jacobw56/gist:dd642e574257bfcc788bc0890b9aec29

## gistfile1.txt
# Used this config to get a React FE (https)
# to speak with a Clojure BE (port 8001) over wss

# redirect all http requests to https
# and also listen on IPv6 addresses
server {
  listen 80;
  listen [::]:80;
  server_name domain.com www.domain.com _;

  return 301 https://domain.com$request_uri;
}

# redirect all http requests to https
# and also listen on IPv6 addresses
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name www.domain.com _;

  return 301 https://domain.com$request_uri;
}

# the main server directive for ssl connections
server {
  listen 443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;
  server_name domain.com;
  root /var/www/html;

  # SSL Stuff
  ssl on;

  # paths to certificate and key provided by Let's Encrypt
  ssl_certificate /etc/.../fullchain.pem;
  ssl_certificate_key /etc/.../privkey.pem;

  # SSL settings that currently offer good results in the SSL check
  # and have a reasonable backwards-compatibility, taken from
  # - https://cipherli.st/
  # - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  ssl_ecdh_curve secp384r1;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_dhparam /etc/.../dhparam.pem;
  resolver 8.8.8.8 8.8.4.4 valid=600s;
  resolver_timeout 5s;

  # security enhancements
  add_header Strict-Transport-Security "includeSubdomains";
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  location /socket {
    proxy_pass http://localhost:8001;
    proxy_redirect off;

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;

    proxy_http_version 1.1;
    proxy_set_header Upgrade websocket;
    proxy_set_header Connection upgrade;
    proxy_read_timeout 86400;
  }
}
	# Used this config to get a React FE (https)
	# to speak with a Clojure BE (port 8001) over wss

	# redirect all http requests to https
	# and also listen on IPv6 addresses
	server {
	listen 80;
	listen [::]:80;
	server_name domain.com www.domain.com _;

	return 301 https://domain.com$request_uri;
	}

	# redirect all http requests to https
	# and also listen on IPv6 addresses
	server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name www.domain.com _;

	return 301 https://domain.com$request_uri;
	}

	# the main server directive for ssl connections
	server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;
	server_name domain.com;
	root /var/www/html;

	# SSL Stuff
	ssl on;

	# paths to certificate and key provided by Let's Encrypt
	ssl_certificate /etc/.../fullchain.pem;
	ssl_certificate_key /etc/.../privkey.pem;

	# SSL settings that currently offer good results in the SSL check
	# and have a reasonable backwards-compatibility, taken from
	# - https://cipherli.st/
	# - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_ecdh_curve secp384r1;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_dhparam /etc/.../dhparam.pem;
	resolver 8.8.8.8 8.8.4.4 valid=600s;
	resolver_timeout 5s;

	# security enhancements
	add_header Strict-Transport-Security "includeSubdomains";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;

	location /socket {
	proxy_pass http://localhost:8001;
	proxy_redirect off;

	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Proto $scheme;

	proxy_http_version 1.1;
	proxy_set_header Upgrade websocket;
	proxy_set_header Connection upgrade;
	proxy_read_timeout 86400;
	}
	}