Global HTTP Settings

Following are the global HTTP server settings loaded from the /etc/nginx/http-conf.d/ directory.

Since the order in which these configurations are applied does matter, the files are numbered.

The configuration options are explained in the comments inside each file.

TCP Options

The file /etc/nginx/http-conf.d/10_tcp-options.conf contains optimizations on the TCP/IP network level.

#
# Nginx TCP network configuration
#

# Speed up file transfers by using sendfile() instead of read() and write().
# Default: off;
sendfile on;

# When set to a non-zero value, limits the amount of data that can be
# transferred in a single sendfile() call. Without the limit, one fast
# connection may seize the worker process entirely.
# Default: 0;
#sendfile_max_chunk  0;

# Increase throughput by sending full TCP packets with sendfile().
# Enables or disables the use of the TCP_CORK socket option on Linux.
# The option is only enabled when sendfile is used.
# Enabling the option allows sending the response header and the beginning of a
# file in one packet and sending a file in full packets.
# Default: off
tcp_nopush on;

# Enables or disables the use of the TCP_NODELAY option. The option is enabled
# only when a connection is transitioned into the keep-alive state.
# Allows small pieces of data to be sent out more quickly, conserving resources.
# Default: on
#tcp_nodelay on;

# Number and size of the buffers used for reading a response from a disk.
# Set a large buffer ONLY if you set 'sendfile' to 'off'
# Default: 1 32k;
#output_buffers 1 512k;

# Enable resetting timed out connections, thus freeing up RAM.
# TCP RST is sent to the client. Not valid for keep-alive connections.
# Default: off;
reset_timedout_connection on;

HTTPS Options

The file /etc/nginx/http-conf.d/20_https-options.conf holds the global SSL/TLS settings.

#
# TLS - Transport Layer Security (SSL)
#
# nginx/1.11.6
# OpenSSL 1.0.2g  1 Mar 2016


# Specifies the enabled ciphers. The ciphers are specified in the format
# understood by the OpenSSL library.
# Default: ssl_ciphers HIGH:!aNULL:!MD5;
ssl_ciphers
	'kEECDH+aECDSA+CHACHA20:kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20:kEECDH+aECDSA+AESGCM:kEECDH+aRSA+AESGCM:kEDH+aRSA+AESGCM:kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kEDH+aRSA+AES:-AESCCM:-AES256:+SHA1';

#
# Diffie-Hellman ephemeral key exchange parameters
# Specifies a file with DH parameters for DHE ciphers.
# Should be at least the size of the public RSA key
# Default: <not set>
ssl_dhparam /etc/ssl/dhparams/dh_4096.pem;

#
# The curve used for Elliptic Curve encryption.
# Specifies a curve for ECDHE ciphers.
# Default: ssl_ecdh_curve auto;
ssl_ecdh_curve secp384r1;

#
# Specifies that server ciphers should be preferred over client ciphers when
# using the SSLv3 and TLS protocols.
# Default: ssl_prefer_server_ciphers off;
ssl_prefer_server_ciphers on;

#
# Enables (or disables) the specified protocols.
# Don't use SSLv2 and SSLv3
# Default: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

#
# Enables or disables session resumption through TLS session tickets (RFC5077).
# Default: ssl_session_tickets on;
#ssl_session_tickets on;

#
#   Optimize SSL by caching session parameters. This cuts down on
#   the number of expensive SSL handshakes. The handshake is the most
#   CPU-intensive operation, and by default it is re-negotiated on every
#   new/parallel connection.
#

# Time during which a client may reuse a cached TLS session without
# renegotiation.
# Default:  ssl_session_timeout 5m;
ssl_session_timeout 1d;

#
# Further optimization can be achieved by raising keepalive_timeout.
# Time during which a client connection will stay open on the server side.
# The optional second parameter sets a value in the “Keep-Alive: timeout=time”
# response header field.
#
# Set in configuration file 20_limits.conf

Limits

The file /etc/nginx/http-conf.d/20_limits.conf can be used to set various network-related limits, such as the number of allowed connections per IP address or various buffer sizes. At this time we limit connections only and stick with the Nginx default values for the rest.

#
# Various Nginx Server Run-Time Limits
#

#
# Buffer Limits
#

# Buffer size for reading client request header,
# before the large_client_header_buffers is used.
# Default 1k
#client_header_buffer_size 1k;

# Maximum number and size of buffers used for reading large client request headers,
# before a 414 (Request-URI Too Large) error is returned to the client.
#large_client_header_buffers 4 8k; # 32k total size

# Buffer size for reading client request bodies without saving to disk.
# Default: 16k
client_body_buffer_size   32k;

# Maximum allowed size of the client request body,
# before a 413 (Request Entity Too Large) error is returned to the client.
# Default: 1m
#client_max_body_size      1m;

# Sets the maximum size of chunks into which the response body is sliced. A too
# low value results in higher overhead. A too high value impairs prioritization
# due to HOL blocking (http://en.wikipedia.org/wiki/Head-of-line_blocking).
# Default: 8k
#http2_chunk_size 8k;

# Sets the size of the per worker input buffer.
# Default: 256k
#http2_recv_buffer_size 256k;


#
# Timeouts
#

# Maximum time between packets the client can pause when sending nginx any data
# Default: 60s
client_body_timeout 4s;

# Maximum time the client has to send the entire header to nginx
# Default: 60s
client_header_timeout 4s;

# Timeout during which a single keep-alive client connection will stay open.
# Set this to the same value as 'ssl_session_timeout' to reduce the number of
# needed TLS handshakes. The second number sets what is sent to clients.
# Default: 75s
keepalive_timeout 1d 1d;

# Timeout for sending response to clients, before the connection is closed.
# Default: 60s
send_timeout 24s;

# Sets the timeout of inactivity after which the connection is closed.
# Default: 3m;
#http2_idle_timeout 3m;

# Sets the timeout for expecting more data from the client, after which the
# connection is closed.
# Default: 30s
#http2_recv_timeout 30s;


#
# Request Rate Limits
#

# Limit the rate of requests an IP can make over a certain time.
# Returns a 503 (Service Temporarily Unavailable) error if a client sends too
# many requests too quickly.
# Default: none
limit_req_zone $binary_remote_addr zone=ip_req:10m rate=1000r/s;
limit_req_zone $server_name zone=server_req:10m rate=1000r/s;

# Sets the status code to return in response to rejected requests.
# Default: 503
limit_req_status 429;

# Enforce
limit_req zone=ip_req burst=50 nodelay;
limit_req zone=server_req burst=100;


#
# Response Rate Limits
#

# Rate of response transmission to a client in bytes per second (per request).
# Default: 0 (unlimited)
#limit_rate 0;

# Initial amount of data sent at an unlimited rate, before response rate
# limiting starts.
# Default: 0 (unlimited)
#limit_rate_after 0;


#
# Connection Limits
#

# Define zone for storing session states. Handles 16,000 sessions per MB
# Returns a 503 (Service Temporarily Unavailable) error if storage is exhausted.
limit_conn_zone $binary_remote_addr zone=ip_conn:10m;

# Max. number of simultaneous connections per session (IP address)
limit_conn ip_conn 512;

# Logging level used for connection limits ( info | notice | warn | error ).
# Default: error;
#limit_conn_log_level error;

# Sets the status code to return in response to rejected requests.
# Default: 503 (Service Unavailable);
limit_conn_status 429; # (429 Too Many Requests)

# Max. requests through one keep-alive connection before it will be closed.
# Default: 100
#keepalive_requests       50;

# Allow a single range header for resumed downloads only.
# Stops large range header DoS attacks
# Default: unlimited
#max_ranges                1;

# Enables or disables adding comments to responses for MSIE clients with status
# greater than 400 to increase the response size to 512 bytes.
# Default: on
#msie_padding              off;

# Sets the maximum number of concurrent HTTP/2 streams in a connection.
# Default: 128
#http2_max_concurrent_streams 128;
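To make the burst and nodelay parameters of limit_req above concrete, here is an added Python model of the leaky-bucket algorithm behind them (written for this page; it is neither nginx code nor part of the original configuration). Each request adds one to a per-client “excess” counter that drains at the configured rate; a request is rejected when the excess would exceed burst, delayed when the excess is above zero and nodelay is not set, and served immediately otherwise. The class name LimitReq, the helpers simulate and burst_demo, and the arrival times fed through them are this example's own constructions; the rate and burst values are the ones from ip_req above.

```python
from collections import Counter


class LimitReq:
    """Leaky-bucket model of one nginx limit_req zone entry (one client key).

    `excess` counts how many requests the client is ahead of the allowed rate.
    It drains at `rate` requests per second and grows by one per request.
    """

    def __init__(self, rate, burst=0, nodelay=False):
        self.rate = float(rate)      # requests per second, e.g. 1000 for rate=1000r/s
        self.burst = float(burst)    # the burst=... parameter
        self.nodelay = nodelay       # the nodelay flag
        self.excess = 0.0            # current excess for this client
        self.last = None             # time of the last accounted request (seconds)

    def request(self, now):
        """Account one request at time `now`; return (decision, delay_seconds)."""
        if self.last is None:
            # First request from this client: nothing to drain, always served.
            self.excess, self.last = 0.0, now
            return "ok", 0.0
        excess = self.excess - self.rate * (now - self.last) + 1.0
        if excess < 0.0:
            excess = 0.0
        if excess > self.burst:
            # Rejected (limit_req_status); the stored state is left untouched,
            # as nginx does, so a rejected flood does not dig the hole deeper.
            return "rejected", 0.0
        self.excess, self.last = excess, now
        if excess > 0.0 and not self.nodelay:
            # Without nodelay the request is held until the excess has drained.
            return "delayed", excess / self.rate
        return "ok", 0.0


def simulate(limiter, arrival_times):
    """Feed a list of arrival times (seconds) through the limiter; count the decisions."""
    return Counter(limiter.request(t)[0] for t in arrival_times)


def burst_demo(rate=1000, burst=50, nodelay=True, requests=60):
    """All `requests` arrive in the same instant, as a scanner or a flood would."""
    lim = LimitReq(rate, burst, nodelay)
    result = dict(simulate(lim, [0.0] * requests))
    # 50 ms later, 1000 r/s has drained 50 requests of excess: the client is served again.
    result["after_50ms"] = lim.request(0.050)[0]
    return result


if __name__ == "__main__":
    print("burst=50 nodelay:", burst_demo(nodelay=True))
    print("burst=50 delayed:", burst_demo(nodelay=False))
```

With nodelay, 51 of the 60 simultaneous requests are served at once (the first plus the full burst) and 9 get the 429 configured by limit_req_status; without nodelay only the first is served immediately, the next 50 are queued and spread out at the configured rate, and the same 9 are rejected.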

Character-Sets and MIME-Types

The file /etc/nginx/http-conf.d/30_charsets.conf.

#
# Nginx default MIME-types and character sets configuration
#

# Define the MIME types for files.
include         mime.types;
default_type    application/octet-stream;

# Update charset_types due to updated mime.types
charset_types   text/xml
                text/plain
                text/vnd.wap.wml
                application/x-javascript
                application/rss+xml
                text/css
                application/javascript
                application/json;

# Adds the specified character set to the “Content-Type” response header field.
# Default: off
charset         utf-8;

# Defines the source character set of a response.
# Default: none
source_charset  utf-8;

HTTP Server Security

We group the settings that affect the global HTTP server security in the file /etc/nginx/http-conf.d/30_http-server-security.conf.

#
# Global HTTP Server Security and Access Restriction Settings
#

# Don't allow access to directory listing if there is no index document.
# Default: off
#autoindex off;

# Don't send the Nginx version number in error pages and server header
# Default: on
server_tokens off;

# Set our own server token (more_set_headers is provided by the headers-more
# module, which has to be compiled in or loaded for this directive to work)
more_set_headers	'Server: CERN/3.0 libwww/2.17';
#more_set_headers	'Server: NCSA HTTPd 1.5.2a';
#more_set_headers	'Server: Netscape-Enterprise/3.5.1';
#more_set_headers	'Server: Apache/1.3.0 (Unix) PHP/3.0 ';
#more_set_headers	'Server: Microsoft-IIS/6.0';

# Controls whether header fields with invalid names should be ignored. Valid
# names are composed of English letters, digits, hyphens, and possibly
# underscores (as controlled by the underscores_in_headers directive).
# Default: on
#ignore_invalid_headers on;

# Enables or disables the use of underscores in client request header fields.
# When the use of underscores is disabled, request header fields whose names
# contain underscores are marked as invalid and become subject to the
# 'ignore_invalid_headers' directive.
# Default: off
#underscores_in_headers off;

There will be more security settings in the individual virtual hosts later on.

Logging

Format

This sets the more or less standard log format for websites.

Note that we don’t set what will be logged here in any way, but only how and where. More on this will follow later on.

File: /etc/nginx/http-conf.d/40_log-format.conf.

#
# Nginx Logging Configuration
#
log_format  main    '$remote_addr [$host] $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
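As an added example (not part of the original configuration), here is a small Python parser for exactly this main log format, run over a few constructed sample lines. It splits the quoted request into method, path and protocol and counts, per client address, the responses that carried a given status code, which is the check one runs to see which clients are hitting the 429 rate limits defined earlier. The sample lines, the regular expression and the helper names are this example's own; nginx escapes double quotes inside logged variables as \x22, which is why a quoted field can be matched as "anything but a double quote".

```python
import re
from collections import Counter

# Regular expression for one line written with the log_format "main" above.
# nginx escapes '"' inside variables as \x22, so [^"]* is safe for quoted fields.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) \[(?P<host>[^\]]*)\] (?P<remote_user>\S+) '
    r'\[(?P<time_local>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<body_bytes_sent>\d+) "(?P<http_referer>[^"]*)" '
    r'"(?P<http_user_agent>[^"]*)" "(?P<http_x_forwarded_for>[^"]*)"$'
)

# Constructed sample lines (not real traffic); the last one is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.5 [www.example.net] - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"
203.0.113.5 [www.example.net] - [10/Oct/2023:13:55:37 +0000] "GET /wp-login.php HTTP/1.1" 429 162 "-" "curl/7.88.1" "-"
198.51.100.7 [www.example.net] alice [10/Oct/2023:13:55:38 +0000] "POST /api HTTP/2.0" 429 0 "https://www.example.net/" "Mozilla/5.0" "10.0.0.9"
this line is not in the main format
"""


def parse_line(line):
    """Return a dict of the fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["body_bytes_sent"] = int(rec["body_bytes_sent"])
    # "$request" is "METHOD PATH PROTOCOL"; malformed requests may have fewer parts,
    # in which case the missing parts stay None instead of raising.
    parts = rec["request"].split(" ")
    rec["method"], rec["path"], rec["protocol"] = (parts + [None, None, None])[:3]
    return rec


def parse_log(text):
    """Parse all lines, skipping (and counting) those that do not match the format."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def count_status_by_client(records, status):
    """Count responses with the given status code per $remote_addr."""
    return Counter(r["remote_addr"] for r in records if r["status"] == status)


if __name__ == "__main__":
    recs, skipped = parse_log(SAMPLE_LOG)
    print(f"parsed {len(recs)} lines, skipped {skipped}")
    print("429 responses per client:", dict(count_status_by_client(recs, 429)))
```

Lines that do not match are counted rather than silently dropped: a sudden rise in the skipped count usually means the log_format was changed (or a different log was pointed at the parser), not that traffic stopped.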

Don’t Log Anything

File: /etc/nginx/http-conf.d/50_no-log.conf.

#
# Nginx Logging Configuration
#
# For debugging, temporarily include the following file in the server {} or
# location {} context:
#   include log-debug.conf;
# and reload the nginx configuration (sudo service nginx reload).

# By default we do not log access
access_log off;
log_not_found off;
log_subrequest off;

# Default error log file
# Error log levels:
#   debug | info | notice | warn | error | crit | alert | emerg
#error_log  /dev/null emerg;
error_log /var/log/nginx/error.log crit;

Compression

Brotli Compression

The file /etc/nginx/http-conf.d/60_compression_brotli.conf.

#
# Brotli Compression
#

# Enables or disables checking of the existence of pre-compressed files with .br
# extension. With the always value, pre-compressed file is used in all cases,
# without checking if the client supports it.
# Default: off
#brotli_static off;

# Enables or disables on-the-fly compression of responses.
# Default: off
brotli on;

# Enables on-the-fly compression of responses for the specified MIME types in
# addition to text/html. The special value * matches any MIME type. Responses
# with the text/html MIME type are always compressed.
# Default: text/html
brotli_types
	application/atom+xml
	application/javascript
	application/json
	application/rss+xml
	application/vnd.ms-fontobject
	application/x-font-ttf
	application/x-web-app-manifest+json
	application/xhtml+xml
	application/xml
	font/opentype
	image/svg+xml
	image/x-icon
	text/css
	text/plain
	text/x-component;

# Sets the number and size of buffers used to compress a response. By default,
# the buffer size is equal to one memory page. This is either 4k or 8k,
# depending on a platform.
# Default: 16 8k
#brotli_buffers 16 8k;

# Sets Brotli quality (compression) level. Acceptable values are in the range
# from 0 to 11.
# Default: 6
#brotli_comp_level 6;

# Sets Brotli window size. Acceptable values are
#   1k, 2k, 4k, 8k, 16k, 32k, 64k, 128k, 256k, 512k,
#   1m, 2m, 4m, 8m and 16m.
# Default: 512k
#brotli_window 512k;

# Sets the minimum length of a response that will be compressed. The length is
# determined only from the Content-Length response header field.
# Default: 20
#brotli_min_length 20;

GZip Compression

The file /etc/nginx/http-conf.d/60_compression_gzip.conf.

#
# Gzip Compression
#
# The ngx_http_gzip_module module is a filter that compresses responses using
# the “gzip” method. This often helps to reduce the size of transmitted data by
# half or even more.

# Enables or disables gzipping of responses.
# Default: off
gzip on;

# Sets the number and size of buffers used to compress a response. By default,
# the buffer size is equal to one memory page. This is either 4K or 8K,
# depending on a platform.
# Default 32bit (i386): 32 4k
# Default 64bit (x64): 16 8k
#gzip_buffers 16 8k;

# Sets a gzip compression level of a response. Acceptable values are in the
# range from 1 to 9.
# 5 is a perfect compromise between size and CPU usage, offering about
# 75% reduction for most ASCII files (almost identical to level 9).
# Default: 1
gzip_comp_level 5;

# Disables gzipping of responses for requests with “User-Agent” header fields
# matching any of the specified regular expressions.
#
# The special mask “msie6” (0.7.12) corresponds to the regular expression “MSIE
# [4-6]\.”, but works faster. Starting from version 0.8.11, “MSIE 6.0; ... SV1”
# is excluded from this mask.
# Default: <unset>
gzip_disable 'msie6';

# Sets the minimum length of a response that will be gzipped. The length is
# determined only from the “Content-Length” response header field.
#
# Don't compress anything that's already small and unlikely to shrink much
# if at all (the default is 20 bytes, which is bad as that usually leads to
# larger files after gzipping).
# Default: 20
#gzip_min_length 256;

# Sets the minimum HTTP version of a request required to compress a response.
# Default: 1.1
#gzip_http_version 1.1;

# Enables or disables gzipping of responses for proxied requests depending on
# the request and response. The fact that the request is proxied is determined
# by the presence of the “Via” request header field. The directive accepts
# multiple parameters:
#    off | expired | no-cache | no-store | private | no_last_modified |
#    no_etag | auth | any
#
# Compress data even for clients that are connecting to us via proxies,
# identified by the "Via" header (required for CloudFront).
# Default: off
gzip_proxied any;

# Enables gzipping of responses for the specified MIME types in addition to
# “text/html”. The special value “*” matches any MIME type (0.8.29).
# Responses with the “text/html” type are always compressed.
#
# Compress all output labeled with one of the following MIME-types.
# text/html is always compressed by HttpGzipModule
# Default: text/html;
gzip_types
    application/atom+xml
    application/javascript
    application/json
    application/rss+xml
    application/vnd.ms-fontobject
    application/x-font-ttf
    application/x-web-app-manifest+json
    application/xhtml+xml
    application/xml
    font/opentype
    image/svg+xml
    image/x-icon
    text/css
    text/plain
    text/x-component;

# Tell proxies to cache both the gzipped and regular version of a resource
# whenever the client's Accept-Encoding capabilities header varies;
# Avoids the issue where a non-gzip capable client (which is extremely rare
# today) would display gibberish if their proxy gave them the gzipped version.
gzip_vary on;

# This should be turned on if you are going to have pre-compressed copies
# (.gz) of static files available. If not it should be left off as it will
# cause extra I/O for the check. It is best if you enable this in a location{}
# block for a specific directory, or on an individual server{} level.
#gzip_static on;

Open Files Cache

In the file /etc/nginx/http-conf.d/60_open-file-cache.conf we set how Nginx can cache files it has opened already to save disk operations while serving requests.

Configures a cache that can store:

  • open file descriptors, their sizes and modification times;

  • information on existence of directories;

  • file lookup errors, such as “file not found”, “no permission”, and so on.

#
# Nginx Open Files Cache Configuration
#

# This tells Nginx to cache open file handles, "not found" errors, meta-data
# about files and their permissions, etc.
#
# The upside of this is that Nginx can immediately begin sending data when a
# popular file is requested, and will also know to immediately send a 404 if a
# file is missing on disk, and so on.
#
# However, it also means that the server won't react immediately to changes on
# disk, which may be undesirable.
#
# Production servers with stable file collections will definitely want to enable
# the cache.
#

# Maximum number of cached elements, before the least used (LRU) element is removed;
# Time after which unused elements are removed from the cache (default 60s).
# Default: off;
open_file_cache         max=10000 inactive=30m;

# Also cache file lookup errors like "file not found".
# Default: off;
open_file_cache_errors  on;

# Number of times any item has to be accessed to remain in the cache as active.
# Default: 1;
#open_file_cache_min_uses  1;

# Sets a time after which open_file_cache elements should be re-validated.
# Default: 60s
open_file_cache_valid   30m;

PHP Backend

The file /etc/nginx/http-conf.d/70_php-backend.conf.

#
# PHP FastCGI Process Manager (FPM)
#
upstream php-backend {

    # Unix Socket to PHP 7 FPM server
    server unix:/run/php/php7.0-fpm.sock;
}

# Number and size of the buffers used for reading a response from the
# FastCGI server.
# Default: 8 8k (1 system memory page size)
fastcgi_buffers 128 8k; # 1 MB total

FastCGI Cache

The file /etc/nginx/http-conf.d/90_fastcgi_cache.conf.

#
# fastcgi_cache Zones
# To be included outside of any "server" context.

# FastCGI cache settings for WordPress
fastcgi_cache_path
    /var/cache/nginx/wordpress_temp
    levels=1:2
    keys_zone=WORDPRESS:250m
    inactive=3M
    max_size=275m;

# FastCGI cache settings for ownCloud
# used to cache ownCloud gallery thumbnails
# https://doc.owncloud.org/server/8.2/admin_manual/configuration_server/performance_tuning/webserver_tips.html#nginx-caching-owncloud-gallery-thumbnails
fastcgi_cache_path
    /var/cache/nginx/owncloud_temp
    levels=1:2
    keys_zone=OWNCLOUD:100m
    inactive=60m;

# FastCGI cache settings for Wallabag
fastcgi_cache_path
    /var/cache/nginx/wallabag_temp
    levels=1:2
    keys_zone=WALLABAG:250m
    inactive=3M
    max_size=275m;

Tor Exit Nodes

The file /etc/nginx/http-conf.d/90_tor-exits-map.conf.

#
# Define map of currently active Tor Exit Nodes
#

map_hash_max_size 4096;
map_hash_bucket_size 128;
map $remote_addr $isTorExitNode {

    default false;
    include tor-exit-nodes.map;
}
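As an added illustration (not part of the original page, and saying nothing about where the exit-node list is obtained), the Python below turns a plain list of addresses, one per line, into the lines that tor-exit-nodes.map needs. It normalises each address to the textual form nginx places in $remote_addr (a map compares strings, so 2001:DB8:0:0:0:0:0:1 must become 2001:db8::1 or it will never match), drops duplicates and junk, refuses a list larger than the map_hash_max_size set above, and writes the file atomically so a reload never picks up a half-written map. The sample list is constructed and the function names are this example's own.

```python
import ipaddress
import os
import tempfile

MAP_HASH_MAX_SIZE = 4096  # must match map_hash_max_size in 90_tor-exits-map.conf

# Constructed sample input (not a real exit list): mixed case, duplicates, comments, junk.
SAMPLE_EXIT_LIST = """\
# one address per line
203.0.113.45
2001:DB8:0:0:0:0:0:1
203.0.113.45
not-an-ip-address
198.51.100.200   # trailing comment
"""


def build_exit_map(exit_list_text, max_entries=MAP_HASH_MAX_SIZE):
    """Return the nginx map entries ("<ip> true;") for a plain list of addresses."""
    entries, seen = [], set()
    for raw in exit_list_text.splitlines():
        token = raw.split("#", 1)[0].strip()     # strip comments and whitespace
        if not token:
            continue
        try:
            ip = ipaddress.ip_address(token)     # validates and normalises the textual form
        except ValueError:
            continue                             # ignore anything that is not an address
        if ip in seen:
            continue
        seen.add(ip)
        entries.append(f"{ip} true;")
    if len(entries) > max_entries:
        raise ValueError(
            f"{len(entries)} entries exceed map_hash_max_size {max_entries}; raise the directive first"
        )
    return entries


def write_exit_map(path, entries):
    """Write the map file atomically: nginx only ever sees the old or the complete new file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tor-exit-nodes.")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write("# generated; included from 90_tor-exits-map.conf\n")
            fh.write("\n".join(entries) + "\n")
        os.replace(tmp, path)                    # atomic rename within the same directory
    except BaseException:
        os.unlink(tmp)
        raise
    return path


def roundtrip_demo():
    """Build the map from the sample list, write it to a scratch directory, read it back."""
    with tempfile.TemporaryDirectory() as d:
        path = write_exit_map(os.path.join(d, "tor-exit-nodes.map"),
                              build_exit_map(SAMPLE_EXIT_LIST))
        with open(path) as fh:
            return [line for line in fh.read().splitlines() if not line.startswith("#")]


if __name__ == "__main__":
    for line in roundtrip_demo():
        print(line)
```

After regenerating the file, nginx has to be reloaded for the map to pick up the new entries, and a reload with an oversized map fails with a hash-size error, which is why the size check happens before anything is written.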

Default Server

The file /etc/nginx/conf.d/default.conf is installed with Nginx and usually serves a test page to show that the installation has been successful and the server is working.

However, this should be changed immediately to something more useful and secure.

First I like to rename it to make its purpose easier to recognize:

$ sudo mv /etc/nginx/conf.d/default.conf /etc/nginx/http-conf.d/99_default-site.conf

Then edit /etc/nginx/http-conf.d/99_default-server.conf as follows:

#
# Default Server catch all requests ...
#  ... without hostname
#  ... with a numeric IP-Address as hostname
#  ... to any hostname not defined elsewhere
#

# Don't send HSTS and HPKP headers, respect other/later servers on this dynamic
# address which do not have TLS/SSL enabled.
server {

    # IPv4 private address
    # Port-forwarded connections from firewall-router
    listen      192.0.2.10:80 deferred default_server bind;
    listen      192.0.2.10:443 ssl http2 deferred default_server bind;

    # Enable stapling of online certificate status protocol (OCSP) response
    include     ocsp-stapling.conf;

    # TLS certificate of signing CA (validate OCSP response when stapling)
    ssl_trusted_certificate /etc/dehydrated/certs/default_server/chain.pem;

    # OCSP stapling response file (pre-generated)
    ssl_stapling_file       /etc/dehydrated/certs/default_server/ocsp_response.der;

    # TLS certificate (chained) and key
    ssl_certificate         /etc/dehydrated/certs/default_server/fullchain.pem;
    ssl_certificate_key     /etc/dehydrated/certs/default_server/privkey.pem;

    # TLS session cache (type:name:size)
    ssl_session_cache       shared:default_server:10m;

    # TLS session ticket keys (the first one encrypts, the others only decrypt)
    ssl_session_ticket_key  /etc/nginx/tls_session_keys/default_server.1.key;
    ssl_session_ticket_key  /etc/nginx/tls_session_keys/default_server.2.key;
    ssl_session_ticket_key  /etc/nginx/tls_session_keys/default_server.3.key;

    # Public Documents Root
    root        /var/www/default_site/public_html/;

    # Allow access for Let's Encrypt to domain validation tokens
    location /.well-known/acme-challenge {
        allow all;
    }

    location / {

        # Return nothing and close connection (useful against malware).
        return 444;
    }

    # Path, format, and configuration for buffered log writes
    access_log  /var/log/nginx/default-access.log main;
    log_not_found off;
    log_subrequest off;

}

This “website” has only one purpose: immediately closing any connection made to it. Whatever connects to your IP address over HTTP or HTTPS without knowing the name of a website actually hosted here (like www.example.net) can safely be assumed to be either a malicious bot or a script kiddie probing for security holes.

The certificate and key defined here need not be valid, as normal clients will never connect here.
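The default server above lists three ssl_session_ticket_key files. nginx uses the first file to encrypt new session tickets and the remaining ones only to decrypt tickets issued earlier, so rotating the keys means writing a fresh key into the first slot and shifting the older ones down; each file has to hold 80 (or 48) bytes of random data. The Python below is an added example of that rotation (not from the page and not nginx's own tooling), written for the file names used above; nginx still has to be reloaded afterwards for the new key set to take effect. The demo_rotation function exercises it in a scratch directory rather than /etc/nginx/tls_session_keys.

```python
import os
import secrets
import stat
import tempfile

KEY_SIZE = 80  # bytes; nginx accepts 80-byte or 48-byte ticket key files


def ticket_key_paths(key_dir, base="default_server", count=3):
    """Paths in the order they are listed in the server block (.1 encrypts, the rest decrypt)."""
    return [os.path.join(key_dir, f"{base}.{i}.key") for i in range(1, count + 1)]


def rotate_ticket_keys(key_dir, base="default_server", count=3, key_size=KEY_SIZE):
    """Shift every key one slot down (the oldest drops off) and put a fresh key in slot 1."""
    paths = ticket_key_paths(key_dir, base, count)
    for i in range(count - 1, 0, -1):          # .2 -> .3, then .1 -> .2
        if os.path.exists(paths[i - 1]):
            os.replace(paths[i - 1], paths[i])
    # Write the new key to a temporary file with owner-only permissions, then
    # rename it into place so nginx never reads a partially written key.
    fd, tmp = tempfile.mkstemp(dir=key_dir, prefix=f".{base}.")
    with os.fdopen(fd, "wb") as fh:
        fh.write(secrets.token_bytes(key_size))
    os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)
    os.replace(tmp, paths[0])
    return paths


def check_ticket_keys(paths):
    """True if every existing key file has a valid size and no two keys are identical."""
    keys = []
    for p in paths:
        if os.path.exists(p):
            with open(p, "rb") as fh:
                keys.append(fh.read())
    return bool(keys) and all(len(k) in (48, 80) for k in keys) and len(set(keys)) == len(keys)


def demo_rotation():
    """Rotate twice in a scratch directory and report what moved where."""
    with tempfile.TemporaryDirectory() as d:
        paths = rotate_ticket_keys(d)
        with open(paths[0], "rb") as fh:
            first_key = fh.read()
        rotate_ticket_keys(d)
        with open(paths[0], "rb") as fh:
            new_key = fh.read()
        with open(paths[1], "rb") as fh:
            shifted_key = fh.read()
        return {
            "slot1_size": len(new_key),
            "old_key_moved_to_slot2": shifted_key == first_key,
            "new_key_is_fresh": new_key != first_key,
            "slot3_exists": os.path.exists(paths[2]),
            "keys_valid": check_ticket_keys(paths),
        }


if __name__ == "__main__":
    print(demo_rotation())
```

Because tickets encrypted under a key stay decryptable for as long as that key remains in the list, the rotation period times the number of slots bounds how long a stolen ticket key can be used to recover recorded sessions; with ssl_session_timeout set to 1d above, a daily rotation with three slots keeps every accepted ticket within that window.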