disable keepalive by default

No need for keepalive for the internal socket.

nginx/nginx.conf

@@ -26,7 +26,7 @@ http {
     sendfile_max_chunk 256k;
     tcp_nopush on;
     keepalive_requests 256;
-    keepalive_timeout 3m;
+    keepalive_timeout 0;
     server_tokens off;
     msie_padding off;
 
@@ -97,8 +97,6 @@ http {
         listen 80 default_server backlog=4096;
         listen [::]:80 default_server backlog=4096;
 
-        keepalive_timeout 0;
-
         # https://trac.nginx.org/nginx/ticket/2012
         location / {
             return 404;
@@ -110,8 +108,6 @@ http {
         listen [::]:80;
         server_name matrix.grapheneos.org element.grapheneos.org;
 
-        keepalive_timeout 0;
-
         location /.well-known/acme-challenge/ {
             root /srv/certbot;
         }
@@ -126,8 +122,6 @@ http {
         listen [::]:443 default_server ssl http2 backlog=4096;
         ssl_reject_handshake on;
 
-        keepalive_timeout 0;
-
         # https://trac.nginx.org/nginx/ticket/2012
         location / {
             return 404;
@@ -139,6 +133,8 @@ http {
         listen [::]:443 ssl http2;
         server_name matrix.grapheneos.org;
 
+        keepalive_timeout 3m;
+
         include snippets/security-headers.conf;
         add_header Cross-Origin-Resource-Policy "same-origin" always;
         add_header Content-Security-Policy "font-src 'none'; manifest-src 'none'; object-src 'none'; script-src 'none'; style-src 'none'; frame-ancestors 'none'" always;
@@ -184,6 +180,8 @@ http {
 
         include root_element.grapheneos.org.conf;
 
+        keepalive_timeout 3m;
+
         include snippets/security-headers.conf;
         add_header Cross-Origin-Resource-Policy "cross-origin" always;
         add_header Content-Security-Policy "font-src 'self'; manifest-src 'self'; object-src 'none'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'" always;