
Nginx server config

a guest
Sep 24th, 2019
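  # Plain-HTTP listener. It answers the ACME HTTP-01 challenge and redirects
  # every other request to HTTPS, so no application traffic is proxied in
  # cleartext and the HSTS policy sent over TLS is not undermined by a
  # parallel HTTP copy of the site.
  server {
      listen 80;
      listen [::]:80;
      server_name www.domain.gq domain.gq localhost;

      # certbot webroot challenge files. Let's Encrypt's HTTP-01 validation
      # connects on port 80, so the path must be answered here and not
      # handed to the backend.
      location '/.well-known/acme-challenge' {
          default_type "text/plain";
          root /var/www/html;
      }

      # Permanent redirect to the TLS listener.
      # NOTE(review): $host echoes the name the client asked for; if this block
      # is also the default server for port 80, redirect to a fixed name instead.
      location / {
          return 301 https://$host$request_uri;
      }
  }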
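  # TLS listener: terminates HTTPS (IPv4 and IPv6, HTTP/2) and proxies to the
  # backend on 127.0.0.1:32400.
  server {
      listen 443 ssl http2;
      listen [::]:443 ssl http2;
      server_name www.domain.gq domain.gq localhost;
      ssl_certificate /etc/letsencrypt/live/domain.gq/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/domain.gq/privkey.pem;

      ssl_session_cache shared:SSL:10m;
      ssl_session_timeout 10m;

      # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
      # Every suite in ssl_ciphers below is TLS 1.2-only, so those versions
      # could not complete a handshake with this list anyway.
      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_prefer_server_ciphers on;
      # All suites use ECDHE key exchange (forward secrecy). The last two
      # entries are CBC-mode suites; drop them if no client still needs them.
      ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";

      # Used only by DHE suites; none is listed in ssl_ciphers above.
      ssl_dhparam /etc/ssl/ffdhe4096.pem;
      # NOTE(review): this omits X25519 and prime256v1, so clients that offer
      # only those curves cannot connect. Confirm that is intended.
      ssl_ecdh_curve secp521r1:secp384r1;

      # "always" makes nginx emit the header on error responses too; without
      # it HSTS is missing from 4xx/5xx replies. These add_header directives
      # are inherited by the locations below only while those locations
      # declare no add_header of their own.
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

      add_header X-Frame-Options DENY always;

      add_header X-Content-Type-Options nosniff always;

      # Legacy header that current browsers ignore; Content-Security-Policy
      # is the maintained control.
      add_header X-Xss-Protection "1; mode=block" always;

      # OCSP stapling; nginx resolves the responder host through the
      # resolver configured below.
      ssl_stapling on;
      ssl_stapling_verify on;
      ssl_trusted_certificate /etc/letsencrypt/live/domain.gq/fullchain.pem;
      resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s;
      resolver_timeout 5s;

      # Required for LE certificate enrollment using certbot.
      # HTTP-01 validation starts on port 80 and reaches this location only
      # if the port-80 server redirects to HTTPS or serves the same path.
      location '/.well-known/acme-challenge' {
          default_type "text/plain";
          root /var/www/html;
      }
      # NOTE(review): nginx does not verify the upstream certificate unless
      # proxy_ssl_verify is enabled. The hop is loopback-only here; revisit if
      # the backend ever moves off this host.
      location / {
          proxy_pass https://127.0.0.1:32400;
      }
  }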