
@hownowbrowncow
Last active April 10, 2017 17:44
A+ Observatory Nginx Config
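# Plain-HTTP listener: serves no content, only redirects to HTTPS.
server {
    listen 80;
    server_name example.com www.example.com;

    # `return` is the idiomatic way to issue an unconditional redirect; it
    # avoids the regex evaluation done by `rewrite ^ ... permanent`.
    # $request_uri already carries the query string, so nothing is appended.
    # NOTE(review): $host is taken from the request's Host header. If this
    # block can end up as the default server for port 80, add a separate
    # catch-all server so only the names above are ever redirected.
    return 301 https://$host$request_uri;
}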
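# HTTPS listener: terminates TLS, sets security response headers and
# reverse-proxies everything except ACME challenges to the local app.
server {
    listen 443 ssl;
    server_name example.com www.example.com;
    charset utf-8;

    # Hide the nginx version in the Server header and on error pages.
    server_tokens off;

    # --- Security response headers -------------------------------------
    # `always` is set on every header so they are also sent on 4xx/5xx
    # responses; without it nginx adds headers only to a fixed list of
    # success and redirect status codes.
    # These server-level add_header directives are inherited by a location
    # only while that location defines no add_header of its own.
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    # X-XSS-Protection is a legacy header that current browsers ignore;
    # the Content-Security-Policy below is the effective control.
    add_header X-XSS-Protection "1; mode=block" always;
    # Two-year HSTS covering all subdomains: every subdomain must serve
    # valid HTTPS before this is deployed.
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    # NOTE(review): style-src allows 'unsafe-inline', which weakens the
    # policy against injected styles; prefer hashes or nonces if the
    # application can do without inline styles.
    add_header Content-Security-Policy "default-src 'self' https://fonts.googleapis.com; script-src 'self' https://ssl.google-analytics.com; img-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; frame-src 'none'; object-src 'none'; connect-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com" always;

    # --- TLS ------------------------------------------------------------
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
    # Add TLSv1.3 here once the installed nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Forward-secret key exchange only (ECDHE/DHE). The AES256+... entries
    # also admit CBC suites; drop them if only AEAD suites are wanted.
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    # Session tickets stay off so resumption does not depend on a
    # long-lived ticket key.
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    # Site-specific DH parameters for the DHE suites.
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # Resolver used for OCSP responder lookups. These are public
    # resolvers; a local or internal resolver keeps those lookups on
    # infrastructure you control.
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # --- Application reverse proxy ---------------------------------------
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever the client sent,
        # so the upstream may trust only the last entry (or X-Real-IP).
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;
        proxy_read_timeout 90;
        proxy_pass http://127.0.0.1:3000/;
        # Rewrite upstream redirects to the public HTTPS origin. Pointing
        # them at http:// would send clients through a plaintext hop
        # before the port-80 server redirects them back.
        proxy_redirect http://127.0.0.1:3000/ https://$server_name/;
    }

    # --- ACME (Let's Encrypt) challenge files -----------------------------
    # A prefix match with `root` replaces the unanchored regex with
    # `alias`: the regex `/.well-known` matched anywhere in the URI (its
    # "." is a wildcard), taking those requests away from the proxy, and
    # `alias` in a regex location without captures maps every match to
    # the same path instead of the requested file.
    location ^~ /.well-known/ {
        root /var/www/example.com;
        allow all;
    }

    # NOTE(review): with access logging off there is no request trail for
    # incident response; consider logging to a rotated file instead.
    access_log off;
    error_log /var/log/nginx/example.com-error.log error;
    client_max_body_size 5m;
}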