zetas/expanded-default.conf

## expanded-default.conf
# configuration file /etc/nginx/nginx.conf:
# Configuration File - Nginx Server Configs
# http://nginx.org/en/docs/dirindex.html

# Run as a unique, less privileged user for security reasons.
# Default: nobody nobody
user www-data www-data;

# Sets the worker threads to the number of CPU cores available in the system for best performance.
# Should be > the number of CPU cores.
# Maximum number of connections = worker_processes * worker_connections
# Default: 1
worker_processes 20;

# Maximum number of open files per worker process.
# Should be > worker_connections.
# Default: no limit
worker_rlimit_nofile 8192;

events {
  # If you need more connections than this, you start optimizing your OS.
  # That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
  # Should be < worker_rlimit_nofile.
  # Default: 512
  worker_connections 8000;
}

# Log errors and warnings to this file
# This is only used when you don't override it on a server{} level
# Default: logs/error.log error
error_log  /var/log/nginx/error.log warn;

# The file storing the process ID of the main process
# Default: nginx.pid
pid        /var/run/nginx.pid;

http {

  # Hide nginx version information.
  # Default: on
  server_tokens off;

  # Specify MIME types for files.
  include       mime.types;

  # Default: text/plain
  default_type  application/octet-stream;

  # Update charset_types to match updated mime.types.
  # text/html is always included by charset module.
  # Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
  charset_types
    text/css
    text/plain
    text/vnd.wap.wml
    application/javascript
    application/json
    application/rss+xml
    application/xml;

  # Include $http_x_forwarded_for within default format used in log files
  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

  # Log access to this file
  # This is only used when you don't override it on a server{} level
  # Default: logs/access.log combined
  access_log /var/log/nginx/access.log main buffer=16k;

  # How long to allow each connection to stay idle.
  # Longer values are better for each individual client, particularly for SSL,
  # but means that worker connections are tied up longer.
  # Default: 75s
  keepalive_timeout 20s;

  # Speed up file transfers by using sendfile() to copy directly
  # between descriptors rather than using read()/write().
  # For performance reasons, on FreeBSD systems w/ ZFS
  # this option should be disabled as ZFS's ARC caches
  # frequently used files in RAM by default.
  # Default: off
  sendfile        on;

  # Don't send out partial frames; this increases throughput
  # since TCP frames are filled up before being sent out.
  # Default: off
  tcp_nopush      on;

  # Enable gzip compression.
  # Default: off
  gzip on;

  # Compression level (1-9).
  # 5 is a perfect compromise between size and CPU usage, offering about
  # 75% reduction for most ASCII files (almost identical to level 9).
  # Default: 1
  gzip_comp_level    5;

  # Don't compress anything that's already small and unlikely to shrink much
  # if at all (the default is 20 bytes, which is bad as that usually leads to
  # larger files after gzipping).
  # Default: 20
  gzip_min_length    256;

  # Compress data even for clients that are connecting to us via proxies,
  # identified by the "Via" header (required for CloudFront).
  # Default: off
  gzip_proxied       any;

  # Tell proxies to cache both the gzipped and regular version of a resource
  # whenever the client's Accept-Encoding capabilities header varies;
  # Avoids the issue where a non-gzip capable client (which is extremely rare
  # today) would display gibberish if their proxy gave them the gzipped version.
  # Default: off
  gzip_vary          on;

  # Compress all output labeled with one of the following MIME-types.
  # text/html is always compressed by gzip module.
  # Default: text/html
  gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/ld+json
    application/manifest+json
    application/rss+xml
    application/vnd.geo+json
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/bmp
    image/svg+xml
    image/x-icon
    text/cache-manifest
    text/css
    text/plain
    text/vcard
    text/vnd.rim.location.xloc
    text/vtt
    text/x-component
    text/x-cross-domain-policy;

  # This should be turned on if you are going to have pre-compressed copies (.gz) of
  # static files available. If not it should be left off as it will cause extra I/O
  # for the check. It is best if you enable this in a location{} block for
  # a specific directory, or on an individual server{} level.
   gzip_static on;

  # Include files in the sites-enabled folder. server{} configuration files should be
  # placed in the sites-available folder, and then the configuration should be enabled
  # by creating a symlink to it in the sites-enabled folder.
  # See doc/sites-enabled.md for more info.
  include sites-enabled/*;
}

# configuration file /etc/nginx/mime.types:

types {
    text/html                             html htm shtml;
    text/css                              css;
    text/xml                              xml;
    image/gif                             gif;
    image/jpeg                            jpeg jpg;
    application/javascript                js;
    application/atom+xml                  atom;
    application/rss+xml                   rss;

    text/mathml                           mml;
    text/plain                            txt;
    text/vnd.sun.j2me.app-descriptor      jad;
    text/vnd.wap.wml                      wml;
    text/x-component                      htc;

    image/png                             png;
    image/tiff                            tif tiff;
    image/vnd.wap.wbmp                    wbmp;
    image/x-icon                          ico;
    image/x-jng                           jng;
    image/x-ms-bmp                        bmp;
    image/svg+xml                         svg svgz;
    image/webp                            webp;

    application/font-woff                 woff;
    application/java-archive              jar war ear;
    application/json                      json;
    application/mac-binhex40              hqx;
    application/msword                    doc;
    application/pdf                       pdf;
    application/postscript                ps eps ai;
    application/rtf                       rtf;
    application/vnd.apple.mpegurl         m3u8;
    application/vnd.ms-excel              xls;
    application/vnd.ms-fontobject         eot;
    application/vnd.ms-powerpoint         ppt;
    application/vnd.wap.wmlc              wmlc;
    application/vnd.google-earth.kml+xml  kml;
    application/vnd.google-earth.kmz      kmz;
    application/x-7z-compressed           7z;
    application/x-cocoa                   cco;
    application/x-java-archive-diff       jardiff;
    application/x-java-jnlp-file          jnlp;
    application/x-makeself                run;
    application/x-perl                    pl pm;
    application/x-pilot                   prc pdb;
    application/x-rar-compressed          rar;
    application/x-redhat-package-manager  rpm;
    application/x-sea                     sea;
    application/x-shockwave-flash         swf;
    application/x-stuffit                 sit;
    application/x-tcl                     tcl tk;
    application/x-x509-ca-cert            der pem crt;
    application/x-xpinstall               xpi;
    application/xhtml+xml                 xhtml;
    application/xspf+xml                  xspf;
    application/zip                       zip;

    application/octet-stream              bin exe dll;
    application/octet-stream              deb;
    application/octet-stream              dmg;
    application/octet-stream              iso img;
    application/octet-stream              msi msp msm;

    application/vnd.openxmlformats-officedocument.wordprocessingml.document    docx;
    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet          xlsx;
    application/vnd.openxmlformats-officedocument.presentationml.presentation  pptx;

    audio/midi                            mid midi kar;
    audio/mpeg                            mp3;
    audio/ogg                             ogg;
    audio/x-m4a                           m4a;
    audio/x-realaudio                     ra;

    video/3gpp                            3gpp 3gp;
    video/mp2t                            ts;
    video/mp4                             mp4;
    video/mpeg                            mpeg mpg;
    video/quicktime                       mov;
    video/webm                            webm;
    video/x-flv                           flv;
    video/x-m4v                           m4v;
    video/x-mng                           mng;
    video/x-ms-asf                        asx asf;
    video/x-ms-wmv                        wmv;
    video/x-msvideo                       avi;
}

# configuration file /etc/nginx/sites-enabled/forum:
upstream io_nodes {
#    ip_hash;
    server x.x.x.x:4567;
}


server {
    listen 80;
    listen [::]:80;

    server_name forum.example.com forums.example.com;

    return 301    https://forum.example.com/$request_uri;

}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name forum.example.com forums.example.com;

    access_log /var/log/nginx/forum_access.log;
    error_log /var/log/nginx/forum_error.log;

    ssl on;

    # enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # disables all weak ciphers

    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    ssl_prefer_server_ciphers on;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_set_header X-NginX-Proxy true;
    proxy_redirect off;

    # Socket.io Support
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    gzip            on;
    gzip_min_length 1000;
    gzip_proxied    off;
    gzip_types      text/plain application/xml application/x-javascript text/css application/json;

    location @nodebb {
        proxy_pass http://io_nodes;
    }

    location / {
        proxy_pass http://io_nodes;
    }

ssl_certificate /etc/letsencrypt/live/forum.example.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/forum.example.com/privkey.pem; # managed by Certbot

}


# configuration file /etc/nginx/sites-enabled/example.com:
upstream @backend {
    server x.x.x.x;
}

# Choose between www and non-www, listen on the *wrong* one and redirect to
# the right one -- http://wiki.nginx.org/Pitfalls#Server_Name
#
server {
  listen [::]:80;
  listen 80;

  # listen on both hosts
  server_name example.com www.example.com;

  # and redirect to the https host (declared below)
  # avoiding http://www -> https://www -> https:// chain.
  return 301 https://example.com$request_uri;
}

server {
  listen [::]:443 ssl http2;
  listen 443 ssl http2;

  # listen on the wrong host
  server_name www.example.com;

  # Protect against the BEAST and POODLE attacks by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
  # SSLv3 to the list of protocols below.
  ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;

  # Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
  ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

  ssl_prefer_server_ciphers  on;
  ssl_ecdh_curve secp384r1;

  # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
  # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
  # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
  # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
  ssl_session_cache    shared:SSL:100m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
  ssl_session_timeout  24h;

  # SSL buffer size was added in 1.5.9
  ssl_buffer_size      4k; # 1400 bytes to fit in one MTU
  ssl_dhparam /etc/nginx/ssl/dhparams.pem;

  # Use a higher keepalive timeout to reduce the need for repeated handshakes
  keepalive_timeout 300s; # up from 75 secs default

  # HSTS (HTTP Strict Transport Security)
  # This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS.
  add_header Strict-Transport-Security "max-age=31536000; preload" always;

  # This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
  # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
  ssl_certificate      /etc/nginx/ssl/example-comodo-new.crt;
  ssl_certificate_key  /etc/nginx/ssl/example.key;


  add_header Public-Key-Pins 'pin-sha256="vlcGi1dfOAlN+CD5XYGHt5k="; pin-sha256="QIe7zfXtxxcL0fdRwdDe2s="; max-age=5184000';

  # OCSP stapling...
  ssl_stapling on;
  ssl_stapling_verify on;

  #trusted cert must be made up of your intermediate certificate followed by root certificate
  ssl_trusted_certificate /etc/nginx/ssl/trusted-intermediate.crt;

  resolver 8.8.8.8 8.8.4.4 valid=60s;
  resolver_timeout 2s;

  # and redirect to the non-www host (declared below)
  return 301 https://example.com$request_uri;
}

server {

   listen [::]:443 ssl http2;  # for Linux
   listen 443 ssl http2;  # for Linux

  # The host name to respond to
  server_name example.com;

  # Protect against the BEAST and POODLE attacks by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
  # SSLv3 to the list of protocols below.
  ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;

  # Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
  #ssl_ciphers                ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;

  # Original ciphers:
  ssl_ciphers                ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

  ssl_prefer_server_ciphers  on;
  ssl_ecdh_curve secp384r1;

  # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
  # The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
  # By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
  # Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
  ssl_session_cache    shared:SSL:100m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
  ssl_session_timeout  24h;

  # SSL buffer size was added in 1.5.9
  ssl_buffer_size      4k; # 1400 bytes to fit in one MTU
  ssl_dhparam /etc/nginx/ssl/dhparams.pem;

  # Use a higher keepalive timeout to reduce the need for repeated handshakes
  keepalive_timeout 300s; # up from 75 secs default

  # HSTS (HTTP Strict Transport Security)
  # This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS.
  add_header Strict-Transport-Security "max-age=31536000; preload" always;

  # This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
  # Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
  ssl_certificate      /etc/nginx/ssl/example-comodo-new.crt;
  ssl_certificate_key  /etc/nginx/ssl/example.key;

  # Consider using OCSP Stapling as shown in ssl-stapling.conf

  add_header Public-Key-Pins 'pin-sha256="vlcGi1akqx2Aymv/prdAlN+CD5XYGHt5k="; pin-sha256="QIe7zSbFxw7vJdwFXXtxxcL0fdRwdDe2s="; max-age=5184000';

  # OCSP stapling...
  ssl_stapling on;
  ssl_stapling_verify on;

  #trusted cert must be made up of your intermediate certificate followed by root certificate
  ssl_trusted_certificate /etc/nginx/ssl/trusted-intermediate.crt;

  resolver 8.8.8.8 8.8.4.4 valid=60s;
  resolver_timeout 2s;

  # Path for static files
  root /var/www/html;

  #Specify a charset
  charset utf-8;

  location /
    {
        proxy_pass http://@backend;
        proxy_buffers 32 128k;
        proxy_buffer_size 128k;
        proxy_busy_buffers_size 256k;
        proxy_max_temp_file_size 2048m;
	      proxy_temp_file_write_size 128k;
        proxy_cache_bypass $http_pragma $http_authorization;
        proxy_connect_timeout 59s;
        proxy_hide_header X-Powered-By;
        proxy_http_version 1.1;
        proxy_ignore_headers Cache-Control Expires;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
        proxy_no_cache $http_pragma $http_authorization;
        proxy_pass_header Set-Cookie;
        proxy_read_timeout 600;
        proxy_redirect off;
        proxy_send_timeout 600;
        #proxy_temp_file_write_size 64k;
        proxy_set_header Accept-Encoding '';
        proxy_set_header Cookie $http_cookie;
        proxy_set_header Host $host;
        proxy_set_header Proxy '';
        proxy_set_header Referer $http_referer;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Original-Request $request_uri;
    }
}
	# configuration file /etc/nginx/nginx.conf:
	# Configuration File - Nginx Server Configs
	# http://nginx.org/en/docs/dirindex.html

	# Run as a unique, less privileged user for security reasons.
	# Default: nobody nobody
	user www-data www-data;

	# Sets the worker threads to the number of CPU cores available in the system for best performance.
	# Should be > the number of CPU cores.
	# Maximum number of connections = worker_processes * worker_connections
	# Default: 1
	worker_processes 20;

	# Maximum number of open files per worker process.
	# Should be > worker_connections.
	# Default: no limit
	worker_rlimit_nofile 8192;

	events {
	# If you need more connections than this, you start optimizing your OS.
	# That's probably the point at which you hire people who are smarter than you as this is a lot of requests.
	# Should be < worker_rlimit_nofile.
	# Default: 512
	worker_connections 8000;
	}

	# Log errors and warnings to this file
	# This is only used when you don't override it on a server{} level
	# Default: logs/error.log error
	error_log /var/log/nginx/error.log warn;

	# The file storing the process ID of the main process
	# Default: nginx.pid
	pid /var/run/nginx.pid;

	http {

	# Hide nginx version information.
	# Default: on
	server_tokens off;

	# Specify MIME types for files.
	include mime.types;

	# Default: text/plain
	default_type application/octet-stream;

	# Update charset_types to match updated mime.types.
	# text/html is always included by charset module.
	# Default: text/html text/xml text/plain text/vnd.wap.wml application/javascript application/rss+xml
	charset_types
	text/css
	text/plain
	text/vnd.wap.wml
	application/javascript
	application/json
	application/rss+xml
	application/xml;

	# Include $http_x_forwarded_for within default format used in log files
	log_format main '$remote_addr - $remote_user [$time_local] "$request" '
	'$status $body_bytes_sent "$http_referer" '
	'"$http_user_agent" "$http_x_forwarded_for"';

	# Log access to this file
	# This is only used when you don't override it on a server{} level
	# Default: logs/access.log combined
	access_log /var/log/nginx/access.log main buffer=16k;

	# How long to allow each connection to stay idle.
	# Longer values are better for each individual client, particularly for SSL,
	# but means that worker connections are tied up longer.
	# Default: 75s
	keepalive_timeout 20s;

	# Speed up file transfers by using sendfile() to copy directly
	# between descriptors rather than using read()/write().
	# For performance reasons, on FreeBSD systems w/ ZFS
	# this option should be disabled as ZFS's ARC caches
	# frequently used files in RAM by default.
	# Default: off
	sendfile on;

	# Don't send out partial frames; this increases throughput
	# since TCP frames are filled up before being sent out.
	# Default: off
	tcp_nopush on;

	# Enable gzip compression.
	# Default: off
	gzip on;

	# Compression level (1-9).
	# 5 is a perfect compromise between size and CPU usage, offering about
	# 75% reduction for most ASCII files (almost identical to level 9).
	# Default: 1
	gzip_comp_level 5;

	# Don't compress anything that's already small and unlikely to shrink much
	# if at all (the default is 20 bytes, which is bad as that usually leads to
	# larger files after gzipping).
	# Default: 20
	gzip_min_length 256;

	# Compress data even for clients that are connecting to us via proxies,
	# identified by the "Via" header (required for CloudFront).
	# Default: off
	gzip_proxied any;

	# Tell proxies to cache both the gzipped and regular version of a resource
	# whenever the client's Accept-Encoding capabilities header varies;
	# Avoids the issue where a non-gzip capable client (which is extremely rare
	# today) would display gibberish if their proxy gave them the gzipped version.
	# Default: off
	gzip_vary on;

	# Compress all output labeled with one of the following MIME-types.
	# text/html is always compressed by gzip module.
	# Default: text/html
	gzip_types
	application/atom+xml
	application/javascript
	application/json
	application/ld+json
	application/manifest+json
	application/rss+xml
	application/vnd.geo+json
	application/vnd.ms-fontobject
	application/x-font-ttf
	application/x-web-app-manifest+json
	application/xhtml+xml
	application/xml
	font/opentype
	image/bmp
	image/svg+xml
	image/x-icon
	text/cache-manifest
	text/css
	text/plain
	text/vcard
	text/vnd.rim.location.xloc
	text/vtt
	text/x-component
	text/x-cross-domain-policy;

	# This should be turned on if you are going to have pre-compressed copies (.gz) of
	# static files available. If not it should be left off as it will cause extra I/O
	# for the check. It is best if you enable this in a location{} block for
	# a specific directory, or on an individual server{} level.
	gzip_static on;

	# Include files in the sites-enabled folder. server{} configuration files should be
	# placed in the sites-available folder, and then the configuration should be enabled
	# by creating a symlink to it in the sites-enabled folder.
	# See doc/sites-enabled.md for more info.
	include sites-enabled/*;
	}

	# configuration file /etc/nginx/mime.types:

	types {
	text/html html htm shtml;
	text/css css;
	text/xml xml;
	image/gif gif;
	image/jpeg jpeg jpg;
	application/javascript js;
	application/atom+xml atom;
	application/rss+xml rss;

	text/mathml mml;
	text/plain txt;
	text/vnd.sun.j2me.app-descriptor jad;
	text/vnd.wap.wml wml;
	text/x-component htc;

	image/png png;
	image/tiff tif tiff;
	image/vnd.wap.wbmp wbmp;
	image/x-icon ico;
	image/x-jng jng;
	image/x-ms-bmp bmp;
	image/svg+xml svg svgz;
	image/webp webp;

	application/font-woff woff;
	application/java-archive jar war ear;
	application/json json;
	application/mac-binhex40 hqx;
	application/msword doc;
	application/pdf pdf;
	application/postscript ps eps ai;
	application/rtf rtf;
	application/vnd.apple.mpegurl m3u8;
	application/vnd.ms-excel xls;
	application/vnd.ms-fontobject eot;
	application/vnd.ms-powerpoint ppt;
	application/vnd.wap.wmlc wmlc;
	application/vnd.google-earth.kml+xml kml;
	application/vnd.google-earth.kmz kmz;
	application/x-7z-compressed 7z;
	application/x-cocoa cco;
	application/x-java-archive-diff jardiff;
	application/x-java-jnlp-file jnlp;
	application/x-makeself run;
	application/x-perl pl pm;
	application/x-pilot prc pdb;
	application/x-rar-compressed rar;
	application/x-redhat-package-manager rpm;
	application/x-sea sea;
	application/x-shockwave-flash swf;
	application/x-stuffit sit;
	application/x-tcl tcl tk;
	application/x-x509-ca-cert der pem crt;
	application/x-xpinstall xpi;
	application/xhtml+xml xhtml;
	application/xspf+xml xspf;
	application/zip zip;

	application/octet-stream bin exe dll;
	application/octet-stream deb;
	application/octet-stream dmg;
	application/octet-stream iso img;
	application/octet-stream msi msp msm;

	application/vnd.openxmlformats-officedocument.wordprocessingml.document docx;
	application/vnd.openxmlformats-officedocument.spreadsheetml.sheet xlsx;
	application/vnd.openxmlformats-officedocument.presentationml.presentation pptx;

	audio/midi mid midi kar;
	audio/mpeg mp3;
	audio/ogg ogg;
	audio/x-m4a m4a;
	audio/x-realaudio ra;

	video/3gpp 3gpp 3gp;
	video/mp2t ts;
	video/mp4 mp4;
	video/mpeg mpeg mpg;
	video/quicktime mov;
	video/webm webm;
	video/x-flv flv;
	video/x-m4v m4v;
	video/x-mng mng;
	video/x-ms-asf asx asf;
	video/x-ms-wmv wmv;
	video/x-msvideo avi;
	}

	# configuration file /etc/nginx/sites-enabled/forum:
	upstream io_nodes {
	# ip_hash;
	server x.x.x.x:4567;
	}


	server {
	listen 80;
	listen [::]:80;

	server_name forum.example.com forums.example.com;

	return 301 https://forum.example.com/$request_uri;

	}

	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name forum.example.com forums.example.com;

	access_log /var/log/nginx/forum_access.log;
	error_log /var/log/nginx/forum_error.log;

	ssl on;

	# enables all versions of TLS, but not SSLv2 or 3 which are weak and now deprecated.
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# disables all weak ciphers

	ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

	ssl_prefer_server_ciphers on;

	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header Host $http_host;
	proxy_set_header X-NginX-Proxy true;
	proxy_redirect off;

	# Socket.io Support
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";

	gzip on;
	gzip_min_length 1000;
	gzip_proxied off;
	gzip_types text/plain application/xml application/x-javascript text/css application/json;

	location @nodebb {
	proxy_pass http://io_nodes;
	}

	location / {
	proxy_pass http://io_nodes;
	}

	ssl_certificate /etc/letsencrypt/live/forum.example.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/forum.example.com/privkey.pem; # managed by Certbot

	}


	# configuration file /etc/nginx/sites-enabled/example.com:
	upstream @backend {
	server x.x.x.x;
	}

	# Choose between www and non-www, listen on the wrong one and redirect to
	# the right one -- http://wiki.nginx.org/Pitfalls#Server_Name
	#
	server {
	listen [::]:80;
	listen 80;

	# listen on both hosts
	server_name example.com www.example.com;

	# and redirect to the https host (declared below)
	# avoiding http://www -> https://www -> https:// chain.
	return 301 https://example.com$request_uri;
	}

	server {
	listen [::]:443 ssl http2;
	listen 443 ssl http2;

	# listen on the wrong host
	server_name www.example.com;

	# Protect against the BEAST and POODLE attacks by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
	# SSLv3 to the list of protocols below.
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

	ssl_prefer_server_ciphers on;
	ssl_ecdh_curve secp384r1;

	# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
	# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
	# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
	# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
	ssl_session_cache shared:SSL:100m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
	ssl_session_timeout 24h;

	# SSL buffer size was added in 1.5.9
	ssl_buffer_size 4k; # 1400 bytes to fit in one MTU
	ssl_dhparam /etc/nginx/ssl/dhparams.pem;

	# Use a higher keepalive timeout to reduce the need for repeated handshakes
	keepalive_timeout 300s; # up from 75 secs default

	# HSTS (HTTP Strict Transport Security)
	# This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS.
	add_header Strict-Transport-Security "max-age=31536000; preload" always;

	# This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
	# Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
	ssl_certificate /etc/nginx/ssl/example-comodo-new.crt;
	ssl_certificate_key /etc/nginx/ssl/example.key;


	add_header Public-Key-Pins 'pin-sha256="vlcGi1dfOAlN+CD5XYGHt5k="; pin-sha256="QIe7zfXtxxcL0fdRwdDe2s="; max-age=5184000';

	# OCSP stapling...
	ssl_stapling on;
	ssl_stapling_verify on;

	#trusted cert must be made up of your intermediate certificate followed by root certificate
	ssl_trusted_certificate /etc/nginx/ssl/trusted-intermediate.crt;

	resolver 8.8.8.8 8.8.4.4 valid=60s;
	resolver_timeout 2s;

	# and redirect to the non-www host (declared below)
	return 301 https://example.com$request_uri;
	}

	server {

	listen [::]:443 ssl http2; # for Linux
	listen 443 ssl http2; # for Linux

	# The host name to respond to
	server_name example.com;

	# Protect against the BEAST and POODLE attacks by not using SSLv3 at all. If you need to support older browsers (IE6) you may need to add
	# SSLv3 to the list of protocols below.
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	# Ciphers set to best allow protection from Beast, while providing forwarding secrecy, as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
	#ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;

	# Original ciphers:
	ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;

	ssl_prefer_server_ciphers on;
	ssl_ecdh_curve secp384r1;

	# Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
	# The handshake is the most CPU-intensive operation, and by default it is re-negotiated on every new/parallel connection.
	# By enabling a cache (of type "shared between all Nginx workers"), we tell the client to re-use the already negotiated state.
	# Further optimization can be achieved by raising keepalive_timeout, but that shouldn't be done unless you serve primarily HTTPS.
	ssl_session_cache shared:SSL:100m; # a 1mb cache can hold about 4000 sessions, so we can hold 40000 sessions
	ssl_session_timeout 24h;

	# SSL buffer size was added in 1.5.9
	ssl_buffer_size 4k; # 1400 bytes to fit in one MTU
	ssl_dhparam /etc/nginx/ssl/dhparams.pem;

	# Use a higher keepalive timeout to reduce the need for repeated handshakes
	keepalive_timeout 300s; # up from 75 secs default

	# HSTS (HTTP Strict Transport Security)
	# This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS.
	add_header Strict-Transport-Security "max-age=31536000; preload" always;

	# This default SSL certificate will be served whenever the client lacks support for SNI (Server Name Indication).
	# Make it a symlink to the most important certificate you have, so that users of IE 8 and below on WinXP can see your main site without SSL errors.
	ssl_certificate /etc/nginx/ssl/example-comodo-new.crt;
	ssl_certificate_key /etc/nginx/ssl/example.key;

	# Consider using OCSP Stapling as shown in ssl-stapling.conf

	add_header Public-Key-Pins 'pin-sha256="vlcGi1akqx2Aymv/prdAlN+CD5XYGHt5k="; pin-sha256="QIe7zSbFxw7vJdwFXXtxxcL0fdRwdDe2s="; max-age=5184000';

	# OCSP stapling...
	ssl_stapling on;
	ssl_stapling_verify on;

	#trusted cert must be made up of your intermediate certificate followed by root certificate
	ssl_trusted_certificate /etc/nginx/ssl/trusted-intermediate.crt;

	resolver 8.8.8.8 8.8.4.4 valid=60s;
	resolver_timeout 2s;

	# Path for static files
	root /var/www/html;

	#Specify a charset
	charset utf-8;

	location /
	{
	proxy_pass http://@backend;
	proxy_buffers 32 128k;
	proxy_buffer_size 128k;
	proxy_busy_buffers_size 256k;
	proxy_max_temp_file_size 2048m;
	proxy_temp_file_write_size 128k;
	proxy_cache_bypass $http_pragma $http_authorization;
	proxy_connect_timeout 59s;
	proxy_hide_header X-Powered-By;
	proxy_http_version 1.1;
	proxy_ignore_headers Cache-Control Expires;
	proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504 http_404;
	proxy_no_cache $http_pragma $http_authorization;
	proxy_pass_header Set-Cookie;
	proxy_read_timeout 600;
	proxy_redirect off;
	proxy_send_timeout 600;
	#proxy_temp_file_write_size 64k;
	proxy_set_header Accept-Encoding '';
	proxy_set_header Cookie $http_cookie;
	proxy_set_header Host $host;
	proxy_set_header Proxy '';
	proxy_set_header Referer $http_referer;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Host $host;
	proxy_set_header X-Forwarded-Server $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Original-Request $request_uri;
	}
	}