vps/roles/reverse-proxy/templates/nginx.conf

user www-data;
worker_processes auto;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	multi_accept off;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;

	gzip off;
	types_hash_max_size 2048;
	server_tokens off;
	keepalive_timeout 65;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_certificate {{ reverse_proxy['ssl_certificate_file'] }};
	ssl_certificate_key {{ reverse_proxy['ssl_certificate_key_file'] }};
	ssl_trusted_certificate {{ reverse_proxy['ssl_trusted_certificate_file'] }};

	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
	# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
	ssl_dhparam /etc/nginx/dhparam.txt;

	ssl_prefer_server_ciphers on;

	ssl_session_timeout 1d;
	ssl_session_cache shared:MozSSL:10m;
	ssl_session_tickets off;

	ssl_stapling on;
	ssl_stapling_verify on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Headers
	##

	resolver {{ reverse_proxy['resolver'] }};

	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
	# add_header X-Robots-Tag "noindex, nofollow" always;
	add_header Set-Cookie "Path=/; HttpOnly; Secure";

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-Port $server_port;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Forwarded-Scheme $scheme;

	# Needed to support websocket connections
	# See: https://nginx.org/en/docs/http/websocket.html
	# Instead of "close" as stated in the above link we send an empty value.
	# Else all keepalive connections will not work.
	map $http_upgrade $connection_upgrade {
		default upgrade;
		''      "";
	}

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}