# /etc/nginx/nginx.conf

# load dynamic modules
load_module /usr/lib/nginx/modules/ngx_http_cookie_flag_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
load_module /usr/lib/nginx/modules/ngx_http_headers_more_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_lua_module.so;
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_filter_module.so;
load_module /usr/lib/nginx/modules/ngx_http_brotli_static_module.so;

# run as daemon
daemon on;

# PID file
pid /tmp/nginx.pid;

# worker number = CPU core(s)
worker_processes auto;

# faster regexp
pcre_jit on;

# config files for dynamic modules
include /etc/nginx/modules/*.conf;

events {
	# max connections per worker
	worker_connections 1024;

	# epoll seems to be the best on Linux
	use epoll;
}

http {
	# zero copy within the kernel
	sendfile on;

	# send packets only if filled
	tcp_nopush on;

	# remove 200ms delay
	tcp_nodelay on;

	# load mime types and set default one
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	# write logs to local syslog
	log_format logf '%LOG_FORMAT%';
	access_log syslog:server=unix:/dev/log,nohostname,facility=local0,severity=notice logf;
	error_log syslog:server=unix:/dev/log,nohostname,facility=local0 warn;

	# temp paths
	proxy_temp_path /tmp/proxy_temp;
	client_body_temp_path /tmp/client_temp;
	fastcgi_temp_path /tmp/fastcgi_temp;
	uwsgi_temp_path /tmp/uwsgi_temp;
	scgi_temp_path /tmp/scgi_temp;

	# close connections in FIN_WAIT1 state
	reset_timedout_connection on;

	# timeouts
	client_body_timeout 12;
	client_header_timeout 12;
	keepalive_timeout 15;
	send_timeout 10;

	# resolvers to use
	resolver %DNS_RESOLVERS% ipv6=off;

	# remove ports when sending redirects
	port_in_redirect off;

	# lua path and dicts
	lua_package_path "/usr/local/lib/lua/?.lua;;";
	%WHITELIST_IP_CACHE%
	%WHITELIST_REVERSE_CACHE%
	%BLACKLIST_IP_CACHE%
	%BLACKLIST_REVERSE_CACHE%
	%DNSBL_CACHE%

	# crowdsec init
	%USE_CROWDSEC%
	
	# shared memory zone for limit_req
	%LIMIT_REQ_ZONE%

	# shared memory zone for limit_conn
	%LIMIT_CONN_ZONE%

	# whitelist or blacklist country
	%USE_COUNTRY%

	# list of blocked user agents
	%BLOCK_USER_AGENT%

	# list of blocked referrers
	%BLOCK_REFERRER%

	# zone for proxy_cache
	%PROXY_CACHE_PATH%

	# custom http confs
	include /http-confs/*.conf;

	# default server when MULTISITE=yes
	%MULTISITE_DEFAULT_SERVER%

	# server config(s)
	%INCLUDE_SERVER%

	# API
	%USE_API%
}