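user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Client addresses were deliberately dropped from this format. Note that
    # $http_x_forwarded_for is a request header and therefore still carries
    # whatever the client (or an upstream proxy) chose to put in it.
    log_format main '$remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent bytes "$http_referer" '
                    '"$http_x_forwarded_for"';

    # While I removed PII from the above log format, still better not logging
    access_log /dev/null main;
    # access_log /var/log/nginx/access.log main;

    server_tokens off;
    sendfile on;
    tcp_nopush on;

    # QUIC / HTTP/3 transport tuning
    quic_retry on;
    quic_gso on;

    # 0-RTT trades replay protection for latency (see the link). Any server or
    # location that proxies to a backend should forward $ssl_early_data to it
    # (nginx documents the "Early-Data" request header for this) so the
    # application can refuse replayable non-idempotent requests.
    ssl_early_data on; # READ https://blog.cloudflare.com/introducing-0-rtt/#whats-the-catch

    keepalive_timeout 65;

    # Compressing responses that mix attacker-influenced input with secrets
    # (CSRF tokens, session identifiers) over TLS exposes a BREACH-style
    # side channel. gzip_types * applies to every MIME type; consider narrowing
    # it to static types or disabling gzip per location for such responses.
    gzip on;
    gzip_types *;
    gzip_min_length 1000;
    gzip_proxied any;

    http2 on;

    # Advertise HTTP/3. add_header is not inherited into any server/location
    # block that declares its own add_header, so repeat this directive there
    # (or move it into a shared include) or h3 advertisement silently stops.
    add_header Alt-Svc 'h3=":443"; ma=86400';

    # modern configuration
    ssl_protocols TLSv1.3;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    ssl_prefer_server_ciphers off;

    # Make sure to generate it first
    # With TLSv1.3 as the only enabled protocol these parameters are not used
    # for key exchange (groups come from ssl_ecdh_curve); they are kept so that
    # re-enabling TLSv1.2 later does not fall back to nginx's built-in defaults.
    ssl_dhparam /etc/ssl/dhparam.pem;

    # OCSP stapling
    # ssl_stapling_verify needs the issuer chain, either included in
    # ssl_certificate or given via ssl_trusted_certificate; nginx skips
    # stapling (with a warning) for self-signed certificates such as the
    # snakeoil pair in the default server below.
    ssl_stapling on;
    ssl_stapling_verify on;

    # replace with the IP address of your resolver;
    # async 'resolver' is important for proper operation of OCSP stapling
    resolver 2001:4860:4860::8888 2001:4860:4860::8844;

    # If certificates are marked OCSP Must-Staple, consider managing the
    # OCSP stapling cache with an external script, e.g. certbot-ocsp-fetcher

    # HTTPS redirect
    # $host is taken from the request, which is what a catch-all needs; a
    # per-site server block should redirect to its fixed hostname instead so
    # a forged Host header cannot steer the redirect.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        return 301 https://$host$request_uri;
    }

    # default HTTPS server (catch-all for unknown SNI / Host values)
    server {
        listen 443 ssl default_server;
        listen 443 quic reuseport default_server;
        listen [::]:443 ssl default_server;
        # Alt-Svc above advertises h3 on :443 to every client, so the IPv6
        # side must accept QUIC as well; without this line IPv6 clients keep
        # probing a UDP port nothing listens on before falling back.
        listen [::]:443 quic reuseport default_server;
        server_name _;

        # Make sure to generate
        # (Alternative: `ssl_reject_handshake on;` closes handshakes for
        # unknown server names without needing a placeholder certificate.)
        ssl_certificate snakeoil.pem;
        ssl_certificate_key snakeoil.key;
    }

    include /etc/nginx/conf.d/*.conf;
}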