diff --git a/production/nginx.conf b/production/nginx.conf
index 8079bb312..3024e132d 100644
--- a/production/nginx.conf
+++ b/production/nginx.conf
@@ -1,9 +1,9 @@
 user nobody;
+
 pid /var/run/nginx.pid;
-include /usr/local/etc/nginx/modules-enabled/*.conf;
 
 worker_processes auto;
-worker_rlimit_nofile 9999;
+worker_rlimit_nofile 100000;
 
 events {
 	worker_connections 9000;
@@ -14,134 +14,79 @@ http {
 	sendfile on;
 	tcp_nopush on;
 	tcp_nodelay on;
-	keepalive_timeout 300s;
-	types_hash_max_size 2048;
+
+	server_tokens off;
+	server_name_in_redirect off;
 
 	include /usr/local/etc/nginx/mime.types;
 	default_type application/octet-stream;
 
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
-	ssl_prefer_server_ciphers on;
-
 	access_log /var/log/nginx/access.log;
 	error_log /var/log/nginx/error.log;
 
+	# reset timed out connections freeing ram
+	reset_timedout_connection on;
+	# maximum time between packets the client can pause when sending nginx any data
+	client_body_timeout 10s;
+	# maximum time the client has to send the entire header to nginx
+	client_header_timeout 10s;
+	# timeout which a single keep-alive client connection will stay open
+	keepalive_timeout 69s;
+	# maximum time between packets nginx is allowed to pause when sending the client data
+	send_timeout 10s;
+
+	# number of requests per connection, does not affect SPDY
+	keepalive_requests 100;
+
+	types_hash_max_size 2048;
+
 	proxy_cache off;
 
+	# enable gzip compression
 	gzip on;
-	gzip_comp_level    5;
-	gzip_min_length    256;
-	gzip_proxied       any;
-	gzip_vary          on;
+	gzip_vary on;
+	gzip_comp_level 6;
+	gzip_min_length 1000;
+	gzip_proxied expired no-cache no-store private auth;
+	# text/html is always compressed by gzip module
+	gzip_types application/javascript application/json application/ld+json application/manifest+json application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard;
 
-	gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # text/html is always compressed by gzip module
+	# limit request body size
+	client_max_body_size 10m;
+
+	# rate limit requests
+	limit_req_zone $binary_remote_addr zone=api:5m rate=50r/m;
+	limit_req_zone $binary_remote_addr zone=electrs:5m rate=1000r/m;
+	limit_req_status 429;
+
+	# rate limit connections
+	limit_conn_zone $binary_remote_addr zone=websocket:10m;
+	limit_conn_status 429;
 
 	server {
-		listen 80;
-		listen [::]:80;
+		listen 80 backlog=1024;
+		listen [::]:80 backlog=1024;
+
+		server_name mempool.space;
+		return 301 https://$host$request_uri;
+	}
+
+	server {
+		listen 127.0.0.1:81 backlog=1024;
+		listen [::]:443 ssl default http2 backlog=1024;
+		listen 443 ssl default http2 backlog=1024;
+
 		server_name mempool.space;
 
-		if ($host = mempool.space) {
-			return 301 https://$host$request_uri;
-		} # managed by Certbot
-
-		return 404; # managed by Certbot
-	}
-
-	server {
-		listen 80;
-		listen [::]:80;
-		server_name mempool.ninja;
-
-		if ($host = mempool.ninja) {
-			return 301 https://mempool.space$request_uri;
-		} # managed by Certbot
-
-		return 404; # managed by Certbot
-	}
-
-	server {
-		listen [::]:443 ssl http2; # managed by Certbot
-		listen 443 ssl http2; # managed by Certbot
-
-		ssl_certificate /usr/local/etc/letsencrypt/live/mempool.ninja/fullchain.pem; # managed by Certbot
-		ssl_certificate_key /usr/local/etc/letsencrypt/live/mempool.ninja/privkey.pem; # managed by Certbot
-		include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-		ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-		server_name mempool.ninja; # managed by Certbot
-
-		return 301 https://mempool.space$request_uri;
-	}
-
-	server {
-		listen 80;
-		listen [::]:80;
-		server_name liquid.mempool.ninja;
-
-		if ($host = liquid.mempool.ninja) {
-			return 301 https://mempool.space/liquid$request_uri;
-		} # managed by Certbot
-
-		return 404; # managed by Certbot
-	}
-
-	server {
-		listen [::]:443 ssl http2; # managed by Certbot
-		listen 443 ssl http2; # managed by Certbot
-
-		ssl_certificate /usr/local/etc/letsencrypt/live/liquid.mempool.ninja/fullchain.pem; # managed by Certbot
-		ssl_certificate_key /usr/local/etc/letsencrypt/live/liquid.mempool.ninja/privkey.pem; # managed by Certbot
-		include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-		ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-		server_name liquid.mempool.ninja; # managed by Certbot
-
-		return 301 https://mempool.space/liquid$request_uri;
-	}
-
-	server {
-		listen 80;
-		listen [::]:80;
-		server_name testnet.mempool.ninja;
-
-		if ($host = testnet.mempool.ninja) {
-			return 301 https://mempool.space/testnet$request_uri;
-		} # managed by Certbot
-
-		return 404; # managed by Certbot
-	}
-
-	server {
-		listen [::]:443 ssl http2; # managed by Certbot
-		listen 443 ssl http2; # managed by Certbot
-
-		ssl_certificate /usr/local/etc/letsencrypt/live/testnet.mempool.ninja/fullchain.pem; # managed by Certbot
-		ssl_certificate_key /usr/local/etc/letsencrypt/live/testnet.mempool.ninja/privkey.pem; # managed by Certbot
-		include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-		ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
-
-		server_name testnet.mempool.ninja; # managed by Certbot
-
-		return 301 https://mempool.space/testnet$request_uri;
-	}
-
-	server {
-		listen 127.0.0.1:81;
-		listen [::]:443 ssl default http2; # managed by Certbot
-		listen 443 ssl default http2; # managed by Certbot
-
-		ssl_certificate /usr/local/etc/letsencrypt/live/mempool.space/fullchain.pem; # managed by Certbot
-		ssl_certificate_key /usr/local/etc/letsencrypt/live/mempool.space/privkey.pem; # managed by Certbot
-		include /usr/local/etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
-		ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+		ssl_certificate /usr/local/etc/letsencrypt/live/mempool.space/fullchain.pem;
+		ssl_certificate_key /usr/local/etc/letsencrypt/live/mempool.space/privkey.pem;
+		include /usr/local/etc/letsencrypt/options-ssl-nginx.conf;
+		ssl_dhparam /usr/local/etc/letsencrypt/ssl-dhparams.pem;
 
 		root /mempool/public_html/mainnet/;
+		index index.html;
 
-		index index.html index.htm index.nginx-debian.html;
-		server_name mempool.space; # managed by Certbot
-
-		add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+		# security headers
 
 		set $frameOptions "DENY";
 		set $contentSecurityPolicy "frame-ancestors 'none'";
@@ -155,86 +100,105 @@ http {
 			set $frameOptions "ALLOW-FROM https://wiz.biz";
 			set $contentSecurityPolicy "frame-ancestors https://wiz.biz";
 		}
-
 		add_header X-Frame-Options $frameOptions;
 		add_header Content-Security-Policy $contentSecurityPolicy;
 		add_header Link "<https://mempool.space$request_uri>; rel=\"canonical\"";
+		add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
+
+		# /
 
 		location / {
 			try_files $uri $uri/ /index.html =404;
 		}
 
-		location /explorer {
-			rewrite /explorer/(.*) https://$host/$1 permanent;
-		}
-
-		location /webhook {
-			proxy_pass http://127.0.0.1:2222/;
-		}
+		# /api
 
 		location /api/v1/ws {
 			proxy_pass http://127.0.0.1:8999/;
 			proxy_http_version 1.1;
 			proxy_set_header Upgrade $http_upgrade;
 			proxy_set_header Connection "Upgrade";
+			limit_conn websocket 10;
 		}
 		location /api/v1 {
 			proxy_pass http://127.0.0.1:8999/api/v1;
+			limit_req burst=50 nodelay zone=api;
 		}
 		location /api/ {
 			proxy_pass http://[::1]:3000/;
+			limit_req burst=100 nodelay zone=electrs;
 		}
 
+		# /mainnet/api
+
 		location /mainnet/api/v1/ws {
 			proxy_pass http://127.0.0.1:8999/;
 			proxy_http_version 1.1;
 			proxy_set_header Upgrade $http_upgrade;
 			proxy_set_header Connection "Upgrade";
+			limit_conn websocket 10;
 		}
 		location /mainnet/api/v1 {
 			proxy_pass http://127.0.0.1:8999/api/v1;
+			limit_req burst=50 nodelay zone=api;
 		}
 		location /mainnet/api/ {
 			proxy_pass http://[::1]:3000/;
+			limit_req burst=100 nodelay zone=electrs;
 		}
 
+		# /liquid/api
+
 		location /liquid/api/v1/ws {
 			proxy_pass http://127.0.0.1:8998/;
 			proxy_http_version 1.1;
 			proxy_set_header Upgrade $http_upgrade;
 			proxy_set_header Connection "Upgrade";
+			limit_conn websocket 10;
 		}
 		location /liquid/api/v1 {
 			proxy_pass http://127.0.0.1:8998/api/v1;
+			limit_req burst=50 nodelay zone=api;
 		}
 		location /liquid/api/ {
 			proxy_pass http://[::1]:3001/;
+			limit_req burst=100 nodelay zone=electrs;
 		}
 
+		# /testnet/api
+
 		location /testnet/api/v1/ws {
 			proxy_pass http://127.0.0.1:8997/;
 			proxy_http_version 1.1;
 			proxy_set_header Upgrade $http_upgrade;
 			proxy_set_header Connection "Upgrade";
+			limit_conn websocket 10;
 		}
 		location /testnet/api/v1 {
 			proxy_pass http://127.0.0.1:8997/api/v1;
+			limit_req burst=50 nodelay zone=api;
 		}
 		location /testnet/api/ {
 			proxy_pass http://[::1]:3002/;
+			limit_req burst=100 nodelay zone=electrs;
 		}
 
+		# /bisq
+
 		location /bisq/api/v1/ws {
 			proxy_pass http://127.0.0.1:8996/;
 			proxy_http_version 1.1;
 			proxy_set_header Upgrade $http_upgrade;
 			proxy_set_header Connection "Upgrade";
+			limit_conn websocket 10;
 		}
 		location /bisq/api/v1 {
 			proxy_pass http://127.0.0.1:8996/api/v1;
+			limit_req burst=50 nodelay zone=api;
 		}
 		location /bisq/api {
 			proxy_pass http://127.0.0.1:8996/api/v1/bisq;
+			limit_req burst=100 nodelay zone=electrs;
 		}
 	}
 }