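#extra config End

# Main nginx configuration: one worker, epoll event loop, a hardened http{}
# context (TLS 1.3 only, verified upstream TLS, response security headers)
# and per-site files pulled in from /opt/nginx/etc/conf.d/.
#
# Third-party modules this file depends on: headers-more (more_set_headers)
# and ngx_brotli (brotli*, brotli_static). nginx will refuse to start if they
# are not compiled in or loaded.

# `user` is left commented out, so when the master is started by root the
# workers run as the build's default unprivileged account.
# NOTE(review): confirm that account can write /opt/nginx/logs and
# /opt/nginx/tmp and nothing else.
#user me;
#quic_bpf on;

worker_processes 1;
error_log /opt/nginx/logs/error.log warn;
pid /opt/nginx/tmp/nginx.pid;
pcre_jit on;
timer_resolution 100ms;

events {
    use epoll;
    worker_aio_requests 128;
    worker_connections 5120;
    multi_accept on;
}

http {
    include mime.types;
    charset utf-8;
    default_type application/octet-stream;

    client_body_temp_path /opt/nginx/tmp/client_temp;
    proxy_temp_path /opt/nginx/tmp/proxy;

    # Upstream (proxied) TLS: verify the backend certificate against the
    # system CA bundle and send SNI so the backend presents the right cert.
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_ssl_server_name on;
    proxy_ssl_verify on;

    # $http_referer, $http_user_agent and $http_x_forwarded_for are
    # client-controlled; treat them as untrusted in anything that parses
    # this log.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /opt/nginx/logs/access.log main;

    sendfile on;
    aio threads;
    aio_write on;
    tcp_nopush on;
    tcp_nodelay on;

    # __DNS_SERVER__ is a template placeholder and must be substituted before
    # nginx loads this file. Point it at a resolver on a trusted network:
    # answers drive both upstream name resolution and OCSP stapling lookups.
    # valid=5s overrides the TTL returned by the resolver.
    resolver __DNS_SERVER__ valid=5s;
    resolver_timeout 5s;

    open_file_cache max=1000 inactive=20s;
    open_file_cache_valid 30s;
    open_file_cache_min_uses 2;
    open_file_cache_errors on;

    # Client-side limits. Short header/keepalive timeouts bound idle
    # connections; the body limits are generous (500 MB, and 600 s allowed
    # between successive body reads), so every upload can hold a connection
    # and temp-file space for a long time.
    # NOTE(review): if only some locations need large uploads, consider
    # lowering these here and raising them per location.
    keepalive_timeout 15s;
    send_timeout 60s;
    client_header_timeout 15s;
    client_body_timeout 600s;
    client_max_body_size 500m;
    client_body_buffer_size 8K;
    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;
    output_buffers 5 8m;
    read_ahead 256k;
    keepalive_disable msie6;

    # Refuse to serve a path when a symlink in it and its target have
    # different owners.
    disable_symlinks if_not_owner;
    if_modified_since before;
    reset_timedout_connection on;

    # Version hiding / Server header replacement is cosmetic, not a control.
    server_tokens off;
    more_set_headers 'Server: AmazingFromHere';

    # Response security headers.
    more_set_headers 'X-Frame-Options: SAMEORIGIN';
    more_set_headers 'X-Content-Type-Options: nosniff';
    # NOTE(review): the browser XSS filter this header controls has been
    # removed from current browsers, and current OWASP guidance is to send
    # `X-XSS-Protection: 0` and rely on a Content-Security-Policy instead.
    # Value left as the author set it; revisit.
    more_set_headers 'X-XSS-Protection: 1; mode=block';
    # NOTE(review): no Strict-Transport-Security or Content-Security-Policy
    # header is set in this file; confirm the vhosts under conf.d/ set them.

    # Downstream TLS: TLS 1.3 only. Session tickets are disabled, so
    # resumption relies on the server-side session cache.
    ssl_protocols TLSv1.3;
    ssl_ecdh_curve X25519:P-521:P-384;
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    ssl_prefer_server_ciphers on;
    ssl_session_cache builtin:1000 shared:SSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Compression. Caveat: compressing TLS responses that both reflect
    # request input and contain secrets (CSRF tokens, session data) exposes
    # them to compression side-channel attacks (BREACH). gzip_proxied any
    # also compresses responses to proxied requests. Static assets are fine;
    # consider disabling gzip/brotli on dynamic locations that carry secrets.
    gzip_static on;
    gzip on;
    gzip_comp_level 5;
    gzip_min_length 512;
    gzip_proxied any;
    gzip_vary on;
    gzip_disable "msie6";
    # The original list contained the fused token `text/plaintext/xsd`, which
    # is not a MIME type and never matches; it is split here into `text/xsd`
    # (text/plain is already the first entry).
    gzip_types text/plain text/css text/x-component text/javascript
               application/x-javascript application/javascript text/x-js
               image/svg+xml text/xsd text/xsl text/xml application/xml
               application/rss+xml application/json font/truetype
               font/opentype application/x-font-otf application/x-font-ttf
               application/vnd.ms-opentype application/vnd.ms-fontobject
               application/font-woff application/font-woff2 audio/ogg
               application/pdf image/bmp image/x-icon image/webp image/tiff
               audio/wav;

    brotli_static on;
    brotli on;
    # Same list as gzip_types, with the same `text/plaintext/xsd` fix.
    brotli_types text/plain text/css text/x-component text/javascript
                 application/x-javascript application/javascript text/x-js
                 image/svg+xml text/xsd text/xsl text/xml application/xml
                 application/rss+xml application/json font/truetype
                 font/opentype application/x-font-otf application/x-font-ttf
                 application/vnd.ms-opentype application/vnd.ms-fontobject
                 application/font-woff application/font-woff2 audio/ogg
                 application/pdf image/bmp image/x-icon image/webp image/tiff
                 audio/wav;

    # Per-site server{} blocks. Everything above is inherited by them unless
    # overridden, so review these files together with this one.
    include /opt/nginx/etc/conf.d/*.conf;
}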