_pass synoscgi; scgi_read_timeout 3600s; } error_page 403 404 500 502 503 504 @error_page; location @error_page { root /usr/syno/share/nginx; rewrite (.*) /error.html break; allow all; } location ~ ^/webman/modules/Indexer/ { deny all; } location ~ ^/webapi/lib/ { deny all; } location ~ ^/webapi/(:?(:?.*)\.lib|(:?.*)\.api|(:?.*)\.auth|lib.def)$ { deny all; } location ~ /\. { access_log off; log_not_found off; deny all; } location ~* \.(?:js|css|png|jpg|gif|ico)$ { access_log off; log_not_found off; } location = /favicon.ico { access_log off; log_not_found off; } location = /robots.txt { allow all; access_log off; log_not_found off; } } server { listen 80 default_server; listen [::]:80 default_server; gzip on; server_name _; location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ { internal; root /; open_file_cache off; include app.d/x-accel.*.conf; include conf.d/x-accel.*.conf; } include app.d/www.*.conf; include app.d/alias.*.conf; include /usr/syno/share/nginx/conf.d/www.*.conf; include conf.d/www.*.conf; location = /webdefault/images/logo.jpg { alias /usr/syno/share/nginx/logo.jpg; } error_page 403 404 500 502 503 504 @error_page; location @error_page { root /usr/syno/share/nginx; rewrite (.*) /error.html break; allow all; } location ^~ /.well-known/acme-challenge { root /var/lib/letsencrypt; default_type text/plain; } include app.d/.location.webstation.conf*; location / { rewrite ^ / redirect; } location ~ ^/$ { rewrite / http://$host:5000/ redirect; } } server { listen 443 default_server ssl; listen [::]:443 default_server ssl; server_name _; location ~ ^/volume(?:X|USB|SATA|Gluster)?\d+/ { internal; root /; open_file_cache off; include app.d/x-accel.*.conf; include conf.d/x-accel.*.conf; } include app.d/www.*.conf; include app.d/alias.*.conf; include /usr/syno/share/nginx/conf.d/www.*.conf; include conf.d/www.*.conf; location = /webdefault/images/logo.jpg { alias /usr/syno/share/nginx/logo.jpg; } error_page 403 404 500 502 503 504 @error_page; location @error_page { root /usr/syno/share/nginx; rewrite (.*) /error.html break; allow all; } location ^~ /.well-known/acme-challenge { root /var/lib/letsencrypt; default_type text/plain; } include app.d/.location.webstation.conf*; location / { rewrite ^ / redirect; } location ~ ^/$ { rewrite / https://$host:5001/ redirect; } } include conf.d/http.*.conf; include app.d/server.*.conf; include sites-enabled/*; }