worker_processes 1; events { worker_connections 1024; } http { include mime.types; include ./conf.d/*.conf; default_type application/octet-stream; sendfile on; server_tokens off; server { listen 80 default_server; return 301 https://www.site1.com$1; } server { listen 443 ssl http2; server_name www.site1.com; ssl_certificate /etc/ssl/certs/site1.com.crt; ssl_certificate_key /etc/ssl/private/site1.com.key; ssl_trusted_certificate /etc/ssl/certs/ca.pem; ssl_stapling on; ssl_stapling_verify on; ssl_session_cache shared:SSL:20m; ssl_session_timeout 180m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options DENY; location / { proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header Host $http_host; proxy_pass "http://127.0.0.1:3000"; } } }