user www-data; worker_processes auto; worker_rlimit_nofile 1024; include /etc/nginx/modules-enabled/*.conf; events { worker_connections 512; multi_accept off; } http { ## # Basic Settings ## sendfile on; tcp_nopush on; tcp_nodelay on; gzip off; server_tokens off; keepalive_timeout 30; include /etc/nginx/mime.types; ## # SSL Settings ## ssl_certificate {{ reverse_proxy['ssl_certificate_file'] }}; ssl_certificate_key {{ reverse_proxy['ssl_certificate_key_file'] }}; ssl_trusted_certificate {{ reverse_proxy['ssl_trusted_certificate_file'] }}; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam ssl_dhparam /etc/nginx/dhparam.txt; ssl_prefer_server_ciphers on; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; ssl_stapling on; ssl_stapling_verify on; ## # Logging Settings ## access_log /var/log/nginx/access.log; error_log /var/log/nginx/error.log; ## # Headers ## resolver {{ reverse_proxy['resolver'] }}; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Scheme $scheme; # Needed to support websocket connections # See: https://nginx.org/en/docs/http/websocket.html # Instead of "close" as stated in the above link we send an empty value. # Else all keepalive connections will not work. map $http_upgrade $connection_upgrade { default upgrade; '' ""; } ## # Virtual Host Configs ## include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; }