user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
  worker_connections 1024;
  multi_accept on;
  use epoll;
}

http {
  resolver 10.23.54.2 valid=300s;
  resolver_timeout 10s;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_requests 20000;
  reset_timedout_connection on;
  types_hash_max_size 2048;
  server_tokens off;
  open_file_cache max=20000 inactive=30s;
  open_file_cache_valid 60s;
  open_file_cache_min_uses 2;
  open_file_cache_errors on;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;

  log_format main '[$time_local] [$host] [$remote_addr] [$server_name] $upstream_addr "$request" "$request_time" "$upstream_response_time" "$upstream_connect_time" "$upstream_header_time" $status "$http_user_agent" "$http_x_forwarded_for"';

  access_log /var/log/nginx/access.log main;
  error_log /var/log/nginx/error.log;

  map $http_user_agent $loggable {
    ~^ELB-HealthChecker 0;
    default             1;
  }

  gzip on;
  gzip_disable "msie6";
  gzip_vary off;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_types
  application/atom+xml
  application/javascript
  application/x-javascript
  application/json
  application/ld+json
  application/manifest+json
  application/rss+xml
  application/vnd.geo+json
  application/vnd.ms-fontobject
  application/x-font-ttf
  application/x-web-app-manifest+json
  application/xhtml+xml
  application/xml
  application/xml+rss
  font/opentype
  image/bmp
  image/svg+xml
  image/x-icon
  text/cache-manifest
  text/css
  text/js
  text/javascript
  text/xml
  text/plain
  text/vcard
  text/vnd.rim.location.xloc
  text/vtt
  text/x-component
  text/x-cross-domain-policy
  font/otf
  application/otf
  application/x-otf;

  add_header X-Frame-Options SAMEORIGIN;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
 # add_header X-Frame-Options deny;
  add_header X-Permitted-Cross-Domain-Policies none;
  add_header Referrer-Policy same-origin;
  add_header Content-Security-Policy "default-src * 'unsafe-inline' 'unsafe-eval'; script-src * 'unsafe-inline' 'unsafe-eval'; connect-src * 'unsafe-inline'; img-src * data: blob: 'unsafe-inline'; frame-src *; style-src * 'unsafe-inline';";

  proxy_hide_header X-Powered-By;
  proxy_hide_header Server;
  proxy_hide_header server;
  proxy_hide_header X-Generator;
  fastcgi_hide_header X-Generator;

  port_in_redirect off;

  client_body_buffer_size 100K;
  client_header_buffer_size 1k;
  client_max_body_size 200M;
  large_client_header_buffers 4 256k;

  client_header_timeout 10;
  client_body_timeout 10;
  keepalive_timeout 5 5;
  send_timeout 10;

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
}