Ghost Cloudflare Nginx Config

nginx.conf

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name www.verifiedbyme.xyz;

  # SSL
  ssl_certificate /etc/nginx/ssl/nginx.crt;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;

  # reverse proxy
location / {
proxy_pass http://127.0.0.1:2368;
proxy_http_version	1.1;
proxy_cache_bypass	$http_upgrade;
proxy_set_header Upgrade			$http_upgrade;
proxy_set_header Connection 		"upgrade";
proxy_set_header Host				$host;
proxy_set_header X-Real-IP			$remote_addr;
proxy_set_header X-Forwarded-For	$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto	$scheme;
proxy_set_header X-Forwarded-Host	$host;
proxy_set_header X-Forwarded-Port	$server_port;
  }
  # security headers
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-XSS-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Referrer-Policy "no-referrer-when-downgrade" always;
  add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
  
  # . files
  location ~ /\.(?!well-known) {
    deny all;
  }
  
  # favicon.ico
  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }
  
  # robots.txt
  location = /robots.txt {
    log_not_found off;
    access_log off;
  }
  
  # gzip
  gzip on;
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
}

# non-www, subdomains redirect
server {

  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name .verifiedbyme.xyz;

  # SSL
  ssl_certificate /etc/nginx/ssl/verifiedbyme.xyz.crt;
  ssl_certificate_key /etc/nginx/ssl/verifiedbyme.xyz.key;

  return 301 https://www.verifiedbyme.xyz$request_uri;
}

# HTTP redirect
server {

  listen 80;
  listen [::]:80;

  server_name .verifiedbyme.xyz;

  return 301 https://www.verifiedbyme.xyz$request_uri;
}