#user www-data; worker_processes auto; pid /run/nginx.pid; include /etc/nginx/modules-enabled/*.conf; worker_rlimit_nofile 65535; events { worker_connections 10000; # multi_accept on; } http { ## # Main ## sendfile on; tcp_nopush on; tcp_nodelay on; client_header_timeout 180s; client_body_timeout 180s; client_header_buffer_size 2k; client_body_buffer_size 256k; client_max_body_size 1024m; large_client_header_buffers 4 8k; send_timeout 60s; keepalive_timeout 30s; keepalive_requests 1000; reset_timedout_connection on; server_tokens off; add_header X-XSS-Protection "1; mode=block"; server_name_in_redirect off; server_names_hash_max_size 512; server_names_hash_bucket_size 512; charset utf-8; ## # Proxy ## proxy_buffers 256 4k; proxy_buffer_size 32k; proxy_busy_buffers_size 56k; proxy_temp_file_write_size 256k; proxy_connect_timeout 30s; proxy_read_timeout 300s; proxy_send_timeout 180s; set_real_ip_from 172.16.0.0/12; real_ip_header X-Forwarded-For; proxy_hide_header X-Powered-By; ## # Limits # limit_conn_zone $server_name zone=perserver:100m; limit_conn_status 503; limit_req_zone $binary_remote_addr zone=one:100m rate=500r/s; limit_req zone=one burst=100; types_hash_max_size 2048; ## # Mime ## include /etc/nginx/mime.types; default_type application/octet-stream; ## # SSL ## ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ## # Logging ## log_not_found off; access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; ## # Compression ## gzip on; gzip_vary on; gzip_static on; gzip_proxied any; gzip_comp_level 6; gzip_buffers 128 4k; gzip_http_version 1.1; gzip_min_length 1024; gzip_types application/atom+xml application/geo+json application/javascript application/x-javascript application/json application/ld+json application/manifest+json application/rdf+xml application/rss+xml application/xhtml+xml application/xml font/eot font/otf font/ttf image/svg+xml text/css text/javascript text/plain text/xml; ## # Cloudflare ## #include /etc/openpanel/nginx/cloudflare.inc; ## # SSL PCI compliance ## #ssl_buffer_size 1369; #ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"; #ssl_dhparam /etc/ssl/dhparam.pem; #ssl_early_data on; #ssl_ecdh_curve auto; #ssl_prefer_server_ciphers on; #ssl_protocols TLSv1.2 TLSv1.3; #ssl_session_cache shared:SSL:20m; #ssl_session_tickets on; #ssl_session_timeout 7d; #resolver 1.0.0.1 8.8.4.4 1.1.1.1 8.8.8.8 valid=300s ipv6=off; #resolver_timeout 5s; ## # Bypass ## map $http_cookie $no_cache { default 0; ~SESS 1; ~wordpress_logged_in 1; } ## # Wildcard include ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; }