nginx.conf

# Configuration File - Nginx Server Configs
# https://nginx.org/en/docs/

# Run as a unique, less privileged user for security reasons.
# Default: nobody nobody
# https://nginx.org/en/docs/ngx_core_module.html#user
# https://en.wikipedia.org/wiki/Principle_of_least_privilege
user www-data;

# Sets the worker threads to the number of CPU cores available in the system for
# best performance. Should be > the number of CPU cores.
# Maximum number of connections = worker_processes * worker_connections
# Default: 1
# https://nginx.org/en/docs/ngx_core_module.html#worker_processes
worker_processes auto;

# custom_dan
worker_cpu_affinity auto;
worker_priority -10;
timer_resolution 100ms;
pcre_jit on;

# Maximum number of open files per worker process.
# Should be > worker_connections.
# Default: no limit
# https://nginx.org/en/docs/ngx_core_module.html#worker_rlimit_nofile
worker_rlimit_nofile 520000;

# Log errors and warnings to this file
# This is only used when you don't override it on a `server` level
# Default: logs/error.log error
# https://nginx.org/en/docs/ngx_core_module.html#error_log
error_log /var/log/nginx/error.log warn;

# The file storing the process ID of the main process
# Default: logs/nginx.pid
# https://nginx.org/en/docs/ngx_core_module.html#pid
pid /run/nginx.pid;

# Nginx Modules
include /etc/nginx/modules-enabled/*.conf;

# Provides the configuration file context in which the directives that affect
# connection processing are specified.
# https://nginx.org/en/docs/ngx_core_module.html#events
events {

  # If you need more connections than this, you start optimizing your OS.
  # That's probably the point at which you hire people who are smarter than you
  # as this is *a lot* of requests.
  # Should be < worker_rlimit_nofile.
  # Default: 512
  # https://nginx.org/en/docs/ngx_core_module.html#worker_connections
  worker_connections 300000;
  
  # custom_dan
  multi_accept on;
}

# Include files in the custom.d folder.
# Custom configuration and value files should be placed in the custom.d
# folder.
# The configurations should be disabled by prefixing files with a dot.
include custom.d/*.conf;

http {
  
# custom_dan
map_hash_bucket_size 128;
map_hash_max_size 4096;
server_names_hash_bucket_size 128;
server_names_hash_max_size 2048;
variables_hash_max_size 2048;
types_hash_max_size 2048;
resolver 127.0.0.1 valid=1d;
resolver_timeout 10s;
index index.php index.html index.htm;
msie_padding off;
max_ranges 1;
limit_rate_after 8m;
limit_rate       8m;

# Upstream Groups
upstream local_php {
  zone localphp_zone 256k;
  server 127.0.0.1:9000;
  keepalive 3;
}

  # Hide Nginx version information.
  include h5bp/security/server_software_information.conf;

  # Specify media (MIME) types for files.
  include h5bp/media_types/media_types.conf;

  # Set character encodings.
  include h5bp/media_types/character_encodings.conf;

  # Include $http_x_forwarded_for within default format used in log files
  # https://nginx.org/en/docs/http/ngx_http_log_module.html#log_format
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

  # Log access to this file
  # This is only used when you don't override it on a `server` level
  # Default: logs/access.log combined
  # https://nginx.org/en/docs/http/ngx_http_log_module.html#access_log
  access_log off;
  log_not_found off;

  # How long to allow each connection to stay idle.
  # Longer values are better for each individual client, particularly for SSL,
  # but means that worker connections are tied up longer.
  # Default: 75s
  # https://nginx.org/en/docs/http/ngx_http_core_module.html#keepalive_timeout
  keepalive_timeout 30s;
  keepalive_disable none;
  keepalive_requests 100000;

  # Speed up file transfers by using `sendfile()` to copy directly between
  # descriptors rather than using `read()`/`write()``.
  # For performance reasons, on FreeBSD systems w/ ZFS this option should be
  # disabled as ZFS's ARC caches frequently used files in RAM by default.
  # Default: off
  # https://nginx.org/en/docs/http/ngx_http_core_module.html#sendfile
  aio threads;
  aio_write on;
  sendfile on;

  # Don't send out partial frames; this increases throughput since TCP frames
  # are filled up before being sent out.
  # Default: off
  # https://nginx.org/en/docs/http/ngx_http_core_module.html#tcp_nopush
  tcp_nopush on;

  # custom_dan
  client_body_buffer_size 256k;
  client_body_timeout 30s;
  client_header_buffer_size 64k;
  client_header_timeout 30s;
  client_max_body_size 11m;
  directio 4m;
  directio_alignment 4096;
  large_client_header_buffers 8 64k;
  reset_timedout_connection on;
  
  # Enable gzip compression.
  include h5bp/web_performance/compression.conf;

  # Specify file cache expiration.
  include h5bp/web_performance/cache_expiration.conf;

  # Add Cache-Control.
  # h5bp/web_performance/cache-control.conf
  map $sent_http_content_type $cache_control {
    default                           "public, immutable, stale-while-revalidate";

    # No content
    ""                                "no-store";

    # Manifest files
    ~*application/manifest\+json      "public";
    ~*text/cache-manifest             ""; # `no-cache` (*)

    # Assets
    ~*image/svg\+xml                  "public, immutable, stale-while-revalidate";

    # Data interchange
    ~*application/(atom|rdf|rss)\+xml "public, stale-while-revalidate";

    # Custom Dan
    ~*application/octet-stream   "";

    # Documents
    ~*text/html                       "";
    ~*text/markdown                   "private, must-revalidate";
    ~*text/calendar                   "private, must-revalidate";

    # Data
    ~*json                            ""; # `no-cache` (*)
    ~*xml                             ""; # `no-cache` (*)
  }

  # Add X-Frame-Options for HTML documents.
  # h5bp/security/x-frame-options.conf
  map $sent_http_content_type $x_frame_options {
    ~*text/html SAMEORIGIN;
  }

  # Add Content-Security-Policy for HTML documents.
  # h5bp/security/content-security-policy.conf
  map $sent_http_content_type $content_security_policy {
    ~*text/(html|javascript)|application/pdf|xml "default-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'none'; object-src 'none'; upgrade-insecure-requests";
  }

  # Add Permissions-Policy for HTML documents.
  # h5bp/security/permissions-policy.conf
  map $sent_http_content_type $permissions_policy {
    ~*text/(html|javascript)|application/pdf|xml "accelerometer=(),autoplay=(),browsing-topics=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(self),usb=(),web-share=(),xr-spatial-tracking=()";
  }

  # Add Referrer-Policy for HTML documents.
  # h5bp/security/referrer-policy.conf
  map $sent_http_content_type $referrer_policy {
    ~*text/(css|html|javascript)|application\/pdf|xml "strict-origin-when-cross-origin";
  }

  # Add Cross-Origin-Policies for HTML documents.
  # h5bp/security/cross-origin-policy.conf
  # Cross-Origin-Embedder-Policy
  map $sent_http_content_type $coep_policy {
    ~*text/(html|javascript)|application/pdf|xml "require-corp";
  }
  # Cross-Origin-Opener-Policy
  map $sent_http_content_type $coop_policy {
    ~*text/(html|javascript)|application/pdf|xml "same-origin";
  }
  # Cross-Origin-Resource-Policy
  map $sent_http_content_type $corp_policy {
    ~*text/(html|javascript)|application/pdf|xml "same-origin";
  }

  # Add Access-Control-Allow-Origin.
  # h5bp/cross-origin/requests.conf
  map $sent_http_content_type $cors {
    # Images
    ~*image/                        "*";
    ~*application/javascript        "*";

    # Web fonts
    ~*font/                         "*";
    ~*application/vnd.ms-fontobject "*";
    ~*application/x-font-ttf        "*";
    ~*application/font-woff         "*";
    ~*application/x-font-woff       "*";
    ~*application/font-woff2        "*";
  }

# Include files in the http.d folder.
# The configurations should be disabled by prefixing files with a dot.
include http.d/*.conf;

  # Include files in the conf.d folder.
  # `server` configuration files should be placed in the conf.d folder.
  # The configurations should be disabled by prefixing files with a dot.
  include conf.d/*.conf;

}