diff --git a/docs/assets/nginx.conf b/docs/assets/nginx.conf index 6b7bb4f..bf1814f 100644 --- a/docs/assets/nginx.conf +++ b/docs/assets/nginx.conf @@ -3,23 +3,16 @@ pid /var/run/nginx.pid; worker_processes auto; -worker_rlimit_nofile 300000; # needs to be < ulimit -n +worker_cpu_affinity auto; +worker_rlimit_nofile 80100; # ensures that OS limit is correct. Every client may use up to 3. + something for logs error_log /data/nginx/logs/nginx-error.log warn; events { - worker_connections 40000; - multi_accept off; # very important, otherwise one worker might get all the connections + worker_connections 40000; # 1 per client, 1 per upstream } http { - # aggressive caching for read-only sources - open_file_cache max=1000000 inactive=60m; - open_file_cache_valid 60m; - open_file_cache_min_uses 1; - open_file_cache_errors on; - - server_tokens off; include /etc/nginx/mime.types; types { @@ -29,16 +22,16 @@ http { charset utf-8; - sendfile on; + sendfile on; # effectively disabled by ssl, gzip or any other CPU related tasks tcp_nopush on; tcp_nodelay on; reset_timedout_connection on; - send_timeout 20; + send_timeout 2; # timeout between write()'s. Behind a CDN even 1s is a rather high timeout. max_ranges 0; - gzip on; + gzip on; # effectively disables sendfile gzip_comp_level 1; gzip_types application/json application/x-protobuf; @@ -225,20 +218,18 @@ map "" $empty { } server { - listen 80 default_server; - listen [::]:80 default_server; + listen 80 reuseport default_server; + listen [::]:80 reuseport default_server; - listen 443 ssl default_server; - listen [::]:443 ssl default_server; + listen 443 ssl reuseport default_server; + listen [::]:443 ssl reuseport default_server; http2 on; server_name _; - ssl_ciphers aNULL; - ssl_certificate /etc/nginx/ssl/dummy.crt; - ssl_certificate_key /etc/nginx/ssl/dummy.key; + ssl_reject_handshake on; - return 444; + return 204; } # configuration file /data/nginx/sites/ofm_roundrobin.conf: 
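Review bot: `server_tokens off;` disappears from the http{} context along with the open_file_cache block, and nothing on the new side sets it again; unless an included file does, nginx falls back to its default of `server_tokens on` and advertises its version in the `Server` header and on built-in error pages. Keep the line: `server_tokens off;`. The corresponding hunk in ssh_lib/assets/nginx/nginx.conf appears to drop it as well, although the collapsed diff leaves that ambiguous there. Separately, the new `worker_rlimit_nofile 80100` comment says each client may use up to 3 descriptors, while the events{} comment says `1 per client, 1 per upstream` and the value itself matches 2 × 40000 + 100; align the two comments so the sizing rule is stated once, unambiguously.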
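Review bot: `reuseport` is now set on the catch-all server's listen directives for 0.0.0.0:80, [::]:80, 0.0.0.0:443 and [::]:443, and the ofm_roundrobin server block further down in this same file adds `reuseport` to the same address:port pairs; nginx only accepts socket-level listen parameters such as reuseport once per address:port and, as far as I recall, rejects such a configuration with "duplicate listen options", so `nginx -t` against the combined file should be run before this lands. The usual fix is to keep `reuseport` on one listen per address:port (for instance the default_server ones) and drop it from the others: `listen 80;`, `listen 443 ssl;`, `listen [::]:443 ssl;`. The same pairing is in ssh_lib/assets/nginx/default_disable.conf, whose site configs are outside this diff. Replacing the aNULL dummy certificate with `ssl_reject_handshake on` is the right move, but `return 204` turns the catch-all into a success response for any unmatched Host header, including plain HTTP on port 80; if that is deliberate (for example to satisfy a load-balancer health check) say so in a comment, otherwise prefer `return 444;` or a 4xx so misrouted traffic and scanners are not told the vhost exists.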
@@ -247,11 +238,14 @@ server { # ssl: https://ssl-config.mozilla.org / intermediate config - listen 80; - listen 443 ssl; - listen [::]:443 ssl; + listen 80 reuseport ; + listen 443 ssl reuseport ; + listen [::]:443 ssl reuseport ; http2 on; + keepalive_time 1h; # default is 1h, if there is CDN in front of the server - increase the time a connection lives + keepalive_requests 100000; # default is 1000, which is rather low + ssl_certificate /data/nginx/certs/ofm_roundrobin.cert; ssl_certificate_key /data/nginx/certs/ofm_roundrobin.key; @@ -264,7 +258,7 @@ server { # intermediate configuration ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; - ssl_prefer_server_ciphers off; + #ssl_prefer_server_ciphers off; # default is "off" # access log doesn't contain IP address access_log off; diff --git a/ssh_lib/assets/nginx/default_disable.conf b/ssh_lib/assets/nginx/default_disable.conf index 2aac0df..79f988a 100644 --- a/ssh_lib/assets/nginx/default_disable.conf +++ b/ssh_lib/assets/nginx/default_disable.conf @@ -3,18 +3,15 @@ map "" $empty { } server { - listen 80 default_server; - listen [::]:80 default_server; + listen 80 reuseport default_server; + listen [::]:80 reuseport default_server; - listen 443 ssl default_server; - listen [::]:443 ssl default_server; + listen 443 ssl reuseport default_server; + listen [::]:443 ssl reuseport default_server; http2 on; server_name _; - ssl_ciphers aNULL; - ssl_certificate /etc/nginx/ssl/dummy.cert; - ssl_certificate_key /etc/nginx/ssl/dummy.key; - - return 444; + ssl_reject_handshake on; + return 204; } diff --git a/ssh_lib/assets/nginx/nginx.conf b/ssh_lib/assets/nginx/nginx.conf index ab5afc0..216dc8b 100644 --- a/ssh_lib/assets/nginx/nginx.conf +++ b/ssh_lib/assets/nginx/nginx.conf 
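Review bot: The three rewritten listen lines carry a stray space before the terminating semicolon (`listen 80 reuseport ;`), which nginx tolerates but which reads like an editing leftover; write them as `listen 80 reuseport;`, `listen 443 ssl reuseport;`, `listen [::]:443 ssl reuseport;`. `keepalive_time 1h;` restates the default, as its own comment admits, while the comment then suggests increasing it behind a CDN; either raise the value or reword the comment so it says the default is being pinned on purpose.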
@@ -5,22 +5,16 @@ pid /var/run/nginx.pid; # universal worker_processes auto; -worker_rlimit_nofile 300000; # needs to be < ulimit -n +worker_cpu_affinity auto; +worker_rlimit_nofile 80100; # ensures that OS limits are correct error_log /data/nginx/logs/nginx-error.log warn; events { worker_connections 40000; - multi_accept off; # very important, otherwise one worker might get all the connections } http { - # aggressive caching for read-only sources - open_file_cache max=1000000 inactive=60m; - open_file_cache_valid 60m; - open_file_cache_min_uses 1; - open_file_cache_errors on; - server_tokens off; include /etc/nginx/mime.types;