rublev.io.conf

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name rublev.io www.rublev.io;
	return 301 https://$server_name$request_uri;
}

server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;
	include snippets/ssl-rublev.io.conf;
	include snippets/ssl-params.conf;
	server_name rublev.io www.rublev.io;
	root /home/rublev/sites/rublev.io;
	index index.html;
	location / {
		try_files $uri $uri/ =404;
	}
	location ~ /.well-known {
		allow all;
	}
}

upstream jenkins {
	server 127.0.0.1:8081 fail_timeout=0;
}

server {
	listen 80;
	server_name jenkins.rublev.io;
	return 301 https://$host$request_uri;
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name jenkins.rublev.io;

	ssl_certificate /etc/letsencrypt/live/jenkins.rublev.io/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/jenkins.rublev.io/privkey.pem;
	location ~ /.well-known {
		allow all;
	}
	location / {
		proxy_set_header        Host $host:$server_port;
		proxy_set_header        X-Real-IP $remote_addr;
		proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header        X-Forwarded-Proto $scheme;
		proxy_redirect http:// https://;
		proxy_pass              http://jenkins;
		# Required for new HTTP-based CLI
		proxy_http_version 1.1;
		proxy_request_buffering off;
	}
}

ssl-params.conf

# ORIGINAL PARAMS FROM CYPHERLI.ST
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

	# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ssl_prefer_server_ciphers on;
	# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	# ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
	# ssl_session_cache shared:SSL:10m;
	# ssl_session_tickets off; # Requires nginx >= 1.5.9
	# ssl_stapling on; # Requires nginx >= 1.3.7
	# ssl_stapling_verify on; # Requires nginx => 1.3.7
	# resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
	# resolver_timeout 5s;
	# add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
	# add_header X-Frame-Options DENY;
	# add_header X-Content-Type-Options nosniff;

# MODIFIED DIGITALOCEAN PARAMS
# https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04#step-1-install-let's-encrypt-client

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_ecdh_curve secp384r1;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;
	# Disable preloading HSTS for now.  You can use the commented out header line that includes
	# the "preload" directive if you understand the implications.
	#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;

	ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl-rublev.io.conf

ssl_certificate /etc/letsencrypt/live/rublev.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/rublev.io/privkey.pem;