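## Reverse-proxy, header and TLS settings. The file is a Jinja template that is
## rendered before being parsed as YAML; the `{% ... %}` lines are kept at
## column 0 so they leave nothing but empty lines behind once rendered.
##
## Environment switches read by the template (values as compared below):
##   NGX_HTTP_TRANSPARENT_PROXY  '0' = rewrite Host / X-Real-IP / Forwarded for
##                               the backend and emit the response security
##                               headers; '1' = pass the client Host through and
##                               clear X-Real-IP / Forwarded
##   NGX_HTTP_X_FORWARDED        'pass' = set the X-Forwarded-* headers,
##                               'remove' = clear them
##
## Values beginning with '$' are Angie/nginx variables and are single-quoted so
## YAML never interprets them.

## Requests carrying any of these headers are not answered from the shared
## cache (presumably feeds proxy_cache_bypass — per-user, no-cache and
## connection-upgrade traffic must not be served from a cached entry).
cache_bypass:
  - '$http_authorization'
  - '$http_pragma'
  - '$http_upgrade'

## Response content types eligible for compression.
## NOTE(review): compressing dynamic responses that reflect user input next to
## a secret has BREACH implications; confirm which of these types are served
## for authenticated dynamic content rather than static assets.
compress_types:
  - application/atom+xml
  - application/javascript
  - application/json
  - application/vnd.api+json
  - application/rss+xml
  - application/x-javascript
  - application/xhtml+xml
  - application/xml
  - image/svg+xml
  - image/x-icon
  - text/css
  - text/javascript
  - text/plain
  - text/xml

## Headers sent to the upstream. Both groups below live under this single key:
## a second `request_headers:` mapping would be a duplicate key, which is
## invalid YAML and silently last-wins on most loaders — the transparent-proxy
## group (Host / X-Real-IP / Forwarded) would be dropped. An empty value clears
## the header, as with proxy_set_header.
request_headers:
{% if env.NGX_HTTP_TRANSPARENT_PROXY == '0' %}
  Host: '$proxy_host'
  X-Real-IP: '$remote_addr'
  ## '$proxy_add_forwarded' is defined in /angie/autoconf.dist/http-request-headers-forwarded.conf
  Forwarded: '$proxy_add_forwarded'
{% elif env.NGX_HTTP_TRANSPARENT_PROXY == '1' %}
  Host: '$host'
  X-Real-IP: ''
  Forwarded: ''
{% endif %}
  ## do not pass Accept-Encoding to backend
  Accept-Encoding: ""
  ## '$req_accept' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
  Accept: '$req_accept'
  ## '$req_connection' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
  Connection: '$req_connection'
  Upgrade: '$http_upgrade'
  ## tells the backend when the request arrived as TLS 1.3 0-RTT data so it can
  ## reject non-idempotent requests that may have been replayed (RFC 8470)
  Early-Data: '$ssl_early_data'
  ## '$req_user_agent' is defined in /angie/autoconf.dist/http-request-headers-basic.conf.j2
  User-Agent: '$req_user_agent'
{% if env.NGX_HTTP_X_FORWARDED == 'pass' %}
  X-Forwarded-Proto: '$scheme'
  X-Forwarded-Host: '$host'
  X-Forwarded-Port: '$server_port'
  X-Forwarded-For: '$proxy_add_x_forwarded_for'
{% elif env.NGX_HTTP_X_FORWARDED == 'remove' %}
  X-Forwarded-Proto: ''
  X-Forwarded-Host: ''
  X-Forwarded-Port: ''
  X-Forwarded-For: ''
{% endif %}

## Security headers added to responses. Only rendered when
## NGX_HTTP_TRANSPARENT_PROXY == '0'; in every other case the key is left with
## no entries (a bare `response_headers:` parses as null, not as an empty map).
response_headers:
{% if env.NGX_HTTP_TRANSPARENT_PROXY == '0' %}
  ## folded scalar: the line breaks become single spaces, so the rendered
  ## value is one comma-separated directive list
  Permissions-Policy: >-
    accelerometer=(), autoplay=(), browsing-topics=(), camera=(),
    clipboard-read=(), clipboard-write=(), geolocation=(), gyroscope=(),
    hid=(), interest-cohort=(), magnetometer=(), microphone=(), payment=(),
    publickey-credentials-get=(), screen-wake-lock=(), serial=(),
    sync-xhr=(), usb=()
  ## NOTE(review): browsers now default to strict-origin-when-cross-origin;
  ## no-referrer-when-downgrade still sends the full URL to cross-origin
  ## HTTPS destinations. Kept as configured.
  Referrer-Policy: "no-referrer-when-downgrade"
  ## NOTE(review): the `preload` token is ignored by the hstspreload.org
  ## submission process below max-age=31536000 (one year); 15724800 is about
  ## 182 days. Kept as configured.
  Strict-Transport-Security: "max-age=15724800; includeSubDomains; preload"
  X-Content-Type-Options: "nosniff"
  X-Frame-Options: "SAMEORIGIN"
  ## NOTE(review): current browsers have removed the XSS auditor and OWASP now
  ## advises `0` (or omitting the header) because the filter itself created
  ## side channels. Kept as configured.
  X-XSS-Protection: "1; mode=block"
{% endif %}

tls:
  ## https://docs.openssl.org/3.0/man3/SSL_CONF_cmd/#supported-configuration-file-commands
  conf_cmd:
    ## let a client that lists a ChaCha20 suite first (typically no AES
    ## hardware) get ChaCha20 even when the server prefers AES-GCM
    Options: PrioritizeChaCha
  stapling:
    enable: false
    verify: true
  ## The three tiers appear to mirror the Mozilla server-side TLS guideline
  ## profiles. `on`/`off` are the literal nginx directive values; NOTE(review):
  ## a YAML 1.1 loader (e.g. PyYAML) turns them into booleans — confirm the
  ## consumer renders booleans back to on/off, otherwise quote them ('off').
  profiles:
    modern:
      protocols: TLSv1.3
      #prefer_server_ciphers: off
      session_tickets: off
      session_timeout: 1d
    intermediate:
      protocols: TLSv1.2 TLSv1.3
      #prefer_server_ciphers: off
      ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
      ## RFC 7919 finite-field group used by the DHE suites above
      dhparam: tls.d/ffdhe2048.pem
      session_tickets: off
      session_timeout: 1d
    ## Legacy-compatibility tier: TLS 1.0/1.1 are deprecated (RFC 8996), the
    ## CBC/SHA-1 suites, 3DES (DES-CBC3-SHA) and the 1024-bit DH group are
    ## weak. Select it only when a required client cannot negotiate anything
    ## newer, and keep the server-preferred ordering so such clients still get
    ## the strongest suite they support.
    old:
      protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
      prefer_server_ciphers: on
      ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
      dhparam: tls.d/dh1024.pem
      session_tickets: off
      session_timeout: 1d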