Example Nginx ssl terminator with proxy-pass to node app

example.conf

server {

    listen 443;
    ssl on;
    server_name EXAMPLE.com   www.EXAMPLE.com;

    access_log /var/log/nginx/EXAMPLE.com.access.log rt_cache;
    error_log /var/log/nginx/EXAMPLE.com.error.log;

    # SSL cert via letsencrypt
    ssl_certificate      /etc/letsencrypt/live/EXAMPLE.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/EXAMPLE.com/privkey.pem;

    # SSL config from https://cipherli.st/
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver_timeout 5s;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    # CAUTION HSTS headers can really ruin your day if you don't know what you're doing
    # add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root         /var/www/EXAMPLE.com/htdocs;
    }

    location / {
        add_header X-Proxy-Cache $upstream_cache_status;
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect      off;
        proxy_set_header    Host              $host;
        proxy_set_header    X-Real-IP         $remote_addr;
        proxy_set_header    X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header    X-Forwarded-Proto $scheme;
        add_header          Front-End-Https   on;
    }

}