server { listen ${NGINX_PORT} default_server; listen ${NGINX_SSL_PORT} ssl http2 default_server; server_name ${NGINX_HOST}; ssl_certificate ${CERTIFICATE_PATH}; ssl_certificate_key ${CERTIFICATE_KEY_PATH}; ssl_protocols ${SSL_PROTOCOLS}; ssl_ciphers ${SSL_CIPHERS}; ssl_prefer_server_ciphers off; ssl_dhparam /etc/nginx/certs/dhparams.pem; # Logjam ssl_session_timeout 1d; ssl_session_tickets off; ssl_session_cache shared:TLS:10m; # About 40k sessions # OCSP stapling ssl_stapling on; ssl_stapling_verify on; # Set HSTS to 365 days add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always; # resolver 127.0.0.1; # DDoS client_body_buffer_size ${CLIENT_BODY_BUFFER_SIZE}; client_header_buffer_size ${CLIENT_HEADER_BUFFER_SIZE}; client_max_body_size ${CLIENT_MAX_BODY_SIZE}; large_client_header_buffers ${LARGE_CLIENT_HEADER_BUFFERS}; location / { root /var/www/html; index index.html index.htm index.php; } }