“nginx [engine x] is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, originally written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites including Yandex, Mail.Ru, VK, and Rambler.”

guide:

## create a self-signed RSA certificate
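# Self-signed RSA certificate plus an unencrypted (-nodes) private key, valid for one year.
# The CN alone is not enough for current browsers: the host is matched against the
# subjectAltName extension, so the IP is also given there (-addext needs OpenSSL >= 1.1.1).
openssl req -x509 -nodes \
        -subj "/C=DE/ST=Germany/L=Magdeburg/O=x33u/OU=webdev/CN=192.168.1.10" \
        -addext "subjectAltName=IP:192.168.1.10" \
        -newkey rsa:4096 \
        -keyout /etc/ssl/nginx.key \
        -out /etc/ssl/nginx.crt \
        -days 365
# Restrict the private key to its owner; nothing but nginx needs to read it.
chmod 600 /etc/ssl/nginx.key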

## create DH parameters
# 4096-bit Diffie-Hellman group for the DHE cipher suites; generation can take
# several minutes. The output path must match ssl_dhparam in nginx.conf.
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

## edit /etc/nginx/nginx.conf

# Credentials used by the worker processes.
user www-data;
# "auto" starts one worker per available CPU core.
worker_processes auto;
pid /run/nginx.pid;
# Dynamic module declarations installed by the distribution.
include /etc/nginx/modules-enabled/*.conf;

events {
	# Maximum number of simultaneous connections per worker process.
	worker_connections 768;
	# multi_accept on;
}

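http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# Hide the nginx version in the Server header and on error pages; this
	# matches the X-Powered-By removal further down.
	server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	# TLSv1 and TLSv1.1 are no longer offered (old line kept for reference):
	#ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_protocols TLSv1.2 TLSv1.3;
	# Server preference applies to the TLS 1.2 list below; with OpenSSL the
	# TLS 1.3 suites are not configured through ssl_ciphers.
	ssl_prefer_server_ciphers on;

	# ECDSA+RSA alternative (the ECDSA suites need an ECDSA certificate):
	#ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
	# AEAD-only list for the RSA certificate from the guide. The earlier list
	# named ECDHE-RSA-AES256-GCM-SHA512 and DHE-RSA-AES256-GCM-SHA512, which
	# do not exist in OpenSSL: unknown names are dropped silently, which left
	# only three suites, one of them CBC (ECDHE-RSA-AES256-SHA384).
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;

	# Load DH parameters (generated in the openssl dhparam step of the guide)
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	# X25519 is what current clients offer first and is cheaper than the NIST
	# curves; many clients (Chrome among them) do not offer secp521r1, so it
	# only stays as a last fallback.
	ssl_ecdh_curve X25519:secp384r1:secp521r1;

	# Shared cache size 10MB
	ssl_session_cache shared:SSL:10m;
	# Default timeout is 5m
	ssl_session_timeout 10m;

	# OCSP-Stapling. Has no effect with the self-signed certificate from the
	# guide (no issuer, no OCSP responder); nginx warns and continues. With a
	# CA-issued certificate, ssl_stapling_verify additionally needs
	# ssl_trusted_certificate (issuer chain) and a resolver directive.
	ssl_stapling on;
	ssl_stapling_verify on;

	# Client address anonymisation for the access log: IPv4 keeps the first
	# three octets (last one becomes 0), IPv6 keeps the first two groups.
	# Addresses matching neither pattern are logged as 0.0.0.0.
	map $remote_addr $ip_anonym1 {
		default 0.0.0;
		"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" $ip;
		"~(?P<ip>[^:]+:[^:]+):" $ip;
	}

	map $remote_addr $ip_anonym2 {
		default .0;
		"~(?P<ip>(\d+)\.(\d+)\.(\d+))\.\d+" .0;
		"~(?P<ip>[^:]+:[^:]+):" ::;
	}

	map $ip_anonym1$ip_anonym2 $ip_anonymized {
		default 0.0.0.0;
		"~(?P<ip>.*)" $ip;
	}

	# Same fields as the default "combined" format, with the masked address.
	log_format anonymized '$ip_anonymized - $remote_user [$time_local] '
		'"$request" $status $body_bytes_sent '
		'"$http_referer" "$http_user_agent"';

	##
	# add header
	##
	# add_header is not merged across levels: a server or location block that
	# sets any add_header of its own replaces this whole list, so repeat it
	# there. Without the "always" parameter these headers are only sent with
	# 2xx/3xx responses, not with error pages.
	add_header X-Content-Type-Options nosniff;
	# Legacy filter header; current guidance is to disable the filter ("0")
	# and rely on Content-Security-Policy instead.
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Robots-Tag none;
	add_header X-Download-Options noopen;
	add_header X-Permitted-Cross-Domain-Policies none;
	add_header Referrer-Policy no-referrer;
	# Remove X-Powered-By, which is an information leak
	fastcgi_hide_header X-Powered-By;
	add_header X-Frame-Options "DENY";
	# Browsers ignore HSTS for IP-literal hosts such as the guide's CN, and
	# "preload" only matters once the host name is submitted to the preload list.
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
	# Expect-CT is obsolete (browsers no longer honour it) and can be dropped.
	add_header Expect-CT "enforce, max-age=21600";
	#add_header Content-Security-Policy "default-src 'none'; font-src 'self'; img-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' ;";

	##
	# Logging Settings
	##

	# Only the anonymized log is written. Several access_log directives on the
	# same level all take effect, so the earlier extra
	# "access_log /var/log/nginx/access.log;" (default format) wrote the full
	# client address to the same file and undid the anonymisation above.
	access_log /var/log/nginx/access.log anonymized;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	# Compressing responses that reflect attacker-controlled input over TLS is
	# what BREACH-style attacks exploit; if gzip_types is enabled, keep it to
	# static content types.
	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}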