Ghost Cloudflare Nginx Config

## nginx.conf
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name www.verifiedbyme.xyz;

  # SSL
  ssl_certificate /etc/nginx/ssl/nginx.crt;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;

  # reverse proxy
location / {
proxy_pass http://127.0.0.1:2368;
proxy_http_version	1.1;
proxy_cache_bypass	$http_upgrade;
proxy_set_header Upgrade			$http_upgrade;
proxy_set_header Connection 		"upgrade";
proxy_set_header Host				$host;
proxy_set_header X-Real-IP			$remote_addr;
proxy_set_header X-Forwarded-For	$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto	$scheme;
proxy_set_header X-Forwarded-Host	$host;
proxy_set_header X-Forwarded-Port	$server_port;
  }
  # security headers
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-XSS-Protection "1; mode=block" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header Referrer-Policy "no-referrer-when-downgrade" always;
  add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

  # . files
  location ~ /\.(?!well-known) {
    deny all;
  }

  # favicon.ico
  location = /favicon.ico {
    log_not_found off;
    access_log off;
  }

  # robots.txt
  location = /robots.txt {
    log_not_found off;
    access_log off;
  }

  # gzip
  gzip on;
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 6;
  gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
}

# non-www, subdomains redirect
server {

  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name .verifiedbyme.xyz;

  # SSL
  ssl_certificate /etc/nginx/ssl/verifiedbyme.xyz.crt;
  ssl_certificate_key /etc/nginx/ssl/verifiedbyme.xyz.key;

  return 301 https://www.verifiedbyme.xyz$request_uri;
}

# HTTP redirect
server {

  listen 80;
  listen [::]:80;

  server_name .verifiedbyme.xyz;

  return 301 https://www.verifiedbyme.xyz$request_uri;
}
	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name www.verifiedbyme.xyz;

	# SSL
	ssl_certificate /etc/nginx/ssl/nginx.crt;
	ssl_certificate_key /etc/nginx/ssl/nginx.key;

	# reverse proxy
	location / {
	proxy_pass http://127.0.0.1:2368;
	proxy_http_version 1.1;
	proxy_cache_bypass $http_upgrade;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Forwarded-Host $host;
	proxy_set_header X-Forwarded-Port $server_port;
	}
	# security headers
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header Referrer-Policy "no-referrer-when-downgrade" always;
	add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

	# . files
	location ~ /\.(?!well-known) {
	deny all;
	}

	# favicon.ico
	location = /favicon.ico {
	log_not_found off;
	access_log off;
	}

	# robots.txt
	location = /robots.txt {
	log_not_found off;
	access_log off;
	}

	# gzip
	gzip on;
	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_types text/plain text/css text/xml application/json application/javascript application/xml+rss application/atom+xml image/svg+xml;
	}

	# non-www, subdomains redirect
	server {

	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name .verifiedbyme.xyz;

	# SSL
	ssl_certificate /etc/nginx/ssl/verifiedbyme.xyz.crt;
	ssl_certificate_key /etc/nginx/ssl/verifiedbyme.xyz.key;

	return 301 https://www.verifiedbyme.xyz$request_uri;
	}

	# HTTP redirect
	server {

	listen 80;
	listen [::]:80;

	server_name .verifiedbyme.xyz;

	return 301 https://www.verifiedbyme.xyz$request_uri;
	}