# Suggestions? => https://github.com/theraw/The-World-Is-Yours/issues
# Problems?    => https://github.com/theraw/The-World-Is-Yours/issues
#
# Global nginx configuration, sized for shared hosting with 5,000+ vhosts.
# Only process/event/http-wide settings are declared here; listen and
# ssl_certificate directives belong to the per-vhost files under
# /nginx/live/*.

user                    nginx;
pid                     /var/run/nginx.pid;

worker_processes        auto;
worker_cpu_affinity     auto;   # One worker per core, pinned, for cache locality.

# NOTE(review): this equals worker_connections below and is far below the
# open_file_cache max (200000). A proxied request holds two descriptors and
# the file cache holds one per cached file, so a worker can hit EMFILE well
# before reaching worker_connections — TODO confirm the intended sizing.
worker_rlimit_nofile    65535;

events {
    multi_accept        on;
    use                 epoll;
    worker_connections  65535;
}

http {
    # ---- Lua module search paths --------------------------------------
    lua_package_path    "/usr/nginx_lua/lib/lua/?.lua;;";
    lua_package_cpath   "/usr/nginx_lua/lib/lua/5.1/?.so;;";

    # ---- Layer-7 filtering (content of modsec/l7.conf not shown here) ---
    include modsec/l7.conf;

    # ---- Logging --------------------------------------------------------
    # Format named "main"; presumably referenced by the vhost access_log
    # directives — nothing in this file selects it.
    log_format main 'DATE: $time_local FROM: $remote_addr | STATUS: $status | TO: $request | CACHE: $upstream_cache_status | A: $http_user_agent';

    # ---- Request limits and timeouts ------------------------------------
    # Header buffers are deliberately small: every connection can allocate
    # them, so large values multiply by worker_connections into a memory
    # amplification vector for hostile clients.
    client_header_buffer_size   4k;
    large_client_header_buffers 4 16k;
    client_body_buffer_size     16k;
    client_max_body_size        2M;

    client_body_timeout         30s;
    client_header_timeout       30s;
    send_timeout                30s;
    reset_timedout_connection   on;     # Drop timed-out sockets immediately.

    keepalive_timeout           65s;    # Reuse connections across requests.
    keepalive_requests          10000;  # Default (1000) is low for HTTP/2 multiplexing.
    max_headers                 100;    # Slowloris-style header flooding cap; requires a
                                        # build that knows this directive (original note:
                                        # nginx 1.29.8), older builds fail nginx -t.

    port_in_redirect            off;

    sendfile                    on;
    sendfile_max_chunk          1m;
    tcp_nodelay                 on;
    tcp_nopush                  on;

    server_tokens               off;    # Do not reveal the version in headers/error pages.
    server_name_in_redirect     off;

    # ---- Name-hash sizing for 5,000+ server_name entries -----------------
    # _max_size must exceed the total number of server names;
    # _bucket_size must be a multiple of the CPU cache line
    # (32/64/128/256/512/1024).
    server_names_hash_bucket_size   128;
    server_names_hash_max_size      32768;
    types_hash_max_size             4096;

    # ---- File descriptor / stat cache -----------------------------------
    # Largest single win for static-heavy hosting. Caveat: with
    # open_file_cache_errors on, a failed open (e.g. 404) is also cached for
    # open_file_cache_valid, so a freshly uploaded file may keep returning
    # 404 for up to 30s.
    open_file_cache             max=200000 inactive=30s;
    open_file_cache_valid       30s;
    open_file_cache_min_uses    2;
    open_file_cache_errors      on;

    # ---- TLS ------------------------------------------------------------
    ssl_protocols               TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers   off;    # Let the client choose; TLS 1.3 suites are all strong.
    ssl_session_cache           shared:SSL:200m;   # roughly 800k sessions, shared by all workers
    ssl_session_timeout         1d;
    ssl_session_tickets         off;    # Keep off unless ticket keys are rotated; a static
                                        # ticket key undermines forward secrecy.
    ssl_stapling                on;     # Serve OCSP responses in the handshake.
    ssl_stapling_verify         on;     # Verifying the stapled response needs the issuer chain via
                                        # ssl_trusted_certificate — expected in the per-vhost files.

    # Used for OCSP responder and upstream-name lookups. Plain DNS to a public
    # resolver; answers are cached for 300s regardless of the record TTL.
    resolver                    1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout            5s;

    default_type                application/octet-stream;
    include                     /nginx/mime.types;

    # WebSocket upgrade helper: Connection: upgrade only when the client asked.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # ---- Compression ----------------------------------------------------
    # Typical saving on text responses is 60-80%; level 4 balances CPU
    # against ratio on shared hardware. Caveat: compressing responses that
    # mix secrets with attacker-influenced input over TLS is the BREACH
    # condition; vhosts serving such dynamic content should turn gzip/brotli
    # off for those locations.
    gzip                on;
    gzip_vary           on;
    gzip_proxied        any;
    gzip_comp_level     4;
    gzip_min_length     256;
    gzip_types          text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;

    brotli              on;
    brotli_comp_level   4;
    brotli_min_length   256;
    brotli_types        text/plain text/css text/xml application/json application/javascript application/xml application/xml+rss application/atom+xml image/svg+xml font/ttf font/otf font/woff font/woff2;

    # ---- Vhosts and extra configuration ---------------------------------
    # Include order is preserved from the original file; NOTE(review): if the
    # vhost files depend on rules from modsec/naxi.core, confirm that loading
    # it after live/* is intended.
    include live/*;
    include conf.d/*;
    include modsec/naxi.core;
}