azer · October 27, 2024 07:36
diff --git a/nginx_main.conf b/nginx_main.conf
 user www-data;
 worker_processes auto;
 worker_rlimit_nofile 65535;
 pid /run/nginx.pid;

 events {
    multi_accept on;
    worker_connections 65535;
 }

 http {
    # MIME
    include mime.types;
    default_type application/octet-stream;

    # Logging
    access_log /var/log/nginx/access.log combined buffer=512k flush=1m;
    error_log /var/log/nginx/error.log warn;

    # Limits & Timeouts
    client_max_body_size 16M;
    client_body_buffer_size 128k;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 4k;
    client_body_timeout 12;
    client_header_timeout 12;
    keepalive_timeout 15;
    send_timeout 10;
    keepalive_requests 100;

    # Hash sizes
    types_hash_max_size 2048;
    server_names_hash_bucket_size 64;

    # Performance
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    aio threads;
    directio 512;

    # Compression
    gzip on;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_min_length 256;
    gzip_proxied any;
    gzip_types
        application/atom+xml
        application/geo+json
        application/javascript
        application/x-javascript
        application/json
        application/ld+json
        application/manifest+json
        application/rdf+xml
        application/rss+xml
        application/xhtml+xml
        application/xml
        font/eot
        font/otf
        font/ttf
        image/svg+xml
        text/css
        text/javascript
        text/plain
        text/xml;

    # SSL
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_buffer_size 4k;

    # Modern configuration
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    # OCSP Stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 valid=60s;
    resolver_timeout 2s;

    # Load configs
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
 }
	user www-data;
	worker_processes auto;
	worker_rlimit_nofile 65535;
	pid /run/nginx.pid;

	events {
	multi_accept on;
	worker_connections 65535;
	}

	http {
	# MIME
	include mime.types;
	default_type application/octet-stream;

	# Logging
	access_log /var/log/nginx/access.log combined buffer=512k flush=1m;
	error_log /var/log/nginx/error.log warn;

	# Limits & Timeouts
	client_max_body_size 16M;
	client_body_buffer_size 128k;
	client_header_buffer_size 1k;
	large_client_header_buffers 4 4k;
	client_body_timeout 12;
	client_header_timeout 12;
	keepalive_timeout 15;
	send_timeout 10;
	keepalive_requests 100;

	# Hash sizes
	types_hash_max_size 2048;
	server_names_hash_bucket_size 64;

	# Performance
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	aio threads;
	directio 512;

	# Compression
	gzip on;
	gzip_vary on;
	gzip_comp_level 6;
	gzip_min_length 256;
	gzip_proxied any;
	gzip_types
	application/atom+xml
	application/geo+json
	application/javascript
	application/x-javascript
	application/json
	application/ld+json
	application/manifest+json
	application/rdf+xml
	application/rss+xml
	application/xhtml+xml
	application/xml
	font/eot
	font/otf
	font/ttf
	image/svg+xml
	text/css
	text/javascript
	text/plain
	text/xml;

	# SSL
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers off;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;
	ssl_buffer_size 4k;

	# Modern configuration
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

	# OCSP Stapling
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4 valid=60s;
	resolver_timeout 2s;

	# Load configs
	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}