load_module "/usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so";
worker_processes auto;
user nginx nginx;
pcre_jit on;

events {
	worker_connections 1024;
}

http {
	# Performance optimisation
	sendfile on;
	tcp_nopush on;

	# Correct Content-Type header
	charset utf-8;
	default_type text/plain;
	include inc/types.conf;

	# Serve file.gz instead of file if available
	gzip_static on;

	# Logging
	error_log /var/log/nginx/error.log notice;
	access_log off;

	# Disable useless/dangerous features
	etag off;
	server_tokens off;
	more_clear_headers "Server";

	# Delete unused request headers
	more_clear_input_headers "User-Agent";
	more_clear_input_headers "Referer";
	more_clear_input_headers "From";
	more_clear_input_headers "DNT";

	# Basic security headers
	more_set_headers "Referrer-Policy : no-referrer";
	more_set_headers "Strict-Transport-Security : max-age=31536000";
	more_set_headers "X-Content-Type-Options : nosniff";

	# TLS
	ssl_protocols TLSv1.3 TLSv1.2;
	ssl_ciphers ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384;
	ssl_ecdh_curve X25519:X448:prime256v1;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;

	# OCSP Stapling
	#ssl_stapling on;
	#ssl_stapling_verify on;
	#ssl_trusted_certificate /etc/letsencrypt/live/servnest.test/chain.pem;

	# Include other configuration
	include sites/*.conf;

	absolute_redirect off;
	server_names_hash_bucket_size 128;
}