nginx.conf

worker_processes auto;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

      # Basic Settings
      sendfile on;
      tcp_nopush on;
      tcp_nodelay on;
      keepalive_timeout 65;
      types_hash_max_size 2048;
      server_tokens off;

      # server_names_hash_bucket_size 64;
      # server_name_in_redirect off;

      # Gzip Settings
      gzip on;
      gzip_disable "msie6";
      gzip_vary on;
      gzip_proxied any;
      gzip_comp_level 6;
      gzip_buffers 32 16k;
      gzip_http_version 1.1;
      gzip_min_length 250;
      gzip_types image/jpeg image/bmp image/svg+xml text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon;

      include /etc/nginx/mime.types;
      default_type application/octet-stream;

      # SSL Settings
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
      ssl_prefer_server_ciphers on;

      # Optimize session cache
      ssl_session_cache shared:SSL:50m;
      ssl_session_timeout 1d;

      # Enable session tickets
      ssl_session_tickets off;

      # OCSP Stapling
      ssl_stapling on;
      ssl_stapling_verify on;
      resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=60s;
      resolver_timeout 2s;

      # security headers
      add_header X-Frame-Options "SAMEORIGIN" always;
      add_header X-XSS-Protection "1; mode=block" always;
      add_header X-Content-Type-Options "nosniff" always;
      add_header Referrer-Policy "no-referrer-when-downgrade" always;
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
      add_header X-Cache-Status $upstream_cache_status;

      # Logging Settings
      access_log /var/log/nginx/access.log;
      error_log /var/log/nginx/error.log;

      # limits
      limit_req_log_level warn;
      limit_req_zone $binary_remote_addr zone=reqlimit:10m rate=10r/m;
      limit_conn_zone $binary_remote_addr zone=connlimit:100m;

      include /etc/nginx/conf.d/*.conf;
      include /etc/nginx/sites-enabled/*;
}