nginx.conf

worker_processes auto;
pid /var/run/nginx.pid;

events {
	use epoll;
	worker_connections 1024;
	multi_accept on;
}

http {

	limit_req_zone $binary_remote_addr zone=ddos:10m rate=50r/s;
	log_format superadmin '{"method":"$request_method","url":"$request_uri","created":"$time_iso8601","ip":"$remote_addr","duration":"$request_time","status":$status,"referrer":"$http_referrer","useragent":"$http_user_agent","response":$body_bytes_sent,"request":$request_length}';

	server {
		location / {
			limit_req zone=ddos burst=20 nodelay;
		}
	}

	underscores_in_headers on;
	client_body_buffer_size 10K;
	client_header_buffer_size 1k;
	client_max_body_size 2m;
	large_client_header_buffers 2 1k;
	server_names_hash_bucket_size 100;
	sendfile on;
	# tcp_nopush on;
	tcp_nodelay on;
	proxy_buffering off;
	keepalive_timeout 15;
	keepalive_requests 200;
	reset_timedout_connection on;
	client_body_timeout 10;
	send_timeout 5;
	server_tokens off;
	types_hash_max_size 2048;
	include /etc/nginx/mime.types;
	default_type application/octet-stream;
	access_log off;
	# access_log /www/logs/nginx.log;
	error_log /var/log/nginx/error.log;

	# TLS configuration based on:
	# https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1g&guideline=5.6
	# https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28recommended.29

	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;

	# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
	ssl_dhparam /etc/nginx/ffdhe2048.pem;

	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
	ssl_prefer_server_ciphers off;

	proxy_http_version 1.1;

	include /www/nginx/*.conf;
}