user www-data; worker_processes auto; worker_cpu_affinity auto; worker_rlimit_nofile 100000; pid /run/nginx.pid; pcre_jit on; events { multi_accept on; worker_connections 50000; accept_mutex on; use epoll; } http { ## # WordOps Settings ## sendfile on; sendfile_max_chunk 512k; tcp_nopush on; tcp_nodelay on; keepalive_timeout 8; keepalive_requests 500; keepalive_disable msie6; lingering_time 20s; lingering_timeout 5s; # Nginx AIO : See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/ # http://nginx.org/en/docs/http/ngx_http_core_module.html#aio aio threads; server_tokens off; reset_timedout_connection on; more_set_headers "X-Powered-By : WordOps"; # Limit Request limit_req_status 403; limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; # Proxy Settings # set_real_ip_from proxy-server-ip; # real_ip_header X-Forwarded-For; fastcgi_read_timeout 300; client_max_body_size 100m; # ngx_vts_module vhost_traffic_status_zone; # tls dynamic records patch directive ssl_dyn_rec_enable on; ## # SSL Settings ## ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_prefer_server_ciphers on; ssl_ciphers 'TLS13+AESGCM+AES256:TLS13+AESGCM+AES128:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20'; ssl_protocols TLSv1.2 TLSv1.3; ssl_ecdh_curve X25519:P-521:P-384:P-256; # Previous TLS v1.2 configuration # ssl_protocols TLSv1.2; # ssl_ciphers EECDH+CHACHA20:EECDH+AESGCM:EECDH+AES; # Common security headers more_set_headers "X-Frame-Options : SAMEORIGIN"; more_set_headers "X-Xss-Protection : 1; mode=block"; more_set_headers "X-Content-Type-Options : nosniff"; more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; more_set_headers "X-Download-Options : noopen"; # oscp settings resolver 8.8.8.8 1.1.1.1 8.8.4.4 1.0.0.1 valid=300s; resolver_timeout 10; ssl_stapling on; ## # Basic Settings ## # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ## # Logging Settings ## access_log off; error_log /var/log/nginx/error.log; # Log format Settings log_format rt_cache '$remote_addr $upstream_response_time $upstream_cache_status [$time_local] ' '$http_host "$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" "$server_protocol"'; ## # Gzip Settings ## # mitigation for CRIME/BREACH attacks gzip off; ## # Brotli Settings ## brotli on; brotli_static on; brotli_buffers 16 8k; brotli_min_length 64000; brotli_comp_level 4; brotli_types application/atom+xml application/geo+json application/javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/vnd.ms-fontobject application/wasm application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/x-web-app-manifest+json application/xhtml+xml application/xml application/xml+rss font/eot font/opentype font/otf image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/cache-manifest text/calendar text/css text/javascript text/markdown text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/xml; ## # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } #mail { # # See sample authentication script at: # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript # # # auth_http localhost/auth.php; # # pop3_capabilities "TOP" "USER"; # # imap_capabilities "IMAP4rev1" "UIDPLUS"; # # server { # listen localhost:110; # protocol pop3; # proxy on; # } # # server { # listen localhost:143; # protocol imap; # proxy on; # } #}