###
## This file comes with the "Angie modules" on https://deb.paranoid.nl/angie-modules
## It contains various optimizations, examples and tweaks.
####

user www-data;

worker_processes auto;
worker_rlimit_nofile 10000;

pid /run/angie.pid;
include /etc/angie/modules-enabled/*.conf;

pcre_jit on;

events {
    worker_connections 8192;  # this can go as high as ulimit -n
    multi_accept on;
    use epoll;
}

http {

    ##
    # Basic Settings
    ##

    aio threads;
    aio_write on;
    sendfile on;
    directio 256k;
    sendfile_max_chunk 256k;

    tcp_nopush on;
    tcp_nodelay on;

    include /etc/angie/mime.types;
    server_name_in_redirect off; # if off, angie will use the requested Host header
    source_charset utf-8; # same value as "charset"


    ###
    ## Enable security_headers only if you installed/enabled the module
    ###
    #  security_headers on;


    ###
    ## Enable other security headers.
    ###
    #  hide_server_tokens on;
    #  fastcgi_hide_header X-Powered-By;
    #  server_tokens off;

    ##
    # Optimizing TLS over TCP to reduce latency (Cloudflare patch)
    ##
    # ssl_dyn_rec_enable on;

    ##
    # Enable HTTP2 and HTTP3
    #
    http2 on;
    #http3 on;

    ##
    # SSL Settings
    ##

    # Enable only if you are running on a openssl3 build and kernel 4.17 or higher
    # You need to do `modprobe tls` to load the kernel TLS module
    #ssl_conf_command Options KTLS;

    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;

    ssl_dhparam /etc/angie/dhparam.pem;
    ssl_ecdh_curve secp521r1:secp384r1;
    ssl_session_tickets off;
    ssl_early_data on;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1440m;

    # OCSP Stapling
    # fetch OCSP records from URL in ssl_certificate and cache them
    # Please enter your own nameservers for security
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300;

    ##
    # Logging Settings
    ##

    ## Log Format
    log_format main '$remote_addr $host $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $ssl_cipher $request_time';

    access_log /var/log/angie/access.log;
    error_log /var/log/angie/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_min_length 250;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Brotli settings  (Please load module first!)
    ##
    #brotli on;
    #brotli_comp_level 4;
    #brotli_buffers 32 8k;
    #brotli_min_length 1000;
    #brotli_static on;
    #brotli_types image/svg+xml text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript image/x-icon;

    ##
    # ZSTD Settings (Please load module first!)
    ##
    #zstd on;
    #zstd_min_length 256; # no less than 256 bytes
    #zstd_comp_level 3; # set the level to #
    #zstd_buffers 32 8k;
    #zstd_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/ xml+rss text/javascript image/x-icon;


    ###
    ## Miscellaneous
    ###

    # cache informations about FDs, frequently accessed files
    # can boost performance, but you need to test those values
    #open_file_cache max=200000 inactive=20s;
    #open_file_cache_valid 30s;
    #open_file_cache_min_uses 2;
    #open_file_cache_errors on;

    server_names_hash_bucket_size 256;
    server_names_hash_max_size 2048;
    variables_hash_bucket_size 256;
    variables_hash_max_size 2048;
    map_hash_max_size 2048;
    map_hash_bucket_size 256;

    #postpone_output 1440;    # postpone sends to match our machine's MSS
    read_ahead 512K;          # kernel read head set to the output_buffers
    output_buffers 4 512k;   

    # Buffer size for POST submissions
    client_body_buffer_size 80K;
    client_max_body_size 16m;

    # Buffer size for Headers
    client_header_buffer_size 1k;

    # Timeouts, do not keep connections open longer then necessary to reduce
    # resource usage and deny Slowloris type attacks.
    client_body_timeout 12;  # maximum time between packets the client can pause when sending angie any data
    client_header_timeout 12;# maximum time the client has to send the entire header to ngin 
    keepalive_timeout 15;    # timeout which a single keep-alive client connection will stay open
    keepalive_disable none;  # allow all browsers to use keepalive connections
    keepalive_requests 5000; # number of requests per connection, does not affect SPDY
    reset_timedout_connection on; # Allow the server to close the connection after a client stops responding.
    send_timeout 12;

    ##
    # Virtual Host Configs
    ##

    include /etc/angie/conf.d/*.conf;
    include /etc/angie/sites-enabled/*;
}

#mail {
#	# See sample authentication script at:
#	# http://wiki.angie.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}