blob: f0cb923d1c3324fd28c00295bb95ffb5b2f6049e [file] [log] [blame]
Nico Huber8cd50ee2023-06-24 15:35:16 +00001server {
Nico Huber38c14da2023-06-24 16:59:28 +00002 listen 80;
3 listen [::]:80;
4
Nico Huber15edd772023-07-01 18:16:50 +00005 location /.well-known/acme-challenge/ {
6 root /var/www/certbot;
7 }
8
9 location / {
10 return 301 https://$host$request_uri;
11 }
Nico Huber38c14da2023-06-24 16:59:28 +000012}
13
14server {
Nico Hubera1a296f2023-06-25 10:07:07 +000015 listen 443 ssl default_server;
16 listen [::]:443 ssl default_server;
Nico Huber15edd772023-07-01 18:16:50 +000017 ssl_certificate /etc/nginx/certs/live/miau.local/fullchain.pem;
18 ssl_certificate_key /etc/nginx/certs/live/miau.local/privkey.pem;
Nico Huber38c14da2023-06-24 16:59:28 +000019 ssl_protocols TLSv1.3;
20 ssl_prefer_server_ciphers on;
21 #ssl_dhparam /etc/nginx/dhparam.pem;
22 ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
23 ssl_ecdh_curve secp384r1;
24 ssl_session_timeout 10m;
25 ssl_session_cache shared:SSL:10m;
26 ssl_session_tickets off;
27 ssl_stapling on;
28 ssl_stapling_verify on;
29 resolver 8.8.8.8 8.8.4.4 valid=300s;
30 resolver_timeout 5s;
31 # Disable strict transport security for now. You can uncomment the following
32 # line if you understand the implications.
33 #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
34 add_header X-Frame-Options DENY;
35 add_header X-Content-Type-Options nosniff;
36 add_header X-XSS-Protection "1; mode=block";
Nico Huber8cd50ee2023-06-24 15:35:16 +000037}