Negaihoshi · August 6, 2018 07:03
diff --git a/nginx.conf b/nginx.conf
 server {
    listen 80;
    listen [::]:80;

    server_name domain;
    root /home/user/nginx;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2369;

    }

    location ~ /.well-known {
        allow all;
    }

    client_max_body_size 50m;


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot
 }
 server {
    listen [::]:443 ssl http2  default_server;
    listen 443 ssl http2;
    server_name domain;

    access_log /var/log/nginx/ghost.access.log;
    error_log  /var/log/nginx/ghost.error.log;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_session_timeout 1d;
    ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/nginx/cert/dhparam.pem;
    #ssl_ciphers [TLS13+AESGCM+AES128|TLS13+AESGCM+AES256|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!DSS:!aNULL;
    ssl_ecdh_curve secp384r1;
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/domain/chain.pem;
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
    keepalive_timeout 70;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
    }
 }
	server {
	listen 80;
	listen [::]:80;

	server_name domain;
	root /home/user/nginx;

	location / {
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header Host $http_host;
	proxy_pass http://127.0.0.1:2369;

	}

	location ~ /.well-known {
	allow all;
	}

	client_max_body_size 50m;


	if ($scheme != "https") {
	return 301 https://$host$request_uri;
	} # managed by Certbot
	}
	server {
	listen [::]:443 ssl http2 default_server;
	listen 443 ssl http2;
	server_name domain;

	access_log /var/log/nginx/ghost.access.log;
	error_log /var/log/nginx/ghost.error.log;

	ssl_protocols TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
	ssl_session_timeout 1d;
	ssl_certificate /etc/letsencrypt/live/domain/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/domain/privkey.pem; # managed by Certbot
	ssl_dhparam /etc/nginx/cert/dhparam.pem;
	#ssl_ciphers [TLS13+AESGCM+AES128\|TLS13+AESGCM+AES256\|TLS13+CHACHA20]:[EECDH+ECDSA+AESGCM+AES128\|EECDH+ECDSA+CHACHA20]:EECDH+ECDSA+AESGCM+AES256:EECDH+ECDSA+AES128+SHA:EECDH+ECDSA+AES256+SHA:[EECDH+aRSA+AESGCM+AES128\|EECDH+aRSA+CHACHA20]:EECDH+aRSA+AESGCM+AES256:EECDH+aRSA+AES128+SHA:EECDH+aRSA+AES256+SHA;
	ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!DSS:!aNULL;
	ssl_ecdh_curve secp384r1;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/letsencrypt/live/domain/chain.pem;
	add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';
	keepalive_timeout 70;
	resolver 8.8.8.8 8.8.4.4 valid=300s;
	resolver_timeout 5s;
	location ^~ /.well-known/acme-challenge/ {
	root /var/www/html;
	}
	}