upstream origin { server ${UPSTREAM:-127.0.0.1}; } include /etc/nginx/auth_part1.conf; server { listen 443 ssl http2; server_name ${SERVERNAME:-structr.cerulean.it}; ssl_certificate /etc/letsencrypt/fullchain-copy.pem; ssl_certificate_key /etc/letsencrypt/privkey-copy.pem; # Performance + Privacy improvements ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/letsencrypt/fullchain-copy.pem; resolver 8.8.8.8 208.67.222.222 valid=300s; resolver_timeout 5s; # https://mozilla.github.io/server-side-tls/ssl-config-generator/ ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 5m; ssl_dhparam /etc/nginx/dhparams.pem; location /.well-known/acme-challenge { include /etc/nginx/hsts.conf; include /etc/nginx/security_headers.conf; default_type "text/plain"; root /usr/share/nginx/html; try_files $uri =404; } location / { include /etc/nginx/auth_part2.conf; include /etc/nginx/hsts.conf; include /etc/nginx/security_headers.conf; include /etc/nginx/request_size.conf; include /etc/nginx/trusted_proxies.conf; include /etc/nginx/main_location.conf; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://origin; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_read_timeout 900s; } } server { listen 80; server_name ${SERVERNAME:-structr.cerulean.it}; location /.well-known/acme-challenge { default_type "text/plain"; root /usr/share/nginx/html; try_files $uri =404; } location = /silent_liveness_check { access_log off; return 301 https://$server_name$request_uri; } location / { return 301 https://$server_name$request_uri; } }