server { server_name changethis; listen 443 ssl; listen [::]:443 ssl; http2 on; ssl_certificate /etc/letsencrypt/live/changethis/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/changethis/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; add_header strict_sni on; add_header strict_sni_header on; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header Content-Security-Policy upgrade-insecure-requests; add_header X-XSS-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "DENY"; add_header Clear-Site-Data "cookies"; add_header Referrer-Policy "no-referrer"; add_header Permissions-Policy "interest-cohort=(),accelerometer=(),ambient-light-sensor=(),autoplay=(),camera=(),encrypted-media=(),focus-without-user-activation=(),geolocation=(),gyroscope=(),magnetometer=(),microphone=(),midi=(),payment=(),picture-in-picture=(),speaker=(),sync-xhr=(),usb=(),vr=()"; resolver 1.1.1.1; ssl_trusted_certificate /etc/letsencrypt/live/changethis/chain.pem; ssl_stapling on; ssl_stapling_verify on; access_log /dev/null; error_log /dev/null; location / { proxy_set_header X-Forwarded-For $remote_addr; proxy_pass http://localhost:8280; } } server { listen 80; listen [::]:80; server_name changethis; return 301 https://changethis$request_uri; }