nginx.conf

# -*- Mode: nginx; coding: utf-8; tab-width: 4; indent-tabs-mode: s; -*-

#----------------------------------------------------------------------
# Core Module - global directives
#
#   http://nginx.org/en/docs/ngx_core_module.html
#
#----------------------------------------------------------------------
user                    nginx;  # assuming user exists on system
worker_processes        auto;   # auto-scale to available cores on machine
worker_rlimit_nofile    8192;   # set e.g. `nofile 16000` in `/etc/security/limits.d/*`
timer_resolution        100ms;  # reduce `timeofday()` syscalls
pcre_jit                on;     # requires pcre v8.2+, http://nginx.org/en/docs/ngx_core_module.html#pcre_jit
thread_pool             default threads=32 max_queue=65536;

error_log  /var/log/nginx/error.log;

pid        /run/nginx.pid;

events {
    # use epoll;
    # worker_aio_requests 64; # default 32
    worker_connections  4096; # affected by worker_rlimit_nofile
    # accept_mutex on; # default: on
    # multi_accept on; # worker accepts all new connections, not one by one
}

#----------------------------------------------------------------------
# HTTP Core Module
#
#   http://nginx.org/en/docs/http/ngx_http_core_module.html
#
#----------------------------------------------------------------------
http {
    # mime-type and character set handling defaults
    include         mime.types;
    default_type    application/octet-stream;
    charset         utf-8;
    charset_types   text/xml text/plain text/vnd.wap.wml application/x-javascript application/rss+xml text/css application/javascript application/json;

    # http://nginx.org/en/docs/hash.html
    server_names_hash_bucket_size   64;
    server_names_hash_max_size      1024;
    types_hash_bucket_size          128;
    types_hash_max_size             2048;
    variables_hash_bucket_size      64;
    variables_hash_max_size         1024;

    log_format  main  '$remote_addr - - [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log main buffer=32k;

    # basic sanity checks
    server_tokens           off; # don't send server version in headers
    ignore_invalid_headers  on;
    underscores_in_headers  off;

    # high-throughput bias
    sendfile                    on; # default: off, use `sendfile` syscall when sending files
    tcp_nodelay                 on; # default: on, set `TCP_NODELAY` option, requires keepalive
    tcp_nopush                  on; # default: off, set `TCP_CORK` option, requires sendfile
    reset_timedout_connection   on; # default: off, close connections in `FIN_WAIT1` state faster

    # resolver 208.67.222.222 208.67.220.220 valid=300s; # opendns 
    # resolver 8.8.8.8 8.8.4.4 valid=300s; # google 

    # Load misc config definitions
    include conf.d/*.conf;

    # Load enabled vhosts/sites 
    include sites-enabled/*.conf;

    # catchall server: no Host-header is present, or no server_name matches
    # this effectively prevents requests by ip-address only
    server {
        listen 80 default_server;
        server_name "";
        access_log off;
        keepalive_timeout 0;
        server_name_in_redirect off;
        return 444;
    }
}