@colinmcintosh
Last active March 4, 2024 15:39
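# Reverse proxy in front of a local TLS backend: plain HTTP is redirected to
# HTTPS, HTTPS terminates here and is proxied to localhost:8443.
# Indentation is cosmetic; nginx ignores it.
worker_processes auto;
# Per-worker open-file limit; keep it >= worker_connections so accepts are
# not refused under load.
worker_rlimit_nofile 65535;

events {
    multi_accept on;
    worker_connections 65535;
}

http {
    charset utf-8;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Remove the nginx version from the Server header and error pages.
    # Declared once: a second server_tokens in the same context makes nginx
    # refuse the config with a "directive is duplicate" error.
    server_tokens off;
    log_not_found off;
    types_hash_max_size 2048;
    client_max_body_size 16M;

    # MIME
    include mime.types;
    default_type application/octet-stream;

    # logging
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log warn;

    # TLS
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparam.pem; # sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
    # Update ciphers from https://ssl-config.mozilla.org/#server=nginx
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    # Curve list from the Mozilla generator: X25519 first (fastest), P-256 and
    # P-384 for clients without it. Restricting to secp384r1 alone excludes
    # X25519-only clients for no security gain. A colon-separated list needs
    # nginx >= 1.11.0 with OpenSSL >= 1.0.2.
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    # Requires nginx >= 1.5.9. Off so resumption does not depend on a
    # long-lived ticket key; the server-side cache above still allows resumption.
    ssl_session_tickets off;
    # OCSP stapling; verification needs ssl_trusted_certificate in the server block.
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
    # Used for the OCSP responder lookup: plain UDP DNS to public resolvers.
    resolver 1.1.1.1 8.8.8.8 valid=300s;
    resolver_timeout 5s;

    # Security headers. nginx add_header is not merged: any add_header in a
    # server/location block replaces this whole set for that block, so repeat
    # them wherever a child block adds its own. Without the "always" flag they
    # are sent only on successful and redirect responses, not on error pages.
    # "preload" with includeSubDomains commits every subdomain to HTTPS once
    # the domain is on the browser preload list.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    # Legacy browser XSS auditor. Current browsers ignore it and "1; mode=block"
    # introduced side channels in older ones; current guidance is to disable it.
    add_header X-XSS-Protection "0";

    # Plain HTTP: redirect everything to HTTPS. default_server makes this the
    # catch-all on :80, so $host echoes whatever Host header the client sent;
    # use $server_name instead if the redirect target must be fixed.
    server {
        server_name example.mydomain.com;
        listen 80 default_server;
        return 301 https://$host$request_uri;
    }

    server {
        server_name example.mydomain.com;
        ssl_certificate /etc/nginx/ssl/example.mydomain.com.fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/example.mydomain.com.key.pem;
        # Chain used to validate the stapled OCSP response (ssl_stapling_verify);
        # it must contain the issuing intermediate(s) — confirm .cert.pem is not
        # just the leaf certificate.
        ssl_trusted_certificate /etc/nginx/ssl/example.mydomain.com.cert.pem;
        listen 443 ssl http2; # nginx >= 1.25.1 prefers a separate "http2 on;"

        location / {
            # Forward the original host and client address; by default nginx
            # sends "Host: localhost:8443" and no forwarding headers, so the
            # backend cannot tell the real host, scheme or client IP.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # The upstream certificate is not verified (proxy_ssl_verify defaults
            # to off). Acceptable on loopback; set proxy_ssl_verify on and
            # proxy_ssl_trusted_certificate if the backend moves off this host.
            proxy_pass https://localhost:8443/;
        }
    }
}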