server { listen 80; listen [::]:80 ipv6only=on; server_name www.i

1. server {
2.     listen 80;
3.     listen [::]:80 ipv6only=on;
4.     server_name www.ilcoloncares.org;
5.  
6.     return 301 https://$server_name$request_uri;
7. }
8.  
9. upstream nodejs {
10.   server 127.0.0.1:8080 max_fails=0;
11. }
12.  
13. server {
14.     listen 443 ssl http2;
15.     listen [::]:443 ssl ipv6only=on http2;
16.     server_name www.ilcoloncares.org;
17.  
18.     ssl_certificate /etc/nginx/ssl/ilcoloncares.crt;
19.     ssl_certificate_key /etc/nginx/ssl/ilcoloncares.key;
20.     ssl_session_cache shared:SSL:10m;
21.     ssl_session_tickets off;
22.  
23.     ssl_protocols TLSv1.2;
24.     ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
25.     ssl_prefer_server_ciphers on;
26.  
27.     # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
28.     add_header Strict-Transport-Security max-age=15768000;
29.  
30.     # OCSP Stapling ---
31.     # fetch OCSP records from URL in ssl_certificate and cache them
32.     ssl_stapling on;
33.     ssl_stapling_verify on;
34.  
35.     ## verify chain of trust of OCSP response using Root CA and Intermediate certs
36.     # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
37.  
38.     resolver 209.208.127.65 209.208.25.18 valid=300s;
39.     resolver_timeout 5s;
40.  
41.     location / {
42.         proxy_pass  http://nodejs;
43.         proxy_redirect off;
44.         proxy_set_header Host $host ;
45.         proxy_set_header X-Real-IP $remote_addr ;
46.         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;
47.         proxy_set_header X-Forwarded-Proto https;
48.     }
49. }