server { listen 443 ssl http2; listen [::]:443 ssl http2; {% if proxy_protocol %} # Alternate Port for PROXY PROTOCOL incoming connections listen 10443 ssl http2 proxy_protocol; listen [::]:10443 ssl http2 proxy_protocol; # RealIP rewrite authorized for connection from reverse-proxy set_real_ip_from {{ hostvars | ip_from_inventory('vm_gateway') }}; real_ip_header proxy_protocol; {% endif %} # Do not advertise nginx version number server_tokens off; # Certificates location from CertBot ssl_certificate /etc/letsencrypt/live/{{ server_fqdn }}/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/{{ server_fqdn }}/privkey.pem; # TLS Mozilla Guideline v5.4, # nginx 1.14.2, OpenSSL 1.1.1d, modern configuration ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; # modern configuration ssl_protocols TLSv1.3; ssl_prefer_server_ciphers off; # HSTS (2 years, no preloading) add_header Strict-Transport-Security "max-age=63072000" always; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; # verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate /etc/letsencrypt/live/{{ server_fqdn }}/chain.pem; # Include custom locations include /etc/nginx/locations/{{ server_fqdn }}/*.conf; }