theukedge/gist:a64a4790e00159febe73

## gistfile1.txt
# redirect http to https
server {
	listen   80; ## listen for ipv4; this line is default and implied
	listen   [::]:80; ## listen for ipv6

	server_name dave.pe www.dave.pe;

	return 301 https://dave.pe$request_uri;
}

# redirect https://www to https://
server {
	listen   443 ssl;
	listen   [::]:443 ssl;

	server_name www.dave.pe;

	ssl_certificate /etc/letsencrypt/live/dave.pe/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/dave.pe/privkey.pem;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;

	# openssl dhparam -out dhparam.pem 2048
	ssl_dhparam /etc/nginx/dhparam.pem;

	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	ssl_prefer_server_ciphers on;

	add_header Strict-Transport-Security max-age=15768000;

	ssl_stapling on;
	ssl_stapling_verify on;

	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
	ssl_trusted_certificate /etc/letsencrypt/live/dave.pe/chain.pem;
	resolver 8.8.8.8 8.8.4.4 valid=86400;
	resolver_timeout 10;

	return 302 https://dave.pe$request_uri;
}
	# redirect http to https
	server {
	listen 80; ## listen for ipv4; this line is default and implied
	listen [::]:80; ## listen for ipv6

	server_name dave.pe www.dave.pe;

	return 301 https://dave.pe$request_uri;
	}

	# redirect https://www to https://
	server {
	listen 443 ssl;
	listen [::]:443 ssl;

	server_name www.dave.pe;

	ssl_certificate /etc/letsencrypt/live/dave.pe/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/dave.pe/privkey.pem;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:10m;

	# openssl dhparam -out dhparam.pem 2048
	ssl_dhparam /etc/nginx/dhparam.pem;

	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	ssl_prefer_server_ciphers on;

	add_header Strict-Transport-Security max-age=15768000;

	ssl_stapling on;
	ssl_stapling_verify on;

	## verify chain of trust of OCSP response using Root CA and Intermediate certs
	#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
	ssl_trusted_certificate /etc/letsencrypt/live/dave.pe/chain.pem;
	resolver 8.8.8.8 8.8.4.4 valid=86400;
	resolver_timeout 10;

	return 302 https://dave.pe$request_uri;
	}