| server { |
| listen 80; |
| listen [::]:80; |
| |
| location /.well-known/acme-challenge/ { |
| root /var/www/certbot; |
| } |
| |
| location / { |
| return 301 https://$host$request_uri; |
| } |
| } |
| |
| server { |
| listen 443 ssl default_server; |
| listen [::]:443 ssl default_server; |
| ssl_certificate /etc/nginx/certs/live/${SA_PUBLIC_DOMAIN_NAME}/fullchain.pem; |
| ssl_certificate_key /etc/nginx/certs/live/${SA_PUBLIC_DOMAIN_NAME}/privkey.pem; |
| ssl_protocols TLSv1.3; |
| ssl_prefer_server_ciphers on; |
| #ssl_dhparam /etc/nginx/dhparam.pem; |
| ssl_ciphers EECDH+AESGCM:EDH+AESGCM; |
| ssl_ecdh_curve secp384r1; |
| ssl_session_timeout 10m; |
| ssl_session_cache shared:SSL:10m; |
| ssl_session_tickets off; |
| ssl_stapling on; |
| ssl_stapling_verify on; |
| resolver 8.8.8.8 8.8.4.4 valid=300s; |
| resolver_timeout 5s; |
| # Disable strict transport security for now. You can uncomment the following |
| # line if you understand the implications. |
| #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; |
| add_header X-Frame-Options DENY; |
| add_header X-Content-Type-Options nosniff; |
| add_header X-XSS-Protection "1; mode=block"; |
| } |