diff --git a/etc/nginx/fastcgi_cache b/etc/nginx/fastcgi_cache
index cdf6b19..d4ebdf4 100644
--- a/etc/nginx/fastcgi_cache
+++ b/etc/nginx/fastcgi_cache
@@ -18,8 +18,8 @@ log_format cache '$remote_addr - $upstream_cache_status [$time_local] '
 # Purge cache for request method.
 map $request_method $purge_method {
- PURGE 1;
 default 0;
+ PURGE 1;
 }
 # Skip caching for request method.
diff --git a/etc/nginx/fastcgi_https_map b/etc/nginx/fastcgi_https_map
index 5b21ef9..9075f03 100644
--- a/etc/nginx/fastcgi_https_map
+++ b/etc/nginx/fastcgi_https_map
@@ -5,3 +5,8 @@ map $scheme $server_https {
 default off;
 https on;
 }
+
+map $http_x_forwarded_proto $proto_https {
+ default $scheme;
+ https https;
+}
diff --git a/etc/nginx/fastcgi_params b/etc/nginx/fastcgi_params
index c1c5bb3..e78e2ad 100644
--- a/etc/nginx/fastcgi_params
+++ b/etc/nginx/fastcgi_params
@@ -3,7 +3,8 @@
 # Comment out HTTPS line for PHP behind SSL https.
 #fastcgi_param HTTPS on; # old pre .03 method
-#fastcgi_param HTTPS $server_https; # new .04+ map method
+fastcgi_param HTTPS $server_https; # new .04+ map method
+fastcgi_param HTTP_X_FORWARDED_PROTO $proto_https;
 # Comment out PATH_TRANSLATED line if /etc/php5/fpm/php.ini sets following:
 # cgi.fix_pathinfo=0
diff --git a/etc/nginx/http_proxy_ips b/etc/nginx/http_proxy_ips
index f2fe497..0dced64 100644
--- a/etc/nginx/http_proxy_ips
+++ b/etc/nginx/http_proxy_ips
@@ -1,6 +1,6 @@
 ## Designed to be included to /etc/nginx/nginx.conf http{} or server{} block
-# Varnish HTTP Accelerator
+# HTTP Accelerator or Load Balancer.
 set_real_ip_from 127.0.0.1/32;
 # Header
diff --git a/etc/nginx/includes/compression_brotli.conf b/etc/nginx/includes/compression_brotli.conf
index 92b0ee0..8b4b853 100644
--- a/etc/nginx/includes/compression_brotli.conf
+++ b/etc/nginx/includes/compression_brotli.conf
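Review bot: The new `$proto_https` map in fastcgi_https_map forwards a client-controlled request header unconditionally: on a plaintext request any client can send `X-Forwarded-Proto: https` and PHP receives `HTTP_X_FORWARDED_PROTO=https` (set in the fastcgi_params hunk), which is exactly the variable many PHP frameworks consult to decide the request is secure, so they may mark cookies Secure or skip their HTTPS redirect while talking plain HTTP. The header is only meaningful when it was set by one of the proxies listed in http_proxy_ips (`set_real_ip_from 127.0.0.1/32`), so it should collapse to `$scheme` for everyone else, for example with the `geo`/`map` pair below keyed on `$realip_remote_addr` (the real TCP peer, since realip rewrites `$remote_addr`). Also, `HTTPS` is still taken from `$server_https`, i.e. from `$scheme` alone, so behind a TLS-terminating proxy the two parameters disagree (`HTTPS=off` next to `HTTP_X_FORWARDED_PROTO=https`); a comment in fastcgi_params saying which one the application is expected to trust would avoid that surprise.
```nginx
# Trust X-Forwarded-Proto only when it comes from a proxy listed in http_proxy_ips.
geo $realip_remote_addr $trusted_proxy {
    default      0;
    127.0.0.1/32 1;
}

map "$trusted_proxy:$http_x_forwarded_proto" $proto_https {
    default   $scheme;
    "1:https" https;
}
```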
@@ -66,9 +66,9 @@ brotli_buffers 16 8k;
 brotli_window 512k;
 # Up the minimum length a little to account for gzip overhead
-# this means anything smaller than 1024 bytes won't be compressed.
+# this means anything smaller than 256 bytes won't be compressed.
 # The default is 20 bytes, which is sooo tiny it's a waste to compress.
-brotli_min_length 1024;
+brotli_min_length 256;
 # Custom header.
 add_header X-Powered-By "LEMPer/Brotli";
diff --git a/etc/nginx/includes/compression_gzip.conf b/etc/nginx/includes/compression_gzip.conf
index f308621..c58ca38 100644
--- a/etc/nginx/includes/compression_gzip.conf
+++ b/etc/nginx/includes/compression_gzip.conf
@@ -79,9 +79,9 @@ gzip_vary on;
 gzip_buffers 16 8k;
 # Up the minimum length a little to account for gzip overhead
-# this means anything smaller than 1024 bytes won't be compressed.
+# this means anything smaller than 256 bytes won't be compressed.
 # The default is 20 bytes, which is sooo tiny it's a waste to compress.
-gzip_min_length 1024;
+gzip_min_length 256;
 # Custom header.
 add_header X-Powered-By "LEMPer/Gzip";
diff --git a/etc/nginx/includes/fastcgi_cache.conf b/etc/nginx/includes/fastcgi_cache.conf
index 708ec4f..f28004e 100644
--- a/etc/nginx/includes/fastcgi_cache.conf
+++ b/etc/nginx/includes/fastcgi_cache.conf
@@ -16,8 +16,8 @@ fastcgi_no_cache $http_pragma $http_authorization;
 fastcgi_cache_purge $purge_method;
-# Ignore header
-fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
+# Ignore header (Added Pragma, crosscheck first)
+fastcgi_ignore_headers Cache-Control Expires Pragma Set-Cookie;
 # Header status
 add_header X-FastCGI-Cache $upstream_cache_status;
diff --git a/etc/nginx/includes/ssl.conf b/etc/nginx/includes/ssl.conf
index a1f3428..ffefe3f 100644
--- a/etc/nginx/includes/ssl.conf
+++ b/etc/nginx/includes/ssl.conf
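Review bot: The comment rewritten in this hunk (and its twin in the compression_gzip.conf hunk) describes `brotli_min_length 256` as a hard size cutoff, but for `gzip_min_length` nginx takes the length only from the response's Content-Length header, so FastCGI and other chunked responses are compressed whatever the value; ngx_brotli presumably mirrors that (worth confirming), and the brotli copy still says `gzip overhead`. Suggest `# this means anything smaller than 256 bytes won't be compressed (only applies to responses that carry a Content-Length header).` in both files, and `brotli overhead` instead of `gzip overhead` in the brotli file.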
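Review bot: `Pragma` is not an accepted value for `fastcgi_ignore_headers` (the directive only takes X-Accel-Redirect, X-Accel-Expires, X-Accel-Limit-Rate, X-Accel-Buffering, X-Accel-Charset, Expires, Cache-Control, Set-Cookie and Vary), so as far as I can tell this line will be rejected by `nginx -t` as an invalid value, and the 'crosscheck first' comment was justified. The cache never consults a response `Pragma` header in the first place; the request-side `$http_pragma` in the `fastcgi_no_cache` context line is what already bypasses it. Suggest reverting to `fastcgi_ignore_headers Cache-Control Expires Set-Cookie;` and replacing the comment with `# Ignore upstream cache headers (a response Pragma header is not honored by the cache and cannot be listed here).`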
@@ -1,8 +1,10 @@
 # Enables SSL (deprecated on http2).
 #ssl on;
+# --- Common definitions for HTTPS content --- #
+
 # Optimize SSL by caching session parameters for 10 minutes. This cuts down on the number of expensive SSL handshakes.
-ssl_session_cache shared:LEMPer_SSL:10m; # a 1mb cache can hold about 4000 sessions
+ssl_session_cache shared:LEMPer_SSL:50m; # a 1mb cache can hold about 4000 sessions
 ssl_session_timeout 1d;
 # SSL buffer size was added in 1.5.9
@@ -14,25 +16,33 @@ ssl_session_tickets off;
 # Diffie-Hellman parameter for DHE ciphersuites, minimum recommendation 2048 bits.
 ssl_dhparam /etc/nginx/ssl/dhparam-2048.pem;
-# If you need to support older browsers (IE6) you may need to add
-# SSLv2 SSLv3 TLSv1 TLSv1.1 to the list of protocols below.
-ssl_protocols TLSv1.2 TLSv1.3;
+# --- Protocols & Ciphers [start] --- #
-# Enables server-side protection from BEAST attacks.
-# http://blog.ivanristic.com/2013/09/is-beast-still-a-threat.html
+# Maximum client support [enabled by default]
+# Supports Firefox 1, Android 2.3, Chrome 1, Edge 12, IE8 on Windows XP, Java 6, OpenSSL 0.9.8, Opera 5 & Safari 1
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
 ssl_prefer_server_ciphers on;
-# Ciphers set to best allow protection from Beast, while providing forwarding secrecy,
-# as defined by Mozilla (Intermediate Set) - https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
-ssl_ciphers 
"EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; +# Intermediate client support [disabled by default] +# Supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20 & Safari 9 +#ssl_protocols TLSv1.2 TLSv1.3; +#ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; +#ssl_prefer_server_ciphers off; + +# Modern client support [disabled by default] +# Supports Firefox 63, Android 10.0, Chrome 70, Edge 75, Java 11, OpenSSL 1.1.1, Opera 57 & Safari 12.1 +#ssl_protocols TLSv1.3; +#ssl_ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 +#ssl_prefer_server_ciphers off; # Specifies a curve for ECDHE ciphers, default is auto. ssl_ecdh_curve prime256v1:secp384r1; # Enable OCSP stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner) # http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ -ssl_stapling on; -ssl_stapling_verify on; +#ssl_stapling on; +#ssl_stapling_verify on; # Reduce SSL buffer size. ssl_buffer_size 4k; # Default = 16k 
@@ -55,4 +65,4 @@ resolver_timeout 5s;
 # This header tells browsers to cache the certificate for a year and to connect exclusively via HTTPS.
 #add_header Strict-Transport-Security "max-age=31536000;" always;
 # This version tells browsers to treat all subdomains the same as this site and to load exclusively over HTTPS
-add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
\ No newline at end of file
+add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload;";
diff --git a/etc/nginx/nginx.conf b/etc/nginx/nginx.conf
index 879fbb2..3870d26 100644
--- a/etc/nginx/nginx.conf
+++ b/etc/nginx/nginx.conf
@@ -60,6 +60,8 @@ http {
 # Optimization settings.
 aio threads;
 sendfile on;
+ # Limit the amount of data transferred in a single sendfile() call to 1MB.
+ sendfile_max_chunk 1m;
 tcp_nopush on;
 tcp_nodelay on;
 client_body_buffer_size 128k;
@@ -80,8 +82,8 @@ http {
 # Enable Compression.
 # gzip (default) or brotli (requires Nginx installed with brotli module).
- # TODO: Move to per site config.
- #include /etc/nginx/comp_gzip;
+ # Moved to per site config.
+ ##include /etc/nginx/compression_gzip;
 # Uncomment to enable FastCGI cache. If disabled, do not use the cached vhost setting.
 include /etc/nginx/fastcgi_cache;
@@ -91,7 +93,7 @@ http {
 # Upstream, ex: for Node.JS application server.
 # TODO: Move to per site config.
- #include /etc/nginx/upstream;
+ ##include /etc/nginx/upstream;
 # SSL map.
 include /etc/nginx/fastcgi_https_map;
diff --git a/etc/nginx/sites-available/default b/etc/nginx/sites-available/default
index 0aa927e..e48fdcb 100644
--- a/etc/nginx/sites-available/default
+++ b/etc/nginx/sites-available/default
@@ -11,8 +11,8 @@ server {
 #ssl_certificate_key /etc/letsencrypt/live/localhost.localdomain/privkey.pem;
 #ssl_trusted_certificate /etc/letsencrypt/live/localhost.localdomain/fullchain.pem;
- access_log /var/log/nginx/localhost.access.log;
- error_log /var/log/nginx/localhost.error.log;
+ access_log /var/log/nginx/localhost.access.log combined buffer=32k;
+ error_log /var/log/nginx/localhost.error.log error;
 root /usr/share/nginx/html;
 index index.php index.html index.htm;
@@ -24,7 +24,18 @@ server {
 include /etc/nginx/vhost/site_default.conf;
- location ~ ^/(status|ping)$ {
+ # Nginx basic status monitoring.
+ location = /nginx_status {
+ stub_status;
+ allow all;
+ auth_basic "Denied";
+ auth_basic_user_file /srv/.htpasswd;
+ access_log off;
+ log_not_found off;
+ }
+
+ # PHP-FPM status monitoring.
+ location ~ ^/php-fpm_(status|ping)$ {
 include /etc/nginx/fastcgi_params;
 fastcgi_pass unix:/run/php/php8.0-fpm.sock;
@@ -33,6 +44,8 @@ server {
 allow all;
 auth_basic "Denied";
 auth_basic_user_file /srv/.htpasswd;
+ access_log off;
+ log_not_found off;
 }
 location ~ \.php81$ {
@@ -46,7 +59,7 @@ server {
 fastcgi_pass unix:/run/php/php8.1-fpm.sock;
 }
- location ~ \.php80$ {
+ location ~ \.(php|php80)$ {
 try_files $uri =404;
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 fastcgi_index index.php;
@@ -56,7 +69,7 @@ server {
 fastcgi_pass unix:/run/php/php8.0-fpm.sock;
 }
- location ~ \.(php|php74)$ {
+ location ~ \.php74$ {
 try_files $uri =404;
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 fastcgi_index index.php;
@@ -132,8 +145,8 @@ server {
 index index.php index.html index.htm;
 # Log Settings.
- access_log /var/log/nginx/localhost.access.log;
- error_log /var/log/nginx/localhost.error.log;
+ access_log /var/log/nginx/localhost.access.log combined buffer=32k;
+ error_log /var/log/nginx/localhost.error.log error;
 location /lcp {
 try_files $uri $uri/ /index.php?$args;
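Review bot: The new `/nginx_status` location (and the renamed `/php-fpm_(status|ping)` one, together with the `@@ -33,6` hunk) pairs `allow all` with `access_log off`, so both status endpoints are reachable from any address, guarded only by the shared `/srv/.htpasswd`, and neither successful nor failed authentication attempts against them are ever logged, which leaves credential guessing against that file invisible to log review. Suggest `allow 127.0.0.1; deny all;` (nginx's default `satisfy all` then requires both the source address and the credential) or at least dropping `access_log off;` so these requests stay in the access log. `log_not_found off;` does nothing useful in an exact-match `stub_status` location and can go. Lastly, the renamed php-fpm location only works if the pool's `pm.status_path`/`ping.path` are changed to `/php-fpm_status` and `/php-fpm_ping` to match, which is not part of this diff; presumably FPM would otherwise treat the requests as ordinary scripts, so a comment such as `# Must match pm.status_path / ping.path in the PHP-FPM pool config.` would help whoever deploys this.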
@@ -175,7 +188,7 @@ server {
 fastcgi_pass unix:/run/php/php8.1-fpm.sock;
 }
- location ~ \.php80$ {
+ location ~ \.(php|php80)$ {
 try_files $uri =404;
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 fastcgi_index index.php;
@@ -185,7 +198,7 @@ server {
 fastcgi_pass unix:/run/php/php8.0-fpm.sock;
 }
- location ~ \.(php|php74)$ {
+ location ~ \.php74$ {
 try_files $uri =404;
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 fastcgi_index index.php;