| location /.well-known/acme-challenge/ { |
| return 301 https://$host$request_uri; |
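| listen 443 ssl default_server; |
| listen [::]:443 ssl default_server; |
| # nginx does not expand ${VAR} itself: SA_PUBLIC_DOMAIN_NAME has to be substituted |
| # into this file before nginx loads it (presumably an envsubst step at container |
| # start -- confirm), otherwise the cert paths are taken literally and startup fails. |
| ssl_certificate /etc/nginx/certs/live/${SA_PUBLIC_DOMAIN_NAME}/fullchain.pem; |
| ssl_certificate_key /etc/nginx/certs/live/${SA_PUBLIC_DOMAIN_NAME}/privkey.pem; |
| # No ssl_protocols directive is visible in this excerpt; confirm TLSv1.0/1.1 are |
| # disabled (older nginx defaults still enable them). |
| ssl_prefer_server_ciphers on; |
| # With ssl_dhparam left commented the EDH+AESGCM (DHE) entries below are dead config |
| # on nginx >= 1.11.0 (DHE disabled) and use a weak built-in DH group on older builds. |
| # Either uncomment this with a >= 2048-bit group or drop EDH from ssl_ciphers. |
| #ssl_dhparam /etc/nginx/dhparam.pem; |
| ssl_ciphers EECDH+AESGCM:EDH+AESGCM; |
| # Pinning a single curve excludes X25519 and P-256 (the most widely supported); |
| # acceptable hardening, but verify the intended clients negotiate secp384r1. |
| ssl_ecdh_curve secp384r1; |
| # No ssl_session_tickets directive is visible; with the default (on) the ticket key |
| # only rotates on reload, which weakens forward secrecy on long-running instances. |
| ssl_session_cache shared:SSL:10m; |
| # NOTE(review): resolver carries no nameserver address -- nginx needs at least one |
| # here, so this looks like a templating artifact; confirm. Prefer a loopback/local |
| # resolver: DNS answers are unauthenticated and an off-host resolver is spoofable. |
| resolver valid=300s; |
| # HSTS is deliberately off. Before enabling: "includeSubDomains" commits every |
| # subdomain to HTTPS and "preload" is hard to undo (browser preload lists take |
| # months to update), so roll out with a short max-age and no preload first. |
| #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; |
| # "always" makes nginx emit these headers on 4xx/5xx responses too; without it only |
| # success/redirect codes get them, and error pages are where reflected input tends |
| # to appear. Note add_header is NOT additive: any location that declares its own |
| # add_header drops all of these inherited ones, so repeat them there. |
| add_header X-Frame-Options DENY always; |
| add_header X-Content-Type-Options nosniff always; |
| # Legacy header: current browsers ignore it and "1; mode=block" had known |
| # side-channel issues; OWASP now recommends "0" (or omitting it) and relying on a |
| # Content-Security-Policy, which is not set in this excerpt. |
| add_header X-XSS-Protection "1; mode=block" always; |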