user www-data; worker_processes auto; worker_cpu_affinity auto; worker_rlimit_nofile 100000; pid /run/nginx.pid; pcre_jit on; events { multi_accept on; worker_connections 50000; accept_mutex on; use epoll; } http { ## # EasyEngine Settings ## sendfile on; sendfile_max_chunk 512k; tcp_nopush on; tcp_nodelay on; keepalive_timeout 8; keepalive_requests 500; keepalive_disable msie6; lingering_time 20s; lingering_timeout 5s; server_tokens off; reset_timedout_connection on; add_header X-Powered-By "WordOps v3.9.4 - Optimized by VirtuBox"; add_header rt-Fastcgi-Cache $upstream_cache_status; # Limit Request limit_req_status 403; limit_req_zone $remote_addr_ipscrub zone=one:10m rate=1r/s; ## # Simple DOS mitigation ## # Max c/s by ip #limit_conn_zone $binary_remote_addr zone=limit_per_ip:10m; #limit_conn limit_per_ip 80; # Max rq/s by ip #limit_req_zone $binary_remote_addr zone=allips:10m rate=400r/s; #limit_req zone=allips burst=400 nodelay; # Proxy Settings # set_real_ip_from proxy-server-ip; # real_ip_header X-Forwarded-For; fastcgi_read_timeout 120s; client_max_body_size 100m; # See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/ aio threads; # tls dynamic records patch directive ssl_dyn_rec_enable on; ssl_dyn_rec_size_hi 4229; ssl_dyn_rec_size_lo 1369; ssl_dyn_rec_threshold 40; ssl_dyn_rec_timeout 1000; # nginx-vts-status module vhost_traffic_status_zone; # oscp settings resolver 8.8.8.8 1.1.1.1 valid=300s; resolver_timeout 10; ## # GeoIP module configuration, before removing comments # read the tutorial : https://gist.github.com/VirtuBox/9ed03c9bd9169202c358a8be181b7840 ## #geoip_country /usr/share/GeoIP/GeoIP.dat; #geoip_city /usr/share/GeoIP/GeoIPCity.dat; ## # SSL Settings ## # SSL Early Data ssl_early_data off; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'TLS13+AESGCM+AES128:TLS13+AESGCM+AES256:TLS13+CHACHA20:EECDH+AESGCM:EECDH+CHACHA20'; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:50m; ssl_session_timeout 1d; ssl_session_tickets off; ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1; # Common security headers more_set_headers "X-Frame-Options : SAMEORIGIN"; more_set_headers "X-Xss-Protection : 1; mode=block"; more_set_headers "X-Content-Type-Options : nosniff"; more_set_headers "Referrer-Policy : strict-origin-when-cross-origin"; more_set_headers "X-Download-Options : noopen"; ## # Basic Settings ## # server_names_hash_bucket_size 64; # server_name_in_redirect off; include /etc/nginx/mime.types; default_type application/octet-stream; ## # Logging Settings ## # disable access_log for performance access_log off; error_log /var/log/nginx/error.log; # Log format Settings - user IP hashed with the module ipscrub log_format rt_cache '$remote_addr_ipscrub $upstream_response_time $upstream_cache_status [$time_local] ' '$http_host "$request" $status $body_bytes_sent ' '"$http_referer" "$http_user_agent" $server_protocol'; # ipscrub settings ipscrub_period_seconds 3600; ## # Gzip Settings ## # mitigation of CRIME/BREACH attacks gzip off; ## # Brotli Settings ## brotli on; brotli_static on; brotli_buffers 16 8k; brotli_comp_level 4; brotli_types *; ## # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; } #mail { # # See sample authentication script at: # # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript # # # auth_http localhost/auth.php; # # pop3_capabilities "TOP" "USER"; # # imap_capabilities "IMAP4rev1" "UIDPLUS"; # # server { # listen localhost:110; # protocol pop3; # proxy on; # } # # server { # listen localhost:143; # protocol imap; # proxy on; # } #}