user www-data; worker_processes auto; pid /run/nginx.pid; worker_rlimit_nofile 16384; # 1024 * events { use epoll; multi_accept on; worker_connections 6144; # 1024 * } http { include mime.types; default_type application/octet-stream; access_log off; tcp_nopush on; tcp_nodelay on; keepalive_timeout 120; types_hash_max_size 2048; server_names_hash_bucket_size 256; sendfile on; server { listen 80; listen [::]:80; server_name imag.example.com; # or whatever domain you use access_log off; return 301 https://$server_name$request_uri; } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name imag.example.com; access_log off; # letsencrypt ssl certs - you don't have to use LE, but this is just an example ssl_certificate /etc/letsencrypt/live/imag.example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/imag.example.com/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/imag.example.com/chain.pem; ssl_stapling on; ssl_stapling_verify on; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'; ssl_prefer_server_ciphers on; location / { access_log off; proxy_pass http://127.0.0.1:19721; # or wherever your app is running proxy_cache_bypass $http_upgrade; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; client_max_body_size 512M; proxy_max_temp_file_size 0; proxy_buffering off; } } }