AF111/nginx site conf

## nginx site conf
upstream upstreamserver {
    server localhost:4500;
}

server {
	listen 80;
	listen [::]:80;

	server_name www.domain.com;
	return 301 https://www.domain.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name www.domain.com;
    server_tokens off;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/ssl/dhparams.pem; # openssl dhparams -out /etc/nginx/dhparam.pem 4096
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7

    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";

    location / {
        root /var/www/app/public;
        try_files $uri @upstreamserver;
    }

    location @upstreamserver {
        proxy_pass http://upstreamserver;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header CF-Connecting-IP $http_cf_connecting_ip; # cloudflare set connecting IP header
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
    }
}
	upstream upstreamserver {
	server localhost:4500;
	}

	server {
	listen 80;
	listen [::]:80;

	server_name www.domain.com;
	return 301 https://www.domain.com$request_uri;
	}

	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name www.domain.com;
	server_tokens off;

	ssl on;
	ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
	ssl_protocols TLSv1.2 TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/nginx/ssl/dhparams.pem; # openssl dhparams -out /etc/nginx/dhparam.pem 4096
	ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
	ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
	ssl_session_timeout 10m;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off; # Requires nginx >= 1.5.9
	ssl_stapling on; # Requires nginx >= 1.3.7
	ssl_stapling_verify on; # Requires nginx => 1.3.7

	resolver 1.1.1.1 1.0.0.1 valid=300s;
	resolver_timeout 5s;

	add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";

	location / {
	root /var/www/app/public;
	try_files $uri @upstreamserver;
	}

	location @upstreamserver {
	proxy_pass http://upstreamserver;
	proxy_set_header Host $host;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection 'upgrade';
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header CF-Connecting-IP $http_cf_connecting_ip; # cloudflare set connecting IP header
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_http_version 1.1;
	proxy_cache_bypass $http_upgrade;
	}
	}