nginx_core.txt

user www-data www-data;
worker_processes  2;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections  2048;
}

worker_rlimit_nofile 4096;

http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
#    tcp_nopush     on;

    ssl_dhparam                /var/local/dhparam2048.pem;
    ssl_buffer_size            4k;
    ssl_session_cache          shared:SSL:50m;
    ssl_session_timeout        10m;
    ssl_session_tickets        off;
    ssl_stapling               on;
    ssl_stapling_verify        on;
    ssl_protocols              TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers  on;
    ssl_ciphers                ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    resolver 8.8.8.8 8.8.4.4;
    resolver_timeout 10s;

    keepalive_timeout  65;

    # Note that there are known attacks against SSL-enabled compression.  Enabling this is not recommended.
    #gzip  on;

    large_client_header_buffers 8 16k;
    client_max_body_size 100m;
    index              index.php index.html index.htm;

    # Upstream to abstract backend connection(s) for PHP.
    upstream php {
#        server unix:/tmp/php-fpm.sock;
        server 127.0.0.1:9000;
    }

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    include /etc/nginx/sites-enabled/*.conf;
}