3dprogramin/mysite.conf

## mysite.conf
upstream mysite {
        ip_hash;
        server localhost:8080;
}

// HTTP server for redirecting to HTTPs
server {
        listen       80;
        listen       [::]:80;
        server_name  mysite.com;
        return 301   https://mysite.com$request_uri;
}

// Redirect www.*
server {
        listen       80;
        listen       [::]:80;
        server_name  www.mysite.com;
        return 301   $scheme://mysite.com$request_uri;
}

server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name mysite.com;
        root /home/icebox/websites/easyio/public;

        # SSL
        # -----------
        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
	    ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;
        ssl_session_timeout 1d;
	    ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        #ssl_dhparam /path/to/dhparam.pem;

        # intermediate configuration. tweak to your needs.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SH$
        ssl_prefer_server_ciphers on;

        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
        add_header Strict-Transport-Security max-age=15768000;

        # OCSP Stapling ---
        # fetch OCSP records from URL in ssl_certificate and cache them
        ssl_stapling on;
        ssl_stapling_verify on;

        ## verify chain of trust of OCSP response using Root CA and Intermediate certs
        ssl_trusted_certificate /etc/letsencrypt/live/mysite.com/cert.pem;

        resolver 8.8.8.8;
        # ---------------------------
        # end SSL

        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        location /socket.io/ {
                proxy_http_version 1.1;

                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";

                proxy_pass "http://mysite/socket.io/";
        }

        location /api/ {
                proxy_pass "http://mysite/api/";
        }

    	error_page 404 /404.html;
                location = /40x.html {
        }
    	error_page 500 502 503 504 /50x.html;
                location = /50x.html{
        }
}
	upstream mysite {
	ip_hash;
	server localhost:8080;
	}

	// HTTP server for redirecting to HTTPs
	server {
	listen 80;
	listen [::]:80;
	server_name mysite.com;
	return 301 https://mysite.com$request_uri;
	}

	// Redirect www.*
	server {
	listen 80;
	listen [::]:80;
	server_name www.mysite.com;
	return 301 $scheme://mysite.com$request_uri;
	}

	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name mysite.com;
	root /home/icebox/websites/easyio/public;

	# SSL
	# -----------
	# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
	ssl_certificate /etc/letsencrypt/live/mysite.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/mysite.com/privkey.pem;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;

	# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
	#ssl_dhparam /path/to/dhparam.pem;

	# intermediate configuration. tweak to your needs.
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SH$
	ssl_prefer_server_ciphers on;

	# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
	add_header Strict-Transport-Security max-age=15768000;

	# OCSP Stapling ---
	# fetch OCSP records from URL in ssl_certificate and cache them
	ssl_stapling on;
	ssl_stapling_verify on;

	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	ssl_trusted_certificate /etc/letsencrypt/live/mysite.com/cert.pem;

	resolver 8.8.8.8;
	# ---------------------------
	# end SSL

	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

	location /socket.io/ {
	proxy_http_version 1.1;

	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";

	proxy_pass "http://mysite/socket.io/";
	}

	location /api/ {
	proxy_pass "http://mysite/api/";
	}

	error_page 404 /404.html;
	location = /40x.html {
	}
	error_page 500 502 503 504 /50x.html;
	location = /50x.html{
	}
	}