user www-data;

# detect based on available CPU cores
worker_processes  auto;

# this is 4096 by default. See /proc/<PID>/limits and /etc/security/limits.conf
# usually twice the worker_connections (one for uptsream, one for downstream)
# see also LimitNOFILE=16384 in systemd drop-in
worker_rlimit_nofile 8192; 

pid /run/nginx.pid;

events {
    # a single worker has these many simultaneous connections max
    worker_connections  4096;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    # the collectd config depends on this log format
    log_format combined2 '$remote_addr - [$time_local] '
        '"$request" $status $body_bytes_sent $request_time '
        '"$http_referer" "$host" "$http_user_agent"';

    # required for long host names
    server_names_hash_bucket_size 128;

    access_log /var/log/nginx/access.log combined2;

    sendfile        on;

    # timeout for client to finish sending headers
    client_header_timeout 30s;

    # timeout for reading client request body (successive read timeout and not whole body!)
    client_body_timeout 60s;

    # keep-alive connections timeout in 65s. this is because many browsers timeout in 60 seconds
    keepalive_timeout  65s;

    # zones for rate limiting
    limit_req_zone $binary_remote_addr zone=admin_login:10m rate=10r/s; # 10 request a second


    # default http server that returns 404 for any domain we are not listening on
    server {
        listen      80 default_server;
        listen      [::]:80 default_server;
        server_name does_not_match_anything;

        # acme challenges (for app installation and re-configure when the vhost config does not exist)
        location /.well-known/acme-challenge/ {
            default_type text/plain;
            alias /home/yellowtent/platformdata/acme/;
        }

        location / {
            return 404;
        }
    }

    include applications/*.conf;
}