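# nginx main configuration.
#
# Layout: a stream{} front door on *:443 inspects the TLS ClientHello
# (ssl_preread) and forwards the still-encrypted connection by SNI name to
# either the local HTTPS server on 127.0.0.1:4443 or a TURN relay on
# 127.0.0.1:3478. The http{} block terminates TLS on 127.0.0.1:4443 and
# serves the virtual hosts pulled in from /etc/nginx/hosts/*.conf.

user nginx nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
    use epoll;
}

stream {
    # Backends selected by the SNI map below. Both are loopback-only.
    upstream www {
        server 127.0.0.1:4443;
    }

    upstream turn {
        server 127.0.0.1:3478;
    }

    # Route on the (unencrypted) SNI name carried in the ClientHello. TLS is
    # not terminated here; the chosen backend does that. Unknown or absent
    # SNI falls through to the web backend.
    map $ssl_preread_server_name $upstream {
        om.example.org   www;
        turn.example.org turn;
        default          www;
    }

    # Alternative routing by ALPN protocol, kept for reference (disabled):
    # map $ssl_preread_alpn_protocols $upstream {
    #     ~\bh2\b       www;
    #     ~\bhttp/1.1\b www;
    #     default       turn;
    # }

    server {
        listen *:443;
        ssl_preread on;
        proxy_pass $upstream;
        # NOTE(review): this buffer is allocated per proxied connection;
        # 10m is far above the module default — confirm the size is intended.
        proxy_buffer_size 10m;
    }
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    # NOTE(review): 10-minute header/body/send timeouts let a single slow
    # client hold a worker connection for a long time — confirm intended.
    client_header_timeout 10m;
    client_body_timeout 10m;
    send_timeout 10m;

    connection_pool_size 256;
    client_header_buffer_size 16k;
    large_client_header_buffers 4 16k;
    request_pool_size 16k;

    # Response compression is limited to text/plain bodies.
    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 8k;
    gzip_types text/plain;

    output_buffers 1 32k;
    postpone_output 1460;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    # Do not advertise the nginx version; drop headers with underscores or
    # otherwise invalid names instead of passing them to applications.
    server_tokens off;
    underscores_in_headers off;
    ignore_invalid_headers on;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    index index.html;

    # Catch-all server for requests that match no host in hosts/*.conf.
    # 127.0.0.1:4443 receives the connections the stream{} block forwards
    # from *:443 and terminates TLS for them.
    server {
        listen *:80 default_server;
        listen 127.0.0.1:4443 default_server ssl http2;
        server_name unknown;

        ssl_certificate /etc/nginx/ssl/om.example.org.pem;
        ssl_certificate_key /etc/nginx/ssl/om.example.org.key;

        # Only one ssl_protocols directive is allowed per context. The original
        # file declared it twice (the second copy re-enabling TLSv1/TLSv1.1),
        # which nginx rejects as a duplicate directive at load time; keep the
        # single modern set.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Applies to TLS 1.2 only; TLS 1.3 suites are not governed by this list.
        # NOTE(review): the tail of the list still allows SHA-1 CBC suites —
        # review whether those legacy clients are still required.
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 5m;

        root /var/www;
    }

    include /etc/nginx/hosts/*.conf;
}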