Replace debian stock nginx with custom optimized nginx

etc/nginx/fastcgi.conf

@@ -28,4 +28,5 @@ fastcgi_param  REDIRECT_STATUS    200;
 fastcgi_param HTTP_PROXY "";
 
 #running in chroots
-fastcgi_param SCRIPT_FILENAME /www/$fastcgi_script_name;
+fastcgi_param DOCUMENT_ROOT /www;
+fastcgi_param SCRIPT_FILENAME /www$fastcgi_script_name;

etc/nginx/nginx.conf

@@ -1,7 +1,6 @@
 user www-data;
 worker_processes auto;
 pid /run/nginx.pid;
-include /etc/nginx/modules-enabled/*.conf;
 pcre_jit on;
 worker_rlimit_nofile 30000;
 
@@ -76,8 +75,6 @@ http {
 	##
 
 	gzip on;
-	gzip_disable "msie6";
-
 	gzip_vary on;
 	gzip_proxied any;
 	gzip_comp_level 6;
@@ -85,6 +82,9 @@ http {
 	# gzip_http_version 1.1;
 	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
 
+	brotli on;
+	brotli_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
+
 	fastcgi_index index.php;
 	fastcgi_read_timeout 30m;
 	fastcgi_max_temp_file_size 0;
@@ -94,6 +94,17 @@ http {
 	fastcgi_cache_path /tmp/nginx/ levels=2 keys_zone=fcache:5m inactive=1h max_size=1G;
 	fastcgi_cache_key $host$request_uri;
 
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_prefer_server_ciphers on;
+	ssl_ecdh_curve X448:X25519:secp521r1:secp384r1:prime256v1;
+	ssl_ciphers HIGH:!PSK:!RSA:!aNULL:!MD5:!SHA:!CAMELLIA:!AES+SHA256:!AES+SHA384;
+	ssl_session_cache shared:SSL:10m;
+	ssl_stapling on;
+	ssl_stapling_verify on;
+#	ssl_certificate /etc/acme.sh/hosting.danwin1210.me_ecc/fullchain.cer;
+#	ssl_certificate_key /etc/acme.sh/hosting.danwin1210.me_ecc/hosting.danwin1210.me.key;
+#	ssl_dhparam /etc/nginx/dh4096.pem;
+
 	##
 	# Virtual Host Configs
 	##

etc/nginx/snippets/fastcgi-php.conf

@@ -1,5 +1,5 @@
 # regex to split $uri to $fastcgi_script_name and $fastcgi_path
-fastcgi_split_path_info ^(.+\.php)(/.+)$;
+fastcgi_split_path_info ^(.+\.php)(/.*)$;
 
 # Check that the PHP script exists before passing it
 try_files $fastcgi_script_name =404;

etc/systemd/system/nginx.service

@@ -1,11 +1,19 @@
+[Unit]
+Description=A high performance web server and a reverse proxy server
+After=network.target nss-lookup.target
+
 [Service]
+Type=forking
+PIDFile=/run/nginx.pid
 LimitNOFILE=100000
 TimeoutStartSec=600
-ExecStop=
+TimeoutStopSec=5
+KillMode=mixed
 ExecStop=-/sbin/start-stop-daemon --quiet --stop --pidfile /run/nginx.pid
-ExecStartPre=
-ExecStartPre=/usr/bin/install -Z -m 02755 -o www-data -g www-data -d /var/run/nginx
+ExecStartPre=/usr/bin/install -Z -m 02755 -o www-data -g www-data -d /run/nginx
 ExecStartPre=/usr/sbin/nginx -t -q -g 'daemon on; master_process on;'
+ExecStart=/usr/sbin/nginx -g 'daemon on; master_process on;'
+ExecReload=/usr/sbin/nginx -g 'daemon on; master_process on;' -s reload
 ProtectSystem=strict
 PrivateTmp=true
 NoNewPrivileges=true
@@ -17,7 +25,9 @@ LockPersonality=true
 SystemCallArchitectures=native
 BindPaths=/var/log/nginx/
 BindPaths=/var/lib/nginx/
-BindPaths=/var/run/
 BindPaths=/var/www/var/run/
 BindPaths=/run/
 InaccessiblePaths=/root/
+
+[Install]
+WantedBy=multi-user.target