jkcgs/default.conf

## default.conf
upstream backend {
    server unix:///tmp/backend.sock;
}

server {
    listen 80;
    listen       443 ssl http2;
    server_name example.com;

    include ssl_rules;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location /static/ {
        alias   /home/web/static/;
        gzip on;
    }

    location ~ /.well-known/ {
        root /var/www/letsencrypt;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

    location ~ /\.ht {
        deny  all;
    }

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;

        uwsgi_pass backendd;
        include uwsgi_params;
    }

    # Example for http proxy, no need for upstream block
    #location / {
    #    proxy_pass        http://127.0.0.1:8989;
    #    proxy_set_header  X-Real-IP  $remote_addr;
    #    proxy_set_header        Host            $host;
    #    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    #    proxy_set_header        X-Forwarded-Proto $scheme;
    #    proxy_redirect off;
    #    proxy_buffering off;
    #}
}

## ssl_rules
ssl_protocols TLSv1.2;
ssl_ciphers "ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA";

ssl_ecdh_curve secp384r1;
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_buffer_size 8k;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:TLS:2m;
ssl_session_timeout 10m;
ssl_session_tickets off;

# Run the following command and move the file to the path in the value here
# openssl dhparam -out dhparam.pem 4096
ssl_dhparam /etc/ssl/dhparam.pem;

ssl_stapling on;
ssl_stapling_verify on;
resolver 1.1.1.1 1.0.0.1 valid=300s;
resolver_timeout 5s;

add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
	upstream backend {
	server unix:///tmp/backend.sock;
	}

	server {
	listen 80;
	listen 443 ssl http2;
	server_name example.com;

	include ssl_rules;
	ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

	location /static/ {
	alias /home/web/static/;
	gzip on;
	}

	location ~ /.well-known/ {
	root /var/www/letsencrypt;
	}

	error_page 500 502 503 504 /50x.html;
	location = /50x.html {
	root /usr/share/nginx/html;
	}

	location ~ /\.ht {
	deny all;
	}

	location / {
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_redirect off;

	uwsgi_pass backendd;
	include uwsgi_params;
	}

	# Example for http proxy, no need for upstream block
	#location / {
	# proxy_pass http://127.0.0.1:8989;
	# proxy_set_header X-Real-IP $remote_addr;
	# proxy_set_header Host $host;
	# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	# proxy_set_header X-Forwarded-Proto $scheme;
	# proxy_redirect off;
	# proxy_buffering off;
	#}
	}
	ssl_protocols TLSv1.2;
	ssl_ciphers "ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA";

	ssl_ecdh_curve secp384r1;
	ssl_session_cache shared:le_nginx_SSL:1m;
	ssl_buffer_size 8k;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:TLS:2m;
	ssl_session_timeout 10m;
	ssl_session_tickets off;

	# Run the following command and move the file to the path in the value here
	# openssl dhparam -out dhparam.pem 4096
	ssl_dhparam /etc/ssl/dhparam.pem;

	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 1.1.1.1 1.0.0.1 valid=300s;
	resolver_timeout 5s;

	add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";