http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; keepalive_timeout 65; types_hash_max_size 4096; include /etc/nginx/mime.types; default_type application/octet-stream; # Load modular configuration files from the /etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. include /etc/nginx/conf.d/*.conf; server { listen 80; listen [::]:80; return 301 https://$host$request_uri; } # Settings for a TLS enabled server. # server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name {{ host_fqdn }}; root /usr/share/nginx/html; ssl_certificate /etc/letsencrypt/live/{{ server_nginx_certname }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ server_nginx_certname }}/privkey.pem; # Allow TLS version 1.2 only, which is a recommended default these days # by international information security standards. ssl_protocols TLSv1.2; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; error_page 404 /404.html; location = /404.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } location ~ /\.git { return 404; } location ~ ^/~(.+?)(/.*)?$ { alias /home/$1/public_html$2; autoindex on; } } map $http_upgrade $connection_upgrade { default upgrade; '' close; } }