cache_bypass:
  - '$http_authorization'
  - '$http_pragma'
  - '$http_upgrade'

compress_types:
  - application/atom+xml
  - application/javascript
  - application/json
  - application/vnd.api+json
  - application/rss+xml
  - application/x-javascript
  - application/xhtml+xml
  - application/xml
  - image/svg+xml
  - image/x-icon
  - text/css
  - text/javascript
  - text/plain
  - text/xml

request_headers:
  ## '$req_connection' is defined in /angie/autoconf/http-request-headers-basic.conf.j2
  Connection: '$req_connection'
  Upgrade: '$http_upgrade'
  ## do not pass Accept-Encoding to backend
  Accept-Encoding: ""
  ## almost all browsers doesn't support this
 #Early-Data: '$ssl_early_data'
  Early-Data: ""

response_headers: {}

tls:
  ## https://docs.openssl.org/3.0/man3/SSL_CONF_cmd/#supported-configuration-file-commands
  conf_cmd:
    Options: PrioritizeChaCha
  stapling:
    enable: false
    verify: true
  profiles:
    modern:
      protocols: TLSv1.3
     #prefer_server_ciphers: off
      session_tickets: off
      session_timeout: 1d
    intermediate:
      protocols: TLSv1.2 TLSv1.3
     #prefer_server_ciphers: off
      ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
      dhparam: tls/ffdhe2048.pem
      session_tickets: off
      session_timeout: 1d
    old:
      protocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
      prefer_server_ciphers: on
      ciphers: ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA
      dhparam: tls/dh1024.pem
      session_tickets: off
      session_timeout: 1d

## well-known values are:
## - 'off'             - don't use "realip" module
## - 'proxy_protocol'  - get information from PROXY protocol if listen directive has "proxy_protocol" option
## - 'X-Forwarded-For' - get information from 'X-Forwarded-For' header
## - 'X-Real-IP'       - get information from 'X-Real-IP' header
## any other value will be treated as uncommon (but valid?) header
real_ip_from: off
## list of trusted sources to be used in "realip" module
## ref: https://en.angie.software/angie/docs/configuration/modules/http/http_realip/
## if empty, defaults to "unix:"
trusted_sources: []