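# Port 80: serve ACME HTTP-01 challenges in the clear, redirect everything else to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # NOTE(review): no `root` is set in this server, so challenge files are looked up
    # under nginx's compiled-in default html directory, not /var/www/html as in the TLS
    # server below — confirm this matches the webroot the ACME client writes to.
    location /.well-known/acme-challenge {
        try_files $uri =404;
    }

    # NOTE(review): $host comes from the client's Host header, and because this is the
    # catch-all (server_name _) the redirect target reflects whatever Host a client sends.
    # Harmless for the sender, but a fixed hostname here would avoid reflecting
    # attacker-chosen hosts through caches/proxies — confirm which hostnames must keep
    # working before pinning it.
    return 301 https://$host$request_uri;
}

# Port 443: the site itself (static files, optional PHP via php-fpm).
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;

    # `ssl on;` was dropped: the `ssl` parameter on `listen` already enables TLS and the
    # directive is deprecated (removed in newer nginx), so keeping it only risks a
    # config-load failure on upgrade.
    # NOTE(review): with the standard certbot layout chain.pem holds only the
    # intermediate(s); leaf + intermediates is fullchain.pem. This is a custom
    # live-ecdsa directory, so confirm chain.pem really starts with the server
    # certificate — otherwise ssl_certificate must point at the fullchain file.
    ssl_certificate     /etc/letsencrypt/live-ecdsa/lijero.co/chain.pem;
    ssl_certificate_key /etc/letsencrypt/live-ecdsa/lijero.co/privkey.pem;

    # Resumption via the server-side cache only; tickets are off so a long-lived
    # ticket key cannot undermine forward secrecy.
    ssl_session_timeout 1d;
    ssl_session_cache   shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2;
    # ssl_protocols TLSv1.2 TLSv1.3;   # enable once nginx/OpenSSL support TLS 1.3

    # ECDSA-only suites (the key is ECDSA). AEAD suites come first: the original list
    # placed the CBC suite ECDHE-ECDSA-AES256-SHA384 ahead of AES128-GCM, so with
    # ssl_prefer_server_ciphers a client offering both was handed CBC, and it listed
    # ECDHE-ECDSA-AES256-SHA384 twice. The two CBC suites stay last as a legacy
    # fallback; drop them once no client needs them.
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA';
    ssl_prefer_server_ciphers on;
    # NOTE(review): P-256 (prime256v1) and X25519 are omitted; P-256 is the most widely
    # supported curve, so older clients may fail the handshake — confirm this is intended.
    ssl_ecdh_curve secp384r1:secp521r1;

    # OCSP stapling; the stapled response is verified against chain.pem. The resolver is
    # a LAN host, so OCSP lookups do not go out via a public DNS provider.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 192.168.1.1;
    # resolver 8.8.4.4;
    ssl_trusted_certificate /etc/letsencrypt/live-ecdsa/lijero.co/chain.pem;

    # HSTS. `always` (nginx >= 1.7.5; http2 on listen already requires >= 1.9.5) makes
    # nginx emit the header on every status code, not only 2xx/3xx — without it a 404
    # carried no HSTS. max-age is raised from 15768000 (182 days) to one year because
    # the `preload` token is only accepted by hstspreload.org with max-age >= 31536000.
    # The header is repeated inside every location that has its own add_header, because
    # a location's add_header set replaces — does not extend — the server-level set.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    root  /var/www/html;
    index index.xhtml;

    # Directive name fixed while still commented out: CSP has no `image-src`; it is
    # `img-src`, and with default-src 'none' the typo would have blocked every image.
    #add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self';";

    location / {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        # NOTE(review): this Link header has no <url> target, so as written it is not a
        # valid preload hint — the angle-bracketed URL was probably lost in
        # extraction/markup. Restore the stylesheet URL in angle brackets before
        # "; rel=preload; as=style", or drop the header.
        add_header Link "; rel=preload; as=style;";
        try_files $uri $uri/ =404;
        gzip on;
    }

    location /res/ {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        # expires 7d;
        # add_header Cache-Control "public";
        gzip on;
    }

    # No add_header of its own, so this location inherits the server-level HSTS header.
    location /res/cc-by-sa-small.png {
        expires 180d;
    }

    location /res/icon/ {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header Cache-Control "public";
        expires 30d;
        gzip on;
    }

    location /favicon.png {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header Cache-Control "public";
        expires 60d;
        gzip on;
    }

    # PHP via php-fpm over a unix socket.
    # NOTE(review): this relies on snippets/fastcgi-php.conf checking that the resolved
    # script actually exists (the Debian/Ubuntu snippet does, via
    # `try_files $fastcgi_script_name =404;` or an `if (!-f ...)` guard) so that a
    # request like /upload.png/x.php is not handed to php-fpm. If the snippet is a local
    # edit without that check, add it here.
    location ~ \.php$ {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
    }
}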