--- /dev/null
+user http;
+worker_processes 1;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ include mime.types;
+ default_type application/octet-stream;
+
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+
+ access_log syslog:server=unix:/dev/log,tag=nginx,nohostname,severity=info combined;
+ error_log syslog:server=unix:/dev/log,tag=nginx,nohostname,severity=error;
+
+ include sites-enabled/*;
+}
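Review bot: The `http` block never sets `server_tokens`, so with nginx's default (`on`) the exact server version is disclosed in the `Server` response header and on built-in error pages. Adding `server_tokens off;` next to `keepalive_timeout 65;` removes that fingerprint for every site pulled in by `include sites-enabled/*;`. A short comment above the two syslog lines stating that access and error logs go only to the local syslog socket would also help whoever later looks for log files on disk.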
--- /dev/null
+server {
+ include snippets/listen-http.conf;
+ include snippets/listen-tls.conf;
+
+ return 404;
+}
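Review bot: This catch-all appears to be the default server only because `sites-enabled/*` is expanded in sorted order and the symlink is named `default`; no `listen` line carries `default_server`. A site file whose name sorts earlier would silently start answering requests for unknown Host names. Making it explicit needs this block to have its own listen lines, e.g. `listen 443 ssl default_server;` plus the IPv6 and port-80 equivalents, which means separating the listen directives from the certificate settings in `snippets/listen-tls.conf`. The block also completes TLS handshakes with the example.com certificate for any SNI value; if the deployed nginx is 1.19.4 or newer, `ssl_reject_handshake on;` avoids that.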
--- /dev/null
+server {
+ include snippets/listen-tls.conf;
+ server_name example.com;
+
+ root /srv/http/example.com;
+
+ include snippets/standard-server.conf;
+}
+
+server {
+ include snippets/listen-http.conf;
+ server_name example.com;
+
+ return 301 https://example.com$request_uri;
+}
--- /dev/null
+../sites-available/default
\ No newline at end of file
--- /dev/null
+listen 80;
+listen [::]:80;
--- /dev/null
+listen 443 ssl;
+listen [::]:443 ssl;
+
+ssl_certificate /home/letsencrypt/output/latest.pem;
+ssl_certificate_key /home/letsencrypt/domain-key.pem;
+
+# https://wiki.mozilla.org/Security/Server_Side_TLS
+ssl_protocols TLSv1.2;
+ssl_prefer_server_ciphers on;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+
+add_header "Strict-Transport-Security" "max-age=7776000; includeSubdomains" always;
+add_header X-Frame-Options "DENY" always;
+add_header Content-Security-Policy "upgrade-insecure-requests" always;
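Review bot: `ssl_protocols TLSv1.2;` leaves TLS 1.3 disabled, and the last four entries of `ssl_ciphers` (the `ECDHE-*-AES256-SHA384` and `ECDHE-*-AES128-SHA256` suites) are CBC-mode suites that the current intermediate profile of the Mozilla guideline linked in the comment no longer lists. If the build supports it (nginx 1.13.0 or newer with OpenSSL 1.1.1), `ssl_protocols TLSv1.2 TLSv1.3;` and dropping those four suites would bring the snippet in line with that guideline. The three `add_header` lines are inherited by a `location` only while that location declares no `add_header` of its own, so a comment such as `# a location with its own add_header must repeat these` would prevent HSTS and X-Frame-Options from being lost later. `X-Content-Type-Options "nosniff"` is a cheap addition to the same group.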
--- /dev/null
+location ~ /\.git/ {
+ return 403;
+}
+
+
+location = /favicon.ico {
+ log_not_found off;
+ access_log off;
+}
+
+location ~ /apple-touch-icon[^/]*.png {
+ log_not_found off;
+ access_log off;
+}
+
+location = /robots.txt {
+ log_not_found off;
+ access_log off;
+}
+
+location /.well-known/acme-challenge {
+ alias /home/letsencrypt/web-acme-challenge;
+ auth_basic off;
+}
+
+location /healthcheck {
+ return 200;
+}
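Review bot: `location /.well-known/acme-challenge` is a plain prefix with no trailing slash, and the `alias` target has none either, so any URI that merely begins with that string is mapped onto a sibling path of `/home/letsencrypt/web-acme-challenge`. That is the same home directory that holds `domain-key.pem` according to the TLS snippet. Ending both in a slash and using `^~` keeps the mapping inside the challenge directory and stops the regex locations in this file from taking precedence over it: `location ^~ /.well-known/acme-challenge/ {` with `alias /home/letsencrypt/web-acme-challenge/;`. The 403 rule covers only `.git/`; whether other dotfiles under the site roots need the same treatment cannot be judged from this hunk.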