listen  80;
listen  [::]:80;
listen  443 ssl;
listen  [::]:443 ssl;

if ($scheme != "https") {
	return	302 https://$host$request_uri;
}

# https://wiki.mozilla.org/Security/Server_Side_TLS
# https://ssl-config.mozilla.org/
ssl_certificate		ssl.cer;
ssl_certificate_key	ssl.key;
ssl_session_timeout	1d;
ssl_session_cache	shared:SSL:10m;
ssl_session_tickets	off;
ssl_protocols		TLSv1.2 TLSv1.3;
ssl_ciphers		ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers	off;
add_header		Strict-Transport-Security "max-age=63072000" always;	# HSTS (needs ngx_http_headers_module)
ssl_stapling		on;	# OCSP stapling
ssl_stapling_verify     on;

location /.well-known/ {
	root /var/www;
}