Optimized nginx config from hestiacp github project

nginx.conf

# Server globals
user                    admin;
worker_processes        1;
worker_rlimit_nofile    65535;
error_log               /var/log/hestia/nginx-error.log;
pid                     /var/run/hestia-nginx.pid;

# Worker config
events {
        worker_connections  128;
        use                 epoll;
        multi_accept        on;
}

http {
    # Main settings
    sendfile                        on;
    tcp_nopush                      on;
    tcp_nodelay                     on;
    client_header_timeout           180s;
    client_body_timeout             180s;
    client_header_buffer_size       2k;
    client_body_buffer_size         256k;
    client_max_body_size            256m;
    large_client_header_buffers     4 8k;
    send_timeout                    60s;
    keepalive_timeout               30s;
    keepalive_requests              100000;
    reset_timedout_connection       on;
    server_tokens                   off;
    server_name_in_redirect         off;
    server_names_hash_max_size      512;
    server_names_hash_bucket_size   512;
    charset                         utf-8;

    # FastCGI settings
    fastcgi_buffers                 8 256k;
    fastcgi_buffer_size             256k;
    fastcgi_busy_buffers_size       256k;
    fastcgi_temp_file_write_size    256k;
    fastcgi_connect_timeout         30s;
    fastcgi_read_timeout            600s;
    fastcgi_send_timeout            600s;

    # Proxy settings
    proxy_redirect                  off;
    proxy_set_header                Host $host;
    proxy_set_header                X-Real-IP $remote_addr;
    proxy_set_header                X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass_header               Set-Cookie;
    proxy_buffers                   32 4k;
    proxy_buffer_size               8k;
    proxy_connect_timeout           30s;
    proxy_read_timeout              300s;
    proxy_send_timeout              180s;

    # Log format
    log_format  main    '$remote_addr - $remote_user [$time_local] $request '
                        '"$status" $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
    log_format  bytes   '$body_bytes_sent';
    access_log          /var/log/hestia/nginx-access.log main;

    # Mime settings
    include             /usr/local/hestia/nginx/conf/mime.types;
    default_type        application/octet-stream;

    # Compression
    gzip                on;
    gzip_vary           on;
    gzip_comp_level     6;
    gzip_min_length     1024;
    gzip_buffers        16 8k;
    gzip_http_version   1.1;
    gzip_types          text/plain text/css text/javascript text/js text/xml application/json application/javascript application/x-javascript application/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
    gzip_proxied        any;
    gzip_disable        "MSIE [1-6]\.";

    # SSL PCI compliance
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 60m;
    ssl_buffer_size     1400;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers         "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
    ssl_dhparam         /etc/ssl/dhparam.pem;
    ssl_ecdh_curve      secp384r1;
    # ssl_reject_handshake on;
    ssl_session_tickets off;
    resolver 1.0.0.1 1.1.1.1 valid=300s ipv6=off;
    resolver_timeout    5s;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header          X-Frame-Options SAMEORIGIN;
    add_header          X-Content-Type-Options nosniff;
    add_header          X-XSS-Protection "1; mode=block";

    # Vhost
    server {
        listen          8083 ssl;
        server_name     _;
        root            /usr/local/hestia/web;

        # Fix error "The plain HTTP request was sent to HTTPS port"
        error_page 497 https://$host:$server_port$request_uri;
        error_page 403 /error/404.html;
        error_page 404 /error/404.html;
        error_page 410 /error/410.html;
        error_page 500 501 502 503 504 505 /error/50x.html;

        ssl_certificate      /usr/local/hestia/ssl/certificate.crt;
        ssl_certificate_key  /usr/local/hestia/ssl/certificate.key;

        location / {
            expires off;
            index index.php;
        }

        location /error/ {
            expires off;
            internal;
        }

        location /rrd/ {
            expires off;
            internal;
        }

        location /backup/ {
            root /;
            internal;
        }

        location /fm/ {
            alias /usr/local/hestia/web/fm/dist/;
            index index.php;
            location ~ /([^/]+\.php)$ {
                try_files /$1 =404;
                fastcgi_pass    unix:/var/run/hestia-php.sock;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME /usr/local/hestia/web/fm/dist/index.php;
            }
        }

        location ~ \.php$ {
            include         /usr/local/hestia/nginx/conf/fastcgi_params;
            fastcgi_param   SCRIPT_FILENAME /usr/local/hestia/web/$fastcgi_script_name;
            fastcgi_param   QUERY_STRING    $query_string;
            fastcgi_pass    unix:/var/run/hestia-php.sock;
            fastcgi_intercept_errors on;
            break;
        }
    }
}