user              {{ nginx_service_user }};
worker_processes  auto;

error_log         /var/log/nginx/error.log notice;
pid               /var/run/nginx.pid;

events {
    worker_connections  1024;
}

include /etc/nginx/conf.d/*.conf;

http {
    include           /etc/nginx/mime.types;
    default_type      application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log        /var/log/nginx/access.log  main;

    sendfile          on;
    server_tokens     off;

    ssl_ciphers   ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_dhparam   /etc/nginx/ssl/dhparams.pem;
    ssl_prefer_server_ciphers off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve x25519:secp256r1:secp521r1:secp384r1;

    keepalive_timeout 65;

    include /etc/nginx/sites-enabled/*.conf;
}

stream {
    log_format proxy '$remote_addr [$time_local] '
           '$protocol $status $bytes_sent $bytes_received '
           '$session_time "$upstream_addr" "-- $ssl_preread_server_name --"'
           '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';

    access_log        /var/log/nginx/stream-access.log proxy;

    include /etc/nginx/streams-enabled/*.conf;
}