user www-data;
worker_processes 8; # Number of CPU Cores
pid /run/nginx.pid;

events {
        worker_connections 16384;
        multi_accept on;
        use epoll;
}

# worker_rlimit_nofile = (worker_connections * 1) + 500
# worker_rlimit_nofile = (worker_connections * 2) + 500 if you use nginx as reverse proxy

worker_rlimit_nofile 16884;

http {
        ##
        # Basic Settings
        ##

        server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##VirtualHosts and configs includes
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;

        #NAXSI
        include /etc/nginx/naxsi/naxsi_core.rules;

        ##
        # TLS
        ##

        ssl_protocols TLSv1.2;
        ssl_ecdh_curve X25519:sect571r1:secp521r1:secp384r1;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_ciphers 'EECDH+AESGCM:EECDH+CHACHA20';
        ssl_prefer_server_ciphers on;


        ##
        # Headers
        ##

	##Less Verbose for Nginx headers
	server_tokens off;

	##Common headers for security

        more_set_headers "Strict-Transport-Security : max-age=15768000; includeSubDomains; preload";
        more_set_headers "X-Frame-Options : SAMEORIGIN";
        more_set_headers "Content-Security-Policy : default-src https: data: 'unsafe-inline' 'unsafe-eval' always";
        more_set_headers "X-Xss-Protection : 1; mode=block";
        more_set_headers "X-Content-Type-Options : nosniff";
        more_set_headers "Referrer-Policy : strict-origin-when-cross-origin";
        more_set_headers "Server : Follow the white rabbit.";

	##OCSP settings
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/ssl/private/ocsp-certs.pem;
        resolver 8.8.4.4 8.8.8.8 valid=300s;
        resolver_timeout 5s;

        ##
        # Logging
        ##

        access_log /var/log/nginx/access.log; #Disabled for performance

        #access_log off;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip
        ##

        gzip on;
        gzip_disable "msie6";
        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_http_version 1.1;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;


        ##
        # GeoIP
        ##

        #GeoIP (optional)
        geoip_country  /usr/local/share/GeoIP/GeoIP.dat;
        geoip_city     /usr/local/share/GeoIP/GeoLiteCity.dat;


        ##
        # Performance and Cache
        ##

	#See - https://www.nginx.com/blog/thread-pools-boost-performance-9x/
        aio threads;

	#Simple DOS mitigation
        ##Max c/s by ip
        limit_conn_zone $binary_remote_addr zone=limit_per_ip:4m;
        limit_conn limit_per_ip 2000;

        ##Max rq/s by ip
        limit_req_zone $binary_remote_addr zone=allips:4m rate=2000r/s;
        limit_req zone=allips burst=3000 nodelay;

        #PHP
        fastcgi_buffers 256 32k;
        fastcgi_buffer_size 256k;
        fastcgi_connect_timeout 4s;
        fastcgi_send_timeout 120s;
        fastcgi_read_timeout 120s;
        fastcgi_busy_buffers_size 512k;
        fastcgi_temp_file_write_size 512K;
        reset_timedout_connection on;

        #Others
        open_file_cache max=2000 inactive=20s;
        open_file_cache_valid 60s;
        open_file_cache_min_uses 5;
        open_file_cache_errors off;

        client_max_body_size 50M;
        client_body_buffer_size 1m;
        client_body_timeout 15;
        client_header_timeout 15;
        keepalive_timeout 65;
        send_timeout 15;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
}