user nginx nginx;
worker_processes 2;

events {
	worker_connections 1024;
	use epoll;
}

error_log /var/log/nginx/error.log;

http {
	include /etc/nginx/mime.types;

	add_header          Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
	add_header          X-Content-Type-Options nosniff;
	add_header          X-Frame-Options SAMEORIGIN;
	add_header          X-XSS-Protection "1; mode=block";

	default_type application/octet-stream;

	log_format main
		'$remote_addr - $remote_user [$time_local] '
		'"$request" $status $bytes_sent '
		'"$http_referer" "$http_user_agent" '
		'"$gzip_ratio"';

	client_header_timeout 10m;
	client_body_timeout 10m;
	send_timeout 10m;

	connection_pool_size 256;
	client_header_buffer_size 1k;
	large_client_header_buffers 4 16k;
	request_pool_size 4k;

	output_buffers 1 32k;
	postpone_output 1460;

	sendfile on;
	server_tokens off;
	tcp_nopush on;
	tcp_nodelay on;

	server_names_hash_bucket_size 128;

	keepalive_timeout 75 20;

	ignore_invalid_headers on;


	ssl_protocols TLSv1.2 TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
	ssl_prefer_server_ciphers on;
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
	
	ssl_dhparam /etc/ssl/nginx/dhparam.pem;
	ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0

	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 77.88.8.8 77.88.8.1 valid=300s;
	resolver_timeout 5s;

	gzip on;
	gzip_min_length 10240;
	gzip_proxied expired no-cache no-store private auth;
	gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
	gzip_disable "MSIE [1-6]\.";

	access_log off;

	include /etc/nginx/sites-enabled/*.conf;
}