Containerised NGINX config for HTTPS with HTTP/2 with Let's Encrypt certificates. https://tomlankhorst.nl/secure-nginx-docker-container-with-lets-encrypt/

## nginx.conf
# Used on nginx/1.15.5
# https://tomlankhorst.nl/secure-nginx-docker-container-with-lets-encrypt/
#
# see: https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.15.5a&openssl=1.0.1e&hsts=yes&profile=modern
# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
server {

    listen 80 default_server;

    root /application/public/;

    # allow access to /.well-known through HTTP
    location /.well-known {
        try_files $uri $uri/ =404;
    }

    # redirect all other requests to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

server {

    # Listen to HTTPS on 443 and allow HTTP/2
    listen 443 ssl http2 default;

    # Path to the chain and privkey (Let's Encrypt)
    ssl_certificate /certs/fullchain.pem;
    ssl_certificate_key /certs/privkey.pem;

    # Improve HTTPS performance with session resumption
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Enable server-side protection against BEAST attacks
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # Diffie-Hellman parameter for DHE ciphersuites
    # $ openssl dhparam -out dhparam.pem 4096
    ssl_dhparam /certs/dhparam.pem;

    # Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
    # uses Google DNS servers
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /certs/fullchain.pem;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    # Logging in a container
    access_log /dev/stdout;
    error_log stderr error;
    error_log /dev/stdout info;

    root /application/public/;
    index index.html index.htm;

    charset utf-8;

    # TODO: Compression, interpreters, websocket proxies, logging, XSS headers, ...

}
	# Used on nginx/1.15.5
	# https://tomlankhorst.nl/secure-nginx-docker-container-with-lets-encrypt/
	#
	# see: https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.15.5a&openssl=1.0.1e&hsts=yes&profile=modern
	# Oldest compatible clients: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8
	server {

	listen 80 default_server;

	root /application/public/;

	# allow access to /.well-known through HTTP
	location /.well-known {
	try_files $uri $uri/ =404;
	}

	# redirect all other requests to HTTPS
	location / {
	return 301 https://$host$request_uri;
	}
	}

	server {

	# Listen to HTTPS on 443 and allow HTTP/2
	listen 443 ssl http2 default;

	# Path to the chain and privkey (Let's Encrypt)
	ssl_certificate /certs/fullchain.pem;
	ssl_certificate_key /certs/privkey.pem;

	# Improve HTTPS performance with session resumption
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;

	# Enable server-side protection against BEAST attacks
	ssl_protocols TLSv1.2;
	ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
	ssl_prefer_server_ciphers on;

	# Diffie-Hellman parameter for DHE ciphersuites
	# $ openssl dhparam -out dhparam.pem 4096
	ssl_dhparam /certs/dhparam.pem;

	# Enable OCSP stapling (http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox)
	# uses Google DNS servers
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /certs/fullchain.pem;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;

	# Logging in a container
	access_log /dev/stdout;
	error_log stderr error;
	error_log /dev/stdout info;

	root /application/public/;
	index index.html index.htm;

	charset utf-8;

	# TODO: Compression, interpreters, websocket proxies, logging, XSS headers, ...

	}