dream-setup/nginx/nginx.conf

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent bytes "$http_referer" '
                      '"$http_x_forwarded_for"';

    # While I removed PII from the above log format, still better not logging
    access_log  /dev/null main; # /var/log/nginx/access.log main;


    server_tokens off;

    sendfile        on;
    tcp_nopush     on;

    quic_retry on;
    quic_gso on;
    ssl_early_data on; # READ https://blog.cloudflare.com/introducing-0-rtt/#whats-the-catch

    keepalive_timeout  65;

    gzip  on;
    gzip_types *;
    gzip_min_length 1000;
    gzip_proxied any;

    http2 on;

    add_header Alt-Svc 'h3=":443"; ma=86400';

    # modern configuration
    ssl_protocols TLSv1.3;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    ssl_prefer_server_ciphers off;

    # Make sure to generate it first
    ssl_dhparam /etc/ssl/dhparam.pem;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # replace with the IP address of your resolver;
    # async 'resolver' is important for proper operation of OCSP stapling
    resolver 2001:4860:4860::8888 2001:4860:4860::8844;

    # If certificates are marked OCSP Must-Staple, consider managing the
    # OCSP stapling cache with an external script, e.g. certbot-ocsp-fetcher

    # HTTPS redirect
    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        return 301 https://$host$request_uri;
    }

    # default HTTPS server
    server {
        listen 443 ssl default_server;
        listen 443 quic reuseport default_server;
        listen [::]:443 ssl default_server;

        server_name _;

        # Make sure to generate
        ssl_certificate snakeoil.pem;
        ssl_certificate_key snakeoil.key;
    }

    include /etc/nginx/conf.d/*.conf;
}
Add nginx/nginx.conf 2025-01-07 15:27:56 +01:00			`user nginx;`
			`worker_processes auto;`

Update nginx/nginx.conf 2025-01-07 16:17:23 +01:00			`error_log /var/log/nginx/error.log notice;`
Add nginx/nginx.conf 2025-01-07 15:27:56 +01:00			`pid /var/run/nginx.pid;`

			`events {`
			`worker_connections 1024;`
			`}`


			`http {`
			`include /etc/nginx/mime.types;`
			`default_type application/octet-stream;`

			`log_format main '$remote_user [$time_local] "$request" '`
Update nginx/nginx.conf 2025-01-07 16:17:23 +01:00			`'$status $body_bytes_sent bytes "$http_referer" '`
			`'"$http_x_forwarded_for"';`

			`# While I removed PII from the above log format, still better not logging`
			`access_log /dev/null main; # /var/log/nginx/access.log main;`
Add nginx/nginx.conf 2025-01-07 15:27:56 +01:00

			`server_tokens off;`

			`sendfile on;`
			`tcp_nopush on;`

			`quic_retry on;`
			`quic_gso on;`
Update nginx/nginx.conf 2025-01-08 11:06:09 +01:00			`ssl_early_data on; # READ https://blog.cloudflare.com/introducing-0-rtt/#whats-the-catch`
Add nginx/nginx.conf 2025-01-07 15:27:56 +01:00
			`keepalive_timeout 65;`

			`gzip on;`
Update nginx/nginx.conf 2025-01-08 10:41:03 +01:00			`gzip_types *;`
			`gzip_min_length 1000;`
			`gzip_proxied any;`

Update nginx/nginx.conf 2025-01-07 16:08:34 +01:00			`http2 on;`

			`add_header Alt-Svc 'h3=":443"; ma=86400';`

Update nginx/nginx.conf 2025-01-07 15:39:12 +01:00			`# modern configuration`
			`ssl_protocols TLSv1.3;`
			`ssl_ecdh_curve X25519:prime256v1:secp384r1;`
			`ssl_prefer_server_ciphers off;`

Update nginx/nginx.conf 2025-01-07 16:08:34 +01:00			`# Make sure to generate it first`
			`ssl_dhparam /etc/ssl/dhparam.pem;`

Update nginx/nginx.conf 2025-01-07 15:39:12 +01:00			`# OCSP stapling`
			`ssl_stapling on;`
			`ssl_stapling_verify on;`

			`# replace with the IP address of your resolver;`
			`# async 'resolver' is important for proper operation of OCSP stapling`
			`resolver 2001:4860:4860::8888 2001:4860:4860::8844;`

			`# If certificates are marked OCSP Must-Staple, consider managing the`
			`# OCSP stapling cache with an external script, e.g. certbot-ocsp-fetcher`

			`# HTTPS redirect`
			`server {`
			`listen 80 default_server;`
			`listen [::]:80 default_server;`

			`return 301 https://$host$request_uri;`
			`}`

Update nginx/nginx.conf 2025-01-07 15:41:27 +01:00			`# default HTTPS server`
			`server {`
			`listen 443 ssl default_server;`
			`listen 443 quic reuseport default_server;`
			`listen [::]:443 ssl default_server;`

Update nginx/nginx.conf 2025-01-07 17:31:52 +01:00			`server_name _;`

Update nginx/nginx.conf 2025-01-07 16:08:34 +01:00			`# Make sure to generate`
			`ssl_certificate snakeoil.pem;`
			`ssl_certificate_key snakeoil.key;`
Update nginx/nginx.conf 2025-01-07 15:41:27 +01:00			`}`

Add nginx/nginx.conf 2025-01-07 15:27:56 +01:00			`include /etc/nginx/conf.d/*.conf;`
			`}`