# See https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1d&guideline=5.6 server { listen 80 default_server; listen [::]:80 default_server; location / { return 301 https://$host$request_uri; } } server { listen 443 ssl http2; listen [::]:443 ssl http2; client_max_body_size 20M; ## Basic authentication # auth_basic "Restricted area"; # auth_basic_user_file /etc/nginx/.htpasswd; access_log /var/log/{host_name}/access.log; error_log /var/log/{host_name}/error.log; server_name {host_name}; ssl_certificate /etc/letsencrypt/archive/{host_name}/fullchain1.pem; ssl_certificate_key /etc/letsencrypt/archive/{host_name}/privkey1.pem; ssl_protocols TLSv1.3; ssl_prefer_server_ciphers off; # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000" always; ssl_dhparam /etc/ssl/dh4096.pem; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/letsencrypt/archive/{host_name}/chain1.pem; keepalive_timeout 60; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; resolver 1.1.1.1 valid=300s; resolver_timeout 10s; location ~ ^/.*$ { proxy_pass http://192.168.196.1:3000; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_hide_header Cross-Origin-Resource-Policy; add_header Cross-Origin-Resource-Policy cross-origin; proxy_hide_header Cross-Origin-Embedder-Policy; add_header Cross-Origin-Embedder-Policy require-corp; } location ~ /\.env { deny all; } location /\.git(|hub)/ { deny all; } }