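###
## This file comes with the "NGINX Mainline and modules" on https://deb.paranoid.nl/nginx-modules
## It contains various optimizations, examples and tweaks.
##
## Main nginx configuration: process-level settings, the events block, and
## http-level defaults (TLS, logging, compression, buffers, timeouts) that
## every included virtual host inherits unless it overrides them.
####

user www-data;
worker_processes auto;
# Each worker may hold up to worker_connections sockets (two per proxied
# request) plus open files, so the descriptor limit must not be lower than
# worker_connections. The previous value of 10000 was below the 65535
# configured in the events block, so workers could run out of descriptors
# well before reaching the connection limit.
worker_rlimit_nofile 131072;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 65535;
    multi_accept on;
    use epoll;
}

http {

    ##
    # Basic Settings
    ##

    aio threads;
    aio_write on;
    sendfile on;
    directio 256k;
    sendfile_max_chunk 256k;
    tcp_nopush off;
    tcp_nodelay on;
    types_hash_max_size 2048;
    server_names_hash_bucket_size 128;
    variables_hash_max_size 1024;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ###
    ## Enable security_headers only if you installed/enabled the module
    ###
    # security_headers on;
    # hide_server_tokens on;
    # fastcgi_hide_header X-Powered-By;
    # `server_tokens` is a core directive and does not depend on the
    # security_headers module; it can be enabled on its own to stop
    # advertising the nginx version in error pages and the Server header.
    # server_tokens off;

    ##
    # Optimizing TLS over TCP to reduce latency (Cloudflare patch)
    ##
    #ssl_dyn_rec_enable on;

    ##
    # Enable HTTP2 and HTTP3
    #
    # NOTE(review): in the flattened listing this reads `# http2 on;`, which
    # is ambiguous between a bare `#` line followed by an active directive
    # and a commented-out directive. Kept active here -- confirm against the
    # deployed file.
    http2 on;
    #http3 on;
    #
    ##

    ##
    # SSL Settings
    ##

    # Enable only if you are running on an OpenSSL 3 build and kernel 4.17 or higher
    # You need to do `modprobe tls` to load the kernel TLS module
    #ssl_conf_command Options KTLS;

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Forward-secret AEAD suites only. The EDH (finite-field DHE) suites use
    # the parameters in ssl_dhparam below.
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    # NOTE(review): the parameter size is not visible from this file; confirm
    # dhparam.pem was generated with at least 2048 bits.
    ssl_dhparam /etc/nginx/dhparam.pem;
    # Only these two curves are offered; clients that support neither cannot
    # complete an ECDHE handshake.
    ssl_ecdh_curve secp521r1:secp384r1;
    ssl_session_tickets off;
    # Requests carried in TLS 1.3 early data (0-RTT) are not protected against
    # replay. This http-level value is inherited by every virtual host,
    # including ones that accept state-changing requests, so it is off here.
    # To opt in for a specific server, enable it in that server block, pass
    # the flag to the application (for example
    # `proxy_set_header Early-Data $ssl_early_data;`) and have non-idempotent
    # endpoints answer 425 (Too Early).
    ssl_early_data off;
    # NOTE(review): ssl_session_cache appears twice in the same context. The
    # second zone name matches the one certbot's shipped options file uses;
    # verify with `nginx -t` and `nginx -T` which zone ends up in effect, and
    # drop the one that is not needed.
    ssl_session_cache shared:SSL:10m;
    ssl_session_cache shared:le_nginx_SSL:10m; #letsencrypt only
    # 1440m = 24h: a cached session can be resumed for a full day.
    ssl_session_timeout 1440m;

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;
    # Used to resolve the OCSP responder host name. These are public
    # resolvers reached over plain DNS; a resolver on a trusted network is
    # preferable where one is available.
    resolver 1.1.1.1 8.8.8.8 valid=300;

    ##
    # Logging Settings
    ##

    ## Log Format
    # `main` adds $host, $ssl_cipher and $request_time to the usual fields,
    # which helps when investigating incidents per virtual host.
    log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';

    # NOTE(review): this access_log does not name a format, so nginx writes
    # the built-in `combined` format and `main` above is unused unless a
    # virtual host references it. Appending `main` here activates it, but it
    # changes the line layout seen by any existing log parser.
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    # NOTE(review): compressing responses that contain both secrets and
    # request-reflected data over TLS is the precondition for BREACH-style
    # length side channels; consider turning gzip off for such locations.
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ###
    ## Miscellaneous
    ###

    keepalive_disable none; # allow all browsers to use keepalive connections
    keepalive_requests 50; # number of requests served per keep-alive connection
    max_ranges 1; # allow a single range header for resumed downloads and to stop large range header DoS attacks
    msie_padding off;
    #open_file_cache max=10000 inactive=2h;
    #open_file_cache_errors on;
    #open_file_cache_min_uses 1;
    #open_file_cache_valid 1h;
    output_buffers 2 512k;
    #postpone_output 1440; # postpone sends to match our machine's MSS
    read_ahead 512K; # kernel read-ahead, set to the output_buffers size
    server_name_in_redirect off; # if off, nginx will use the requested Host header
    source_charset utf-8; # same value as "charset"

    # Buffer size for POST submissions
    client_body_buffer_size 10K;
    # Upper bound on request bodies; larger uploads are rejected with 413.
    client_max_body_size 16m;

    # Buffer size for Headers
    client_header_buffer_size 1k;

    # Allow the server to close the connection after a client stops
    # responding.
    # Frees up socket-associated memory.
    # NOTE(review): read as commented out in the flattened listing -- confirm.
    # reset_timedout_connection on;

    # Timeouts, do not keep connections open longer than necessary to reduce
    # resource usage and deny Slowloris type attacks.
    client_body_timeout 10s; # maximum time between packets the client can pause when sending nginx any data
    client_header_timeout 10s; # maximum time the client has to send the entire header to nginx
    keepalive_timeout 120s; # timeout which a single keep-alive client connection will stay open

    ##
    # Virtual Host Configs
    ##

    # Everything matched by these globs is loaded as configuration, so write
    # access to both directories should be limited to root.
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}


#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen     localhost:110;
#        protocol   pop3;
#        proxy      on;
#    }
#
#    server {
#        listen     localhost:143;
#        protocol   imap;
#        proxy      on;
#    }
#}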