# http://nginx.org/en/docs/http/websocket.html map $http_upgrade $connection_upgrade { default upgrade; '' close; } # http server server { listen 80; listen [::]:80; server_name www.c2a-systeme.fr; location / { # redirect everything to HTTPS return 301 https://$host$request_uri; } } # https server server { server_name www.c2a-systeme.fr; listen 443 http2; listen [::]:443 http2; ssl on; ssl_certificate /etc/letsencrypt/live/www.c2a-systeme.fr/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.c2a-systeme.fr/privkey.pem; ssl_session_timeout 10m; ssl_session_cache shared:SSL:50m; # Enable server-side protection against BEAST attacks ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE ssl_prefer_server_ciphers on; ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"; # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096 ssl_dhparam /etc/ssl/ffdhe4096.pem; ssl_ecdh_curve secp521r1:secp384r1; # Enable OCSP stapling # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/letsencrypt/live/www.c2a-systeme.fr/fullchain.pem; resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare resolver_timeout 5s; root /var/www/html/c2a-web-platform; index index.html; # Required for LE certificate enrollment using certbot location '/.well-known/acme-challenge' { default_type "text/plain"; root /var/www/html; } location / { try_files $uri $uri/ /index.html =404; } }