# -------------------------------------------------------------------------------------------------------------------- # # GENERAL # -------------------------------------------------------------------------------------------------------------------- # client_body_timeout 10; client_max_body_size 64m; keepalive_requests 100; large_client_header_buffers 8 512k; real_ip_header 'X-Real-IP'; real_ip_recursive off; reset_timedout_connection on; resolver 8.8.8.8 8.8.4.4 ipv6=off; send_timeout 2; sendfile on; server_tokens off; tcp_nopush on; types_hash_max_size 4096; # -------------------------------------------------------------------------------------------------------------------- # # ACME # -------------------------------------------------------------------------------------------------------------------- # acme_client example 'https://acme-v02.api.letsencrypt.org/directory' enabled=off challenge=http; acme_client_path '/etc/ssl/acme'; # -------------------------------------------------------------------------------------------------------------------- # # HTTP 2/3 # -------------------------------------------------------------------------------------------------------------------- # http2 on; http3 on; quic_gso on; quic_retry on; add_header 'Alt-Svc' 'h3=":$server_port"; ma=86400'; # -------------------------------------------------------------------------------------------------------------------- # # SSL # -------------------------------------------------------------------------------------------------------------------- # ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305'; ssl_dhparam '/etc/ssl/_ssc/dhparam.pem'; ssl_ecdh_curve 'X25519:prime256v1:secp384r1'; ssl_protocols TLSv1.2 TLSv1.3; ssl_buffer_size 8k; ssl_early_data on; ssl_prefer_server_ciphers off; ssl_stapling on; ssl_stapling_verify on; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_session_timeout 1d; # -------------------------------------------------------------------------------------------------------------------- # # HEADERS # -------------------------------------------------------------------------------------------------------------------- # add_header 'Strict-Transport-Security' 'max-age=63072000; includeSubDomains; preload' always; add_header 'X-Content-Type-Options' 'nosniff'; add_header 'X-Frame-Options' 'SAMEORIGIN'; add_header 'X-XSS-Protection' '1; mode=block'; # -------------------------------------------------------------------------------------------------------------------- # # PROXY # -------------------------------------------------------------------------------------------------------------------- # # proxy_connect_timeout 300; # proxy_http_version '1.1'; # proxy_read_timeout 300; # proxy_redirect off; # proxy_set_header 'Host' $http_host; # proxy_set_header 'Upgrade' $http_upgrade; # proxy_set_header 'X-Forwarded-For' $proxy_add_x_forwarded_for; # proxy_set_header 'X-Forwarded-Proto' $scheme; # proxy_set_header 'X-Forwarded-Ssl' on; # proxy_set_header 'X-Real-IP' $remote_addr; # -------------------------------------------------------------------------------------------------------------------- # # BROTLI # -------------------------------------------------------------------------------------------------------------------- # brotli on; brotli_comp_level 6; brotli_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml text/$; # -------------------------------------------------------------------------------------------------------------------- # # GZIP # -------------------------------------------------------------------------------------------------------------------- # gzip on; gzip_buffers 16 8k; gzip_comp_level 5; gzip_disable 'msie6'; gzip_http_version '1.1'; gzip_proxied any; gzip_static on; gzip_vary off; gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/javascript text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy text/$; # -------------------------------------------------------------------------------------------------------------------- # # ZSTD # -------------------------------------------------------------------------------------------------------------------- # zstd on; zstd_comp_level 3; zstd_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/x-javascript application/xhtml+xml application/xml font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml text/$;