Nircek/nginx.conf

## nginx.conf
# https://gist.github.com/Nircek/a77d26456bc1c43c8d9f467963b0d53f
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
events {
        worker_connections 768;
        # multi_accept on;
}
http {
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  keepalive_timeout 70;
  types_hash_max_size 2048;
  server_tokens off;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  ssl_prefer_server_ciphers on;
  ssl_ecdh_curve secp384r1;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;
  add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff always;
  ssl_dhparam /etc/nginx/dhparam.pem;

  access_log /var/log/nginx/access.log;
  error_log /var/log/nginx/error.log;

  include /etc/nginx/conf.d/*.conf;
  include /etc/nginx/sites-enabled/*;
}

## sites-available.conf
# https://gist.github.com/Nircek/a77d26456bc1c43c8d9f467963b0d53f

# sudo openssl req -x509 -nodes -days 365 -newkey rsa:3072 -keyout /etc/ssl/private/selfsigned.key -out /etc/ssl/certs/selfsigned.crt
# sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
server {
  listen 80;
  server_name example.com www.example.com;
  return 301 https://example.com$request_uri;
}
server {
  listen 443 ssl http2;
  ssl_certificate /etc/ssl/certs/.crt;
  ssl_certificate_key /etc/ssl/private/.key;
  server_name www.example.com;
  return 301 https://example.com$request_uri;
}
server {
  listen 443 ssl http2;
  server_name example.com;
  ssl_certificate /etc/ssl/certs/.crt;
  ssl_certificate_key /etc/ssl/private/.key;
  location / {
    proxy_pass http://127.0.0.1:8081;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
  }
}
	# https://gist.github.com/Nircek/a77d26456bc1c43c8d9f467963b0d53f
	user www-data;
	worker_processes auto;
	pid /run/nginx.pid;
	include /etc/nginx/modules-enabled/*.conf;
	events {
	worker_connections 768;
	# multi_accept on;
	}
	http {
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 70;
	types_hash_max_size 2048;
	server_tokens off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
	ssl_prefer_server_ciphers on;
	ssl_ecdh_curve secp384r1;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff always;
	ssl_dhparam /etc/nginx/dhparam.pem;

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
	}
	# https://gist.github.com/Nircek/a77d26456bc1c43c8d9f467963b0d53f

	# sudo openssl req -x509 -nodes -days 365 -newkey rsa:3072 -keyout /etc/ssl/private/selfsigned.key -out /etc/ssl/certs/selfsigned.crt
	# sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
	server {
	listen 80;
	server_name example.com www.example.com;
	return 301 https://example.com$request_uri;
	}
	server {
	listen 443 ssl http2;
	ssl_certificate /etc/ssl/certs/.crt;
	ssl_certificate_key /etc/ssl/private/.key;
	server_name www.example.com;
	return 301 https://example.com$request_uri;
	}
	server {
	listen 443 ssl http2;
	server_name example.com;
	ssl_certificate /etc/ssl/certs/.crt;
	ssl_certificate_key /etc/ssl/private/.key;
	location / {
	proxy_pass http://127.0.0.1:8081;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto https;
	}
	}