nginx.conf

ocha.one.conf

    server {
        listen 80;
        server_name ocha.one;
        if ($request_uri !~ ^/\.well-known) {
            return 301 https://ocha.one$request_uri;
        }
        #PLZ HTTP*S*
    }

    server {
        listen 443 ssl http2;
	      listen [::]:443 ssl http2;
        server_name ocha.one default_server;

        location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
        }

        location ~ /\.(ht|svn|git) {
            deny all;
        }

        location /favicon {
            empty_gif;
            access_log    off;
            log_not_found off;
        }
        
        location ~ /.well-known {
            location ~ /.well-known/acme-challenge/(.*) {
                add_header Content-type application/json;
            }
        }
        
        ssl_certificate /etc/letsencrypt/live/ocha.one/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/ocha.one/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/ocha.one/chain.pem;

	include /etc/nginx/conf.d/ssl.conf;	

        #HSTS 
        #add_header Strict-Transport-Security max-age=259200;
    }

ssl.conf

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;

    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
    ssl_early_data on;   

    add_header Strict-Transport-Security "max-age=15552000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    resolver 8.8.4.4 8.8.8.8 valid=300s;