user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent bytes "$http_referer" '
                      '"$http_x_forwarded_for"';

    # While I removed PII from the above log format, still better not logging
    access_log  /dev/null main; # /var/log/nginx/access.log main;


    server_tokens off;

    sendfile        on;
    tcp_nopush     on;

    quic_retry on;
    ssl_early_data on;
    quic_gso on;

    keepalive_timeout  65;

    gzip  on;
    http2 on;

    add_header Alt-Svc 'h3=":443"; ma=86400';


    # modern configuration
    ssl_protocols TLSv1.3;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    ssl_prefer_server_ciphers off;

    # Make sure to generate it first
    ssl_dhparam /etc/ssl/dhparam.pem;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # replace with the IP address of your resolver;
    # async 'resolver' is important for proper operation of OCSP stapling
    resolver 2001:4860:4860::8888 2001:4860:4860::8844;

    # If certificates are marked OCSP Must-Staple, consider managing the
    # OCSP stapling cache with an external script, e.g. certbot-ocsp-fetcher

    # HTTPS redirect
    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        return 301 https://$host$request_uri;
    }

    # default HTTPS server
    server {
        listen 443 ssl default_server;
        listen 443 quic reuseport default_server;
        listen [::]:443 ssl default_server;

        # Make sure to generate
        ssl_certificate snakeoil.pem;
        ssl_certificate_key snakeoil.key;
    }

    include /etc/nginx/conf.d/*.conf;
}