# Worker processes run under the unprivileged www-data account.
user www-data;
# Fixed number of worker processes.
worker_processes 4;
# File that stores the master process PID.
pid /run/nginx.pid;

# Load dynamic modules. Every file matching this glob is read at startup, so
# the directory should be writable only by administrators.
# NOTE(review): more_set_headers (used in the http block) is provided by the
# headers-more module, not by nginx core; presumably it is loaded from here.
# Confirm, since the config will not load without it.
include /etc/nginx/modules-enabled/*.conf;

# Connection-processing settings shared by all worker processes.
events {
	# Maximum simultaneous connections per worker. This counts proxied
	# upstream connections as well as client connections. The effective
	# limit is also bounded by the open-file limit, which is not raised
	# in this file.
	worker_connections 4096;
	# Use the Linux epoll connection-processing method.
	use epoll;
	# Let a worker accept all pending new connections at once.
	multi_accept on;
}

# Defaults for every virtual host included at the end of this block.
# Individual server/location blocks may override most of these.
http {
	# General
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;

	# Short client timeouts limit how long a slow or stalled client can hold
	# a connection open. The body and send timeouts apply between two
	# successive read/write operations, not to the whole transfer.
	client_body_timeout 15s;
	client_header_timeout 15s;
	keepalive_timeout 75s;
	send_timeout 15s;

	types_hash_max_size 2048;

	server_names_hash_max_size 2048;
	server_names_hash_bucket_size 128;

	# Buffers for responses read from proxied upstreams.
	proxy_buffer_size 16k;
	proxy_buffers 8 16k;
	proxy_busy_buffers_size 16k;

	# Request size limits. Bodies over client_max_body_size are rejected
	# (413), and oversized request lines or headers are rejected once the
	# large header buffers are exhausted.
	client_body_buffer_size 16k;
	client_header_buffer_size 1k;
	client_max_body_size 8m;
	large_client_header_buffers 4 8k;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	# Security
	# Do not disclose the nginx version in the Server header or error pages.
	server_tokens off;
	
	# Response headers set for all vhosts (headers-more module directive).
	# X-Frame-Options: only same-origin pages may frame responses.
	# X-Content-Type-Options: disables MIME sniffing in browsers.
	# NOTE(review): X-XSS-Protection drives the legacy browser XSS auditor,
	# which current browsers no longer implement. Current OWASP guidance is
	# to send "0" (or omit it) and rely on a Content-Security-Policy.
	# NOTE(review): no Content-Security-Policy or Strict-Transport-Security
	# header is set at this level; confirm the vhosts set them.
	more_set_headers "X-Frame-Options: SAMEORIGIN";
	more_set_headers "X-Content-Type-Options: nosniff";
	more_set_headers "X-XSS-Protection: 1; mode=block";

	# Only TLS 1.2 and 1.3 are accepted.
	ssl_protocols TLSv1.2 TLSv1.3;
	# NOTE(review): P-256 (prime256v1) is not offered; clients that support
	# only that curve cannot complete an ECDHE handshake. Confirm intended.
	ssl_ecdh_curve X25519:secp384r1;
	# Cipher list for TLS 1.2; TLS 1.3 suites are not selected by this
	# directive.
	# NOTE(review): every entry is ECDHE-RSA, so a vhost with an ECDSA-only
	# certificate would share no TLS 1.2 cipher with clients.
	# NOTE(review): ECDHE-RSA-AES256-SHA384 and ECDHE-RSA-AES128-SHA256 are
	# CBC-mode (non-AEAD) suites. Consider dropping them if no client
	# population depends on them.
	ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256;
	# The server's cipher order above takes precedence over the client's.
	ssl_prefer_server_ciphers on;

	# Session resumption uses a 10 MB server-side cache shared by all
	# workers. Session tickets are disabled, so no ticket keys need to be
	# managed or rotated.
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_session_tickets off;

	# OCSP stapling with verification of the stapled response.
	# NOTE(review): verification needs the issuer chain configured as
	# trusted (ssl_trusted_certificate). It is not set here and is
	# presumably in the vhosts; confirm, or stapling will not work.
	ssl_stapling on;
	ssl_stapling_verify on;
	# DNS server used to resolve the OCSP responder hostname (and any other
	# runtime lookups). This is plain DNS, so the resolver and the path to
	# it must be on a trusted network to avoid spoofed answers.
	resolver 10.20.61.1;

	# Gzip
	# text/html is always compressed in addition to the listed types.
	# NOTE(review): compressing TLS responses that contain both a secret and
	# request-influenced content is the precondition for BREACH-style
	# attacks. Check whether vhosts serving such responses should disable
	# gzip for them.
	gzip on;
	gzip_comp_level 4;
	gzip_min_length 1000;
	gzip_types text/plain text/css text/javascript application/javascript application/json image/svg+xml;
	# Emit "Vary: Accept-Encoding" so caches store the variants separately.
	gzip_vary on;

	# Logging
	# $remote_addr is the address of the connecting peer. The value in
	# parentheses is the client-supplied X-Forwarded-For header; treat it as
	# untrusted when reading logs, unless the peer is a known proxy.
	log_format main '$remote_addr ($http_x_forwarded_for) - $remote_user [$time_local] '
	                '"$request" $status $body_bytes_sent '
	                '"$http_referer" "$http_user_agent"';

	access_log /var/log/nginx/access.log main;
	# No level is given, so the default level ("error") applies.
	error_log /var/log/nginx/error.log;

	# Virtual Hosts
	# Every file in this directory is loaded as configuration, so the
	# directory should be writable only by administrators.
	include /etc/nginx/sites-enabled/*;
}
