mmangione/README.md

## README.md

      
    Raw
  

              README.md
            
          
    The Most Boring nginx.conf

These configs describe the way your default nginx proxy ought to be configured. Because you almost certainly want:

standard HTTPS -> HTTP proxy caching, using conditional GETs
to upgrade all HTTP connections to HTTPS
to follow Mozilla's TLS recomendations
SPDY support if the client supports it
to support proxying WebSockets
to provide X-Real-IP, X-Forwarded-For & X-Forwarded-Proto
to avoid rewriting hostnames when proxying
pids, logs, caches & documents in LSB standard locations
to have unknown file types be downloaded, not displayed in-browser
UTF-8 as your default character set
compression for common text content types
to use sendfile(2) and TCP_NOPUSH/TCP_CORK
to minimize server fingerprinting


## nginx.conf
# nginx.conf - base config for nginx web server
#   This file is written by config management:
#        ANY CHANGES WILL BE OVERWRITTEN

# This file includes all nginx default directive values in comments.
# Non-default settings should explain why they are made, ideally
# including business value and ticket number. This file is not the
# place document what any particular directive does. Documentation
# for all directives lives at http://nginx.org/en/docs/dirindex.html

# daemon on;
# user nobody nobody; # nginx default
user www-data; # debian default, allow writing files
# pid nginx.pid;
pid /var/run/nginx.pid; # LSB
# lock_file logs/nginx.lock;
# working_directory -;
# env TZ;

# error_log logs/error.log error; # nginx default
error_log /var/log/nginx/error.log; # debian default, LSB

# debug_points -;
# pcre_jit off;
# ssl_engine -;
# timer_resolution -;

# master_process on;
# worker_cpu_affinity -;
# worker_priority 0;
# worker_processes 1; # nginx default
# worker_processes 4; # debian default
# worker_processes auto; # v1.3.8+, do not require uniq config for different sized servers
# worker_rlimit_core -;
# worker_rlimit_nofile -;
# worker_rlimit_sigpending -;

events {
  # accept_mutex on;
  # accept_mutex_delay  500ms;
  # debug_connection -;
  # multi_accept off;
  # use -; # autoselect fastest
  # worker_aio_requests 32;
  # worker_connections 512; # nginx default
  # worker_connections 768; # debian default
}

http {
  ## Content ##
  # error_page -;
  # disable_symlinks off;
  # recursive_error_pages off;
  # root html;
  root /var/www; # LSB
  # satisfy all;
  # satisfy_any off;
  # types {
  #   text/html  html;
  #   image/gif  gif;
  #   image/jpeg jpg;
  # }
  include mime.types;
  # default_type text/plain; # nginx default
  default_type  application/octet-stream; # debian default, download files, don't display in-browser as text
  # charset off;
  charset utf-8; # when in doubt, UTF-8

  ## GZip ##
  # gzip off; # nginx default
  gzip on; # debian default
  # gzip_disable -;
  gzip_disable msie6; # support msie6 users ;_;
  # gzip_vary off;
  gzip_vary on; # Vary: Accept-Encoding is good HTTP
  # gzip_proxied off;
  gzip_proxied any; # Assume proxies are not broken
  # gzip_comp_level 1;
  gzip_comp_level 6; # default for gzip command
  # gzip_min_length 20;
  # gzip_buffers 32 4k|16 8k;
  # gzip_http_version 1.1;
  # gzip_types text/html;
  gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; # common text context types

  ## Body ##
  # client_max_body_size 1m;
  # client_body_in_file_only off;
  # client_body_temp_path client_body_temp;
  # client_body_timeout 60s;

  ## Headers ##
  # etag on;
  # if_modified_since exact;
  if_modified_since before; # intelligent IfModifiedSince is good HTTP
  # server_tokens on;
  server_tokens off; # reduce server fingerprinting
  # client_header_timeout 60s;
  # port_in_redirect on;
  # server_name_in_redirect off;
  # underscores_in_headers off;
  # ignore_invalid_headers on;

  ## HTTP ##
  # chunked_transfer_encoding on;
  # keepalive_disable msie6;
  # keepalive_requests 100;
  # keepalive_timeout 75s; # nginx default
  # keepalive_timeout 65s; # debian default
  # merge_slashes on;
  # msie_padding on;
  # msie_refresh off;

  ## SSL ##
  # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_protocols TLSv1.1 TLSv1.2; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
  # ssl_ciphers HIGH:!aNULL:!MD5; # nginx
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
  # ssl_prefer_server_ciphers off;
  ssl_prefer_server_ciphers on; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  # ssl_ecdh_curve prime256v1;
  # ssl_stapling off;
  ssl_stapling on; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
  # ssl_stapling_verify off;
  ssl_stapling_verify on; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
  # ssl_trusted_certificate -;
  # ssl_session_tickets on;
  # ssl_session_ticket_key -;
  # ssl_session_cache none;
  ssl_session_cache shared:SSL:10m; # nginx recomendation
  # ssl_session_timeout 5m;
  ssl_session_timeout 10m; # nginx recomendation
  # ssl_verify_client off;
  # ssl_verify_depth 1;
  # ssl_client_certificate -;
  # ssl_crl -;
  # ssl_buffer_size 16k;
  # ssl_password_file -;

  ## Logging ##
  # log_not_found on;
  #
  # log_format combined '$remote_addr - $remote_user [$time_local] '
  #                     '"$request" $status $body_bytes_sent '
  #                     '"$http_referer" "$http_user_agent"';
  # access_log logs/access.log combined; # nginx default
  access_log /var/log/nginx/access.log; # debian default, LSB
  # access_log syslog:server=unix:/dev/log; # v1.7.1+, syslog
  # log_subrequest off;
  # open_log_file_cache off;
  # error_log logs/error.log error; # nginx default
  # error_log /var/log/nginx/error.log; # debian default
  # error_log syslog:server=unix:/dev/log; # v1.7.1+, syslog

  ## System Calls ##
  # aio off;
  # aio sendfile; # FreeBSD only
  # directio off;
  # directio_alignment 512;
  # sendfile off; # nginx default
  sendfile on; # debian default, less memory usage for small files
  # read_ahead 0;
  # send_lowat 0;
  # sendfile_max_chunk 0;

  ## Network stack ##
  # tcp_nodelay on;
  # tcp_nopush off; # nginx default
  tcp_nopush on; # debian default
  # reset_timedout_connection off;
  # resolver -;
  resolver 8.8.4.4 8.8.8.8 valid=300s; # for ocsp stapling
  # resolver_timeout 30s;

  ## Memory ##
  # client_body_buffer_size 16k;
  # client_body_in_single_buffer off;
  # client_header_buffer_size 1k;
  # large_client_header_buffers 4 8k;
  # output_buffers 1 32k;
  # open_file_cache off;
  # open_file_cache_errors off;
  # open_file_cache_min_uses 1;
  # open_file_cache_valid 60s;
  # request_pool_size 4k;
  # server_names_hash_bucket_size 32|64|128;
  # server_names_hash_max_size 512;
  # types_hash_bucket_size 64;
  # types_hash_max_size 1024;
  # variables_hash_bucket_size 64;
  # variables_hash_max_size 1024;

  ## System Tunables ##
  # connection_pool_size 256;
  # limit_rate 0;
  # limit_rate_after 0;
  # lingering_close on;
  # lingering_time 30s;
  # lingering_timeout 5s;
  # postpone_output 1460;
  # send_timeout 60s;

  ## Proxy Features ##
  # proxy_buffering on;
  # proxy_cache off;
  proxy_cache CACHE;
  # proxy_cache_convert_head on;
  # proxy_cache_key $scheme$proxy_host$request_uri;
  # proxy_cache_lock off;
  # proxy_cache_methods GET HEAD;
  # proxy_cache_path {path} keys_zone={zone}:{size} use_temp_path=on
  #                  inactive=10m loader_files=100 loader_sleep=50ms
  #                  loader_threshold=200ms;
  proxy_cache_path /var/lib/nginx/cache keys_zone=CACHE:10m; # ~80k keys
  # proxy_cache_revalidate off;
  proxy_cache_revalidate on; # Conditional GETs are good HTTP
  # proxy_cache_use_stale off;
  proxy_cache_use_stale  error timeout invalid_header updating
                         http_500 http_502 http_503 http_504;
  # proxy_cookie_domain off;
  # proxy_cookie_path off;
  # proxy_force_ranges off;
  # proxy_http_version 1.0;
  proxy_http_version 1.1; # recomended for keepalive conns
  # proxy_ignore_client_abort off;
  # proxy_intercept_errors off;
  # proxy_next_upstream error timeout;
  proxy_next_upstream  error timeout invalid_header
                       http_500 http_502 http_503 http_504;
  # proxy_request_buffering on;
  # proxy_store off;
  # proxy_store_access user:rw;
  # proxy_temp_path proxy_temp;

  ## Proxy Tuning ##
  # proxy_buffer_size 4k|8k;
  # proxy_buffers 8 4k|8k;
  # proxy_busy_buffers_size 8k|16k;
  # proxy_cache_lock_age 5s;
  # proxy_cache_lock_timeout 5s;
  # proxy_connect_timeout 60s;
  # proxy_headers_hash_bucket_size 64;
  # proxy_headers_hash_max_size 512;
  # proxy_limit_rate 0;
  # proxy_max_temp_file_size 1024m;
  # proxy_min_uses 1;
  # proxy_next_upstream_timeout 0;
  # proxy_next_upstream_tries 0;
  # proxy_read_timeout 60s;
  # proxy_send_timeout 60s;
  # proxy_temp_file_write_size 16k;

  ## Proxy SSL ##
  # proxy_ssl_ciphers DEFAULT;
  # proxy_ssl_name $proxy_host;
  # proxy_ssl_server_name off;
  # proxy_ssl_session_reuse on;
  # proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # proxy_ssl_verify off;
  # proxy_ssl_verify_depth 1;

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
}

## vhost-https.conf
# vhost-https.conf - https vhost config for nginx web server
#   This file is written by config management:
#        ANY CHANGES WILL BE OVERWRITTEN

# This file includes all nginx default directive values in comments.
# Non-default settings should explain why they are made, ideally
# including business value and ticket number. This file is not the
# place document what any particular directive does. Documentation
# for all directives lives at http://nginx.org/en/docs/dirindex.html

server {
  # listen *:80;
  server_name {fqdn};
  rewrite ^(.*) https://$host$1 permanent;
}

server {
  # listen *:80;
  listen 443 ssl spdy;
  # server_name "";
  server_name  {fqdn};

  # ssl_certificate -;
  ssl_certificate /etc/nginx/ssl/crt.pem;
  # ssl_certificate_key -;
  ssl_certificate_key  /etc/nginx/ssl/key.pem;

  add_header Strict-Transport-Security max-age=15724800; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility

  location / {
    # alias {path};
    # internal;
    # limit_except method {};

    # try_files {file ...} uri;

    proxy_pass http://http_backend;
    # proxy_set_header Host $proxy_host;
    proxy_set_header Host $host;
    # proxy_set_header Connection close;
    proxy_set_header Connection "upgrade"; # websocket http://nginx.org/en/docs/http/websocket.html
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-NginX-Proxy true;
    proxy_set_header Upgrade $http_upgrade; # websocket http://nginx.org/en/docs/http/websocket.html

    # proxy_redirect default;
    proxy_redirect off;
    # proxy_intercept_errors off;

    # proxy_pass_request_body on;
    # proxy_pass_request_headers on;
  }
}

upstream http_backend {
  # server {addr}:{port} weight=1 max_fails=1 fail_timeout=10s max_conns=0 slow_start=0;
  server 127.0.0.1:8080;
  # zone {name} [{size}];
  # hash {key} [consistent];
  # keepalive {connections};
  # ip_hash; # disabled
  # least_conn; # disabled
}

## vhost-status.conf
# vhost-status.conf - nginx status vhost
#   This file is written by config management:
#        ANY CHANGES WILL BE OVERWRITTEN

# This file includes all nginx default directive values in comments.
# Non-default settings should explain why they are made, ideally
# including business value and ticket number. This file is not the
# place document what any particular directive does. Documentation
# for all directives lives at http://nginx.org/en/docs/dirindex.html

server {
  # listen *:80;
  listen 127.0.0.1:80;
  location /status {
    stub_status;
  }
}
	# nginx.conf - base config for nginx web server
	# This file is written by config management:
	# ANY CHANGES WILL BE OVERWRITTEN

	# This file includes all nginx default directive values in comments.
	# Non-default settings should explain why they are made, ideally
	# including business value and ticket number. This file is not the
	# place document what any particular directive does. Documentation
	# for all directives lives at http://nginx.org/en/docs/dirindex.html

	# daemon on;
	# user nobody nobody; # nginx default
	user www-data; # debian default, allow writing files
	# pid nginx.pid;
	pid /var/run/nginx.pid; # LSB
	# lock_file logs/nginx.lock;
	# working_directory -;
	# env TZ;

	# error_log logs/error.log error; # nginx default
	error_log /var/log/nginx/error.log; # debian default, LSB

	# debug_points -;
	# pcre_jit off;
	# ssl_engine -;
	# timer_resolution -;

	# master_process on;
	# worker_cpu_affinity -;
	# worker_priority 0;
	# worker_processes 1; # nginx default
	# worker_processes 4; # debian default
	# worker_processes auto; # v1.3.8+, do not require uniq config for different sized servers
	# worker_rlimit_core -;
	# worker_rlimit_nofile -;
	# worker_rlimit_sigpending -;

	events {
	# accept_mutex on;
	# accept_mutex_delay 500ms;
	# debug_connection -;
	# multi_accept off;
	# use -; # autoselect fastest
	# worker_aio_requests 32;
	# worker_connections 512; # nginx default
	# worker_connections 768; # debian default
	}

	http {
	## Content ##
	# error_page -;
	# disable_symlinks off;
	# recursive_error_pages off;
	# root html;
	root /var/www; # LSB
	# satisfy all;
	# satisfy_any off;
	# types {
	# text/html html;
	# image/gif gif;
	# image/jpeg jpg;
	# }
	include mime.types;
	# default_type text/plain; # nginx default
	default_type application/octet-stream; # debian default, download files, don't display in-browser as text
	# charset off;
	charset utf-8; # when in doubt, UTF-8

	## GZip ##
	# gzip off; # nginx default
	gzip on; # debian default
	# gzip_disable -;
	gzip_disable msie6; # support msie6 users ;_;
	# gzip_vary off;
	gzip_vary on; # Vary: Accept-Encoding is good HTTP
	# gzip_proxied off;
	gzip_proxied any; # Assume proxies are not broken
	# gzip_comp_level 1;
	gzip_comp_level 6; # default for gzip command
	# gzip_min_length 20;
	# gzip_buffers 32 4k\|16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/html;
	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript; # common text context types

	## Body ##
	# client_max_body_size 1m;
	# client_body_in_file_only off;
	# client_body_temp_path client_body_temp;
	# client_body_timeout 60s;

	## Headers ##
	# etag on;
	# if_modified_since exact;
	if_modified_since before; # intelligent IfModifiedSince is good HTTP
	# server_tokens on;
	server_tokens off; # reduce server fingerprinting
	# client_header_timeout 60s;
	# port_in_redirect on;
	# server_name_in_redirect off;
	# underscores_in_headers off;
	# ignore_invalid_headers on;

	## HTTP ##
	# chunked_transfer_encoding on;
	# keepalive_disable msie6;
	# keepalive_requests 100;
	# keepalive_timeout 75s; # nginx default
	# keepalive_timeout 65s; # debian default
	# merge_slashes on;
	# msie_padding on;
	# msie_refresh off;

	## SSL ##
	# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_protocols TLSv1.1 TLSv1.2; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
	# ssl_ciphers HIGH:!aNULL:!MD5; # nginx
	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
	# ssl_prefer_server_ciphers off;
	ssl_prefer_server_ciphers on; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
	ssl_dhparam /etc/nginx/ssl/dhparam.pem;
	# ssl_ecdh_curve prime256v1;
	# ssl_stapling off;
	ssl_stapling on; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
	# ssl_stapling_verify off;
	ssl_stapling_verify on; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
	# ssl_trusted_certificate -;
	# ssl_session_tickets on;
	# ssl_session_ticket_key -;
	# ssl_session_cache none;
	ssl_session_cache shared:SSL:10m; # nginx recomendation
	# ssl_session_timeout 5m;
	ssl_session_timeout 10m; # nginx recomendation
	# ssl_verify_client off;
	# ssl_verify_depth 1;
	# ssl_client_certificate -;
	# ssl_crl -;
	# ssl_buffer_size 16k;
	# ssl_password_file -;

	## Logging ##
	# log_not_found on;
	#
	# log_format combined '$remote_addr - $remote_user [$time_local] '
	# '"$request" $status $body_bytes_sent '
	# '"$http_referer" "$http_user_agent"';
	# access_log logs/access.log combined; # nginx default
	access_log /var/log/nginx/access.log; # debian default, LSB
	# access_log syslog:server=unix:/dev/log; # v1.7.1+, syslog
	# log_subrequest off;
	# open_log_file_cache off;
	# error_log logs/error.log error; # nginx default
	# error_log /var/log/nginx/error.log; # debian default
	# error_log syslog:server=unix:/dev/log; # v1.7.1+, syslog

	## System Calls ##
	# aio off;
	# aio sendfile; # FreeBSD only
	# directio off;
	# directio_alignment 512;
	# sendfile off; # nginx default
	sendfile on; # debian default, less memory usage for small files
	# read_ahead 0;
	# send_lowat 0;
	# sendfile_max_chunk 0;

	## Network stack ##
	# tcp_nodelay on;
	# tcp_nopush off; # nginx default
	tcp_nopush on; # debian default
	# reset_timedout_connection off;
	# resolver -;
	resolver 8.8.4.4 8.8.8.8 valid=300s; # for ocsp stapling
	# resolver_timeout 30s;

	## Memory ##
	# client_body_buffer_size 16k;
	# client_body_in_single_buffer off;
	# client_header_buffer_size 1k;
	# large_client_header_buffers 4 8k;
	# output_buffers 1 32k;
	# open_file_cache off;
	# open_file_cache_errors off;
	# open_file_cache_min_uses 1;
	# open_file_cache_valid 60s;
	# request_pool_size 4k;
	# server_names_hash_bucket_size 32\|64\|128;
	# server_names_hash_max_size 512;
	# types_hash_bucket_size 64;
	# types_hash_max_size 1024;
	# variables_hash_bucket_size 64;
	# variables_hash_max_size 1024;

	## System Tunables ##
	# connection_pool_size 256;
	# limit_rate 0;
	# limit_rate_after 0;
	# lingering_close on;
	# lingering_time 30s;
	# lingering_timeout 5s;
	# postpone_output 1460;
	# send_timeout 60s;

	## Proxy Features ##
	# proxy_buffering on;
	# proxy_cache off;
	proxy_cache CACHE;
	# proxy_cache_convert_head on;
	# proxy_cache_key $scheme$proxy_host$request_uri;
	# proxy_cache_lock off;
	# proxy_cache_methods GET HEAD;
	# proxy_cache_path {path} keys_zone={zone}:{size} use_temp_path=on
	# inactive=10m loader_files=100 loader_sleep=50ms
	# loader_threshold=200ms;
	proxy_cache_path /var/lib/nginx/cache keys_zone=CACHE:10m; # ~80k keys
	# proxy_cache_revalidate off;
	proxy_cache_revalidate on; # Conditional GETs are good HTTP
	# proxy_cache_use_stale off;
	proxy_cache_use_stale error timeout invalid_header updating
	http_500 http_502 http_503 http_504;
	# proxy_cookie_domain off;
	# proxy_cookie_path off;
	# proxy_force_ranges off;
	# proxy_http_version 1.0;
	proxy_http_version 1.1; # recomended for keepalive conns
	# proxy_ignore_client_abort off;
	# proxy_intercept_errors off;
	# proxy_next_upstream error timeout;
	proxy_next_upstream error timeout invalid_header
	http_500 http_502 http_503 http_504;
	# proxy_request_buffering on;
	# proxy_store off;
	# proxy_store_access user:rw;
	# proxy_temp_path proxy_temp;

	## Proxy Tuning ##
	# proxy_buffer_size 4k\|8k;
	# proxy_buffers 8 4k\|8k;
	# proxy_busy_buffers_size 8k\|16k;
	# proxy_cache_lock_age 5s;
	# proxy_cache_lock_timeout 5s;
	# proxy_connect_timeout 60s;
	# proxy_headers_hash_bucket_size 64;
	# proxy_headers_hash_max_size 512;
	# proxy_limit_rate 0;
	# proxy_max_temp_file_size 1024m;
	# proxy_min_uses 1;
	# proxy_next_upstream_timeout 0;
	# proxy_next_upstream_tries 0;
	# proxy_read_timeout 60s;
	# proxy_send_timeout 60s;
	# proxy_temp_file_write_size 16k;

	## Proxy SSL ##
	# proxy_ssl_ciphers DEFAULT;
	# proxy_ssl_name $proxy_host;
	# proxy_ssl_server_name off;
	# proxy_ssl_session_reuse on;
	# proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# proxy_ssl_verify off;
	# proxy_ssl_verify_depth 1;

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}
	# vhost-https.conf - https vhost config for nginx web server
	# This file is written by config management:
	# ANY CHANGES WILL BE OVERWRITTEN

	# This file includes all nginx default directive values in comments.
	# Non-default settings should explain why they are made, ideally
	# including business value and ticket number. This file is not the
	# place document what any particular directive does. Documentation
	# for all directives lives at http://nginx.org/en/docs/dirindex.html

	server {
	# listen *:80;
	server_name {fqdn};
	rewrite ^(.*) https://$host$1 permanent;
	}

	server {
	# listen *:80;
	listen 443 ssl spdy;
	# server_name "";
	server_name {fqdn};

	# ssl_certificate -;
	ssl_certificate /etc/nginx/ssl/crt.pem;
	# ssl_certificate_key -;
	ssl_certificate_key /etc/nginx/ssl/key.pem;

	add_header Strict-Transport-Security max-age=15724800; # mozilla modern https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility

	location / {
	# alias {path};
	# internal;
	# limit_except method {};

	# try_files {file ...} uri;

	proxy_pass http://http_backend;
	# proxy_set_header Host $proxy_host;
	proxy_set_header Host $host;
	# proxy_set_header Connection close;
	proxy_set_header Connection "upgrade"; # websocket http://nginx.org/en/docs/http/websocket.html
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-NginX-Proxy true;
	proxy_set_header Upgrade $http_upgrade; # websocket http://nginx.org/en/docs/http/websocket.html

	# proxy_redirect default;
	proxy_redirect off;
	# proxy_intercept_errors off;

	# proxy_pass_request_body on;
	# proxy_pass_request_headers on;
	}
	}

	upstream http_backend {
	# server {addr}:{port} weight=1 max_fails=1 fail_timeout=10s max_conns=0 slow_start=0;
	server 127.0.0.1:8080;
	# zone {name} [{size}];
	# hash {key} [consistent];
	# keepalive {connections};
	# ip_hash; # disabled
	# least_conn; # disabled
	}
	# vhost-status.conf - nginx status vhost
	# This file is written by config management:
	# ANY CHANGES WILL BE OVERWRITTEN

	# This file includes all nginx default directive values in comments.
	# Non-default settings should explain why they are made, ideally
	# including business value and ticket number. This file is not the
	# place document what any particular directive does. Documentation
	# for all directives lives at http://nginx.org/en/docs/dirindex.html

	server {
	# listen *:80;
	listen 127.0.0.1:80;
	location /status {
	stub_status;
	}
	}