user www-data; # Defines the number of worker processes. Setting it to the number of # available CPU cores should be a good start. The value `auto` will try to # autodetect that. worker_processes auto; # Defines a file that will store the process ID of the main process. # This must match the Systemd unit file. pid /run/nginx.pid; # Load dynamic modules. See /usr/share/nginx/README.dynamic. include /etc/nginx/modules-enabled/*.conf; events { # Sets the maximum number of simultaneous connections that can be opened by # a worker process. worker_connections 1024; } http { # Include mime types for different file extensions. include /etc/nginx/mime.types; # Defines the default MIME type of a response. default_type application/octet-stream; # Sendfile copies data between one file descriptor and other from within the # kernel. This is more efficient than read() and write() since they require # transferring data to and from the user space. sendfile on; # Todo: Write explanation # https://t37.net/nginx-optimization-understanding-sendfile-tcp_nodelay-and-tcp_nopush.html tcp_nopush on; tcp_nodelay on; # Enable on-the-fly gzip compression for larger plain text files and for # proxies applications. gzip on; gzip_comp_level 2; gzip_min_length 1000; gzip_proxied expired no-cache no-store private auth; gzip_types application/javascript application/json application/x-javascript application/xml image/svg+xml text/css text/javascript text/js text/plain text/xml; # Do not send the nginx version number in error pages and Server header server_tokens off; # Ensure Nginx can handle long domain names server_names_hash_bucket_size 128; ## # SSL Settings ## # Turn off old and possibly unsafe SSL protocols. TLSv1 is still necessary # for some older devices but I do not care. ssl_protocols TLSv1.2 TLSv1.3; # Enable session resumption to improve https performance # http://vincent.bernat.im/en/blog/2011-ssl-session-reuse-rfc5077.html ssl_session_cache shared:SSL:50m; ssl_session_timeout 5m; # Enables server-side protection from BEAST attacks # http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html ssl_prefer_server_ciphers on; # Ciphers chosen for forward secrecy and compatibility # http://blog.ivanristic.com/2013/08/configuring-apache-nginx-and-openssl-for-forward-secrecy.html ssl_ciphers HIGH:!aNULL:!MD5:!3DES; ## # Logging Settings ## # Configure error log error_log /var/log/nginx/error.log; # Disable access log access_log off; # Virtual host configs include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; }