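# Main context.
# Worker processes run as an unprivileged account. The master still binds
# privileged ports as root, but request handling is confined to this user, so
# a flaw in a module or upstream handler does not hand out root. The account
# needs read access to the site files and to the FastCGI/upstream sockets.
# (Previously `user root;`, which removes that boundary entirely.)
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log notice;
worker_rlimit_nofile 65535;
include /etc/nginx/modules-enabled/*.conf;

events {
    use epoll;
    worker_connections 65535;
    # multi_accept on;
    epoll_events 512;
}

http {
    ##
    # Basic Settings
    ##
    geoip_country /etc/nginx/geoip/GeoIP.dat;     # the country IP database
    geoip_city /etc/nginx/geoip/GeoLiteCity.dat;  # the city IP database

    # Client address recovery. Only the ranges listed below may rewrite
    # $remote_addr, and with real_ip_header left at its default the header
    # consulted is X-Real-IP. Any other header (X-Forwarded-For,
    # CF-Connecting-IP) is plain client input unless the proxy that sets it is
    # added to set_real_ip_from and named in real_ip_header.
    real_ip_recursive on;
    set_real_ip_from 127.0.0.1;
    set_real_ip_from 10.0.0.0/8;
    set_real_ip_from 172.16.0.0/12;
    set_real_ip_from 192.168.0.0/16;
    #real_ip_header X-Forwarded-For;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # $http_cf_connecting_ip is copied verbatim from the request; it is only
    # a trustworthy client address when the request arrived through a proxy
    # that overwrites that header on the way in.
    log_format cloudflare '$http_cf_connecting_ip - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

    ##
    # Define fastcgi_cache settings
    ##
    # FastCGI Cache Settings
    # The key carries scheme, method, host, URI and the language cookie only —
    # nothing that identifies a user or session.
    fastcgi_cache_key "$scheme$request_method$host$request_uri$cookie_pll_language";
    fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
    fastcgi_cache_methods GET HEAD;
    fastcgi_buffers 256 32k;          # Reduced number of buffers, still maintaining good performance
    fastcgi_buffer_size 256k;         # Reduced to better match common response sizes
    fastcgi_connect_timeout 3s;       # Reduced to fail faster
    fastcgi_send_timeout 180s;        # Increased for better reliability with slow upstream
    fastcgi_busy_buffers_size 512k;
    fastcgi_temp_file_write_size 512k;
    # $http_host is the client-supplied Host header. Applications that build
    # URLs or checks from SERVER_NAME must only be reachable through server
    # blocks with explicit server_name, with a default_server that rejects
    # unknown hosts.
    fastcgi_param SERVER_NAME $http_host;
    # Ignoring Set-Cookie allows nginx to cache responses that set cookies
    # (by default such responses are never cached). With the per-user-free
    # cache key above this is only safe if the server blocks that turn
    # fastcgi_cache on also bypass it for authenticated or personalised
    # requests (fastcgi_cache_bypass / fastcgi_no_cache); otherwise one
    # user's response can be served to another.
    fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
    fastcgi_keep_conn on;
    fastcgi_cache_lock on;
    fastcgi_cache_lock_age 1s;        # Increased to reduce cache stampede
    fastcgi_cache_lock_timeout 5s;    # Increased for better reliability

    # Proxy Settings
    proxy_buffers 4 256k;             # Optimized for typical response sizes
    proxy_buffer_size 128k;           # Adjusted for headers
    proxy_busy_buffers_size 256k;     # Reduced to save memory
    # Was 600 with a "fail faster" comment. The OS normally abandons a TCP
    # connect attempt after ~75s anyway, so 600 never took effect; 60s
    # documents the real intent.
    proxy_connect_timeout 60s;
    proxy_send_timeout 600;           # 10 min: tolerates slow upstream reads, but holds the worker connection that long on a stall
    proxy_read_timeout 600;           # 10 min: same trade-off for long-running upstream responses

    # TCP Settings
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # aio threads;                    # Enable async I/O with threads
    # directio 512;                   # Enable direct I/O for files > 512 bytes

    # Timeout Settings
    send_timeout 60;                  # Reduced to free resources faster
    keepalive_timeout 65;             # Optimal for most cases
    keepalive_requests 2048;          # Increased for better performance

    # Client Request Settings
    client_body_buffer_size 16k;      # Increased for better performance
    client_header_buffer_size 2k;     # Increased slightly
    large_client_header_buffers 4 8k; # nginx default
    client_body_timeout 15;           # Reduced for faster failure detection
    client_header_timeout 15;         # Reduced for faster failure detection
    client_max_body_size 100M;        # Increased to handle larger uploads; bounds request-body memory/disk per connection

    # Performance Settings
    server_tokens off;
    port_in_redirect off;
    # An `access_log off;` used to sit here. `off` cancels every access_log
    # directive on the same level regardless of order, so the
    # /var/log/nginx/access.log entry under Logging Settings was silently
    # disabled. Removed so that request logging actually happens.

    # File Cache Settings
    open_file_cache max=500000 inactive=60s; # Increased cache size
    open_file_cache_valid 120s;       # Increased validity
    open_file_cache_min_uses 2;       # Reduced to cache more files
    open_file_cache_errors on;
    types_hash_max_size 4096;         # Increased for more MIME types

    map $scheme $fastcgi_https {      ## Detect when HTTPS is used
        default off;
        https on;
    }

    include /etc/nginx/blocked_ips;
    # include /etc/nginx/blocked_bots;

    pagespeed off;
    pagespeed XHeaderValue 1;

    ##
    # SSL Settings - Hardened Configuration
    ##
    ssl_conf_command Options KTLS;    # Kernel TLS for better performance
    # TLS 1.3 ciphersuites only; AES-128-GCM is deliberately excluded.
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256;
    # TLS 1.3 only - no fallback to older versions
    ssl_protocols TLSv1.3;
    # Session resumption via the shared server-side cache only; tickets are
    # off so no long-lived ticket key has to be protected or rotated.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 4h;
    ssl_session_tickets off;
    # Restricts key exchange to P-384. This excludes X25519, which costs
    # interoperability and CPU rather than adding strength.
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;     # No effect on TLS 1.3 suites; harmless
    # Resolvers are used by nginx for OCSP fetches and upstream lookups;
    # nginx does not validate DNSSEC itself.
    resolver 9.9.9.9 149.112.112.112 valid=3600s;
    resolver_timeout 2s;
    # OCSP Stapling. With ssl_stapling_verify on, each server block needs an
    # ssl_trusted_certificate for the verification to succeed.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem; # Unused under TLS 1.3 (named groups only); kept for compatibility
    # 0-RTT data can be replayed by a network attacker. Disabled by default;
    # if re-enabled, pass `Early-Data $ssl_early_data` to the upstream so the
    # application can refuse non-idempotent early requests.
    ssl_early_data off;

    # Strict security headers.
    # Note: add_header is not merged — any add_header inside a server or
    # location block replaces this whole list, so HSTS must be repeated there.
    add_header Strict-Transport-Security "max-age=63072000" always;
    # HTTP/3 advertisement only; the listener itself is configured per server.
    add_header alt-svc 'h3-27=":443"; ma=86400, h3-28=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400';

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##
    # Default "combined" format; the `main` and `cloudflare` formats above are
    # available to server blocks that want the forwarded-for fields.
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Limit the requests for php
    ##
    # Zones only; limit_conn / limit_req must be applied in server blocks.
    limit_conn_zone $binary_remote_addr zone=perip:10m;
    limit_req_zone $binary_remote_addr zone=limit:10m rate=1r/s;

    ##
    # Gzip Settings
    ##
    # Compression of dynamic responses that echo client input next to secrets
    # (CSRF tokens, session data) exposes them to compression side channels
    # (BREACH); static assets and public pages are unaffected.
    gzip on;
    # gzip_static on;
    gzip_min_length 1000;
    gzip_http_version 1.1;
    gzip_comp_level 5;
    gzip_disable "MSIE [4-6]\.";
    gzip_proxied any;
    gzip_vary on;
    gzip_types text/plain text/xml text/css text/javascript application/json application/javascript application/x-javascript application/ecmascript application/xml application/rss+xml application/atom+xml application/rdf+xml application/xml+rss application/xhtml+xml application/x-font-ttf application/x-font-opentype application/vnd.ms-fontobject image/svg+xml image/x-icon application/atom_xml;
    gzip_buffers 32 16k;

    ##
    # Brotli Settings
    ##
    brotli on;
    brotli_comp_level 8;
    brotli_static on;
    brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript image/png image/gif image/jpeg application/javascript image/svg+xml;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*.conf;
}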