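# Main nginx configuration: worker setup, global HTTP defaults, TLS policy,
# compression, and inclusion of the per-site server blocks.

user nginx nginx;
worker_processes 2;

events {
    worker_connections 1024;
    use epoll;
}

error_log /var/log/nginx/error.log;

http {
    include /etc/nginx/mime.types;

    # Security response headers.
    # "always" makes nginx emit the header on every response code, including
    # 4xx/5xx error pages; without it the header is only added to a fixed set
    # of success/redirect codes. The HSTS line already used it, so the other
    # three are brought in line.
    # NOTE(review): add_header is inherited from this level only by blocks that
    # define no add_header of their own. Any server/location in
    # sites-enabled/*.conf that adds a header drops all four of these unless it
    # repeats them - verify against the included files.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    # NOTE(review): X-XSS-Protection is a legacy header that current browsers
    # ignore; kept as the author set it. A Content-Security-Policy is the
    # modern control and is not configured in this file.
    add_header X-XSS-Protection "1; mode=block" always;

    default_type application/octet-stream;

    log_format main
        '$remote_addr - $remote_user [$time_local] '
        '"$request" $status $bytes_sent '
        '"$http_referer" "$http_user_agent" '
        '"$gzip_ratio"';

    # NOTE(review): 10-minute header/body/send timeouts let a slow or idle
    # client hold a connection slot for a long time (nginx defaults are 60s).
    # Left unchanged because the upload/download needs of the included sites
    # are not visible here - confirm these are intentional.
    client_header_timeout 10m;
    client_body_timeout 10m;
    send_timeout 10m;

    connection_pool_size 256;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 16k;
    request_pool_size 4k;

    output_buffers 1 32k;
    postpone_output 1460;

    sendfile on;
    # Do not disclose the nginx version in the Server header or error pages.
    server_tokens off;
    tcp_nopush on;
    tcp_nodelay on;
    server_names_hash_bucket_size 128;

    # 75s server-side idle timeout; the second value is advertised to clients
    # in the "Keep-Alive: timeout=20" response header.
    keepalive_timeout 75 20;

    ignore_invalid_headers on;

    # TLS policy.
    ssl_protocols TLSv1.2 TLSv1.3; # Requires nginx >= 1.13.0 else use TLSv1.2
    ssl_prefer_server_ciphers on;
    # AEAD-only, forward-secret suites for TLS 1.2. The original list also
    # named ECDHE-RSA-AES256-GCM-SHA512 and DHE-RSA-AES256-GCM-SHA512; no such
    # cipher suites exist in TLS/OpenSSL, so they never matched anything and
    # are dropped. The effective cipher set is unchanged.
    # TLS 1.3 suites are not selected by this directive.
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384;
    # Custom DH group for the DHE suite above.
    # NOTE(review): confirm the file holds parameters of at least 2048 bits.
    ssl_dhparam /etc/ssl/nginx/dhparam.pem;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP stapling.
    # NOTE(review): ssl_stapling_verify needs the issuer chain to be trusted,
    # normally via ssl_trusted_certificate in the server blocks; no such
    # directive appears in this file - verify it is set in sites-enabled.
    ssl_stapling on;
    ssl_stapling_verify on;
    # Resolver used for OCSP responder lookups (and any other runtime name
    # resolution).
    # NOTE(review): these are external public resolvers queried over plain
    # DNS; the nginx documentation recommends a resolver on a trusted local
    # network to limit spoofing exposure.
    resolver 77.88.8.8 77.88.8.1 valid=300s;
    resolver_timeout 5s;

    # Compression.
    # NOTE(review): compressing TLS responses that mix secrets with
    # attacker-influenced content is the precondition for BREACH-style
    # length side channels; "gzip_proxied ... auth" also compresses responses
    # to requests carrying an Authorization header. Confirm that the included
    # sites do not reflect request data next to tokens in compressed bodies.
    gzip on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
    gzip_disable "MSIE [1-6]\.";

    # NOTE(review): access logging is off at this level, so the "main"
    # log_format above is unused unless a site enables its own access_log.
    # Without access logs there is no request trail for detection or incident
    # response - confirm each site in sites-enabled turns logging on.
    access_log off;

    include /etc/nginx/sites-enabled/*.conf;
}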