example-nginx.conf

#
# Example nginx vhost config
#
# This config file would serve for production. Changing the port below to 4000
# and the server_name instances to stage.XXX would create the staging conf.
# The letsencrypt key and cert locations will depend upon the domain used.
# Traffic will be redirected from http to https and from the naked domain to
# the www subdomain.
#

map $sent_http_content_type $expires {
    "text/html"                 epoch;
    "text/html; charset=utf-8"  epoch;
    default                     off;
}

server {
    server_name XXX.com;
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/XXX/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/XXX/privkey.pem; # managed by Certbot
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    return 301 https://www.XXX.com$request_uri;
}

server {
    server_name www.XXX.com;
    index index.html;
    gzip            on;
    gzip_types      text/plain application/xml text/css application/javascript;
    gzip_min_length 1000;
    charset utf-8;
    location / {
        expires $expires;
        proxy_redirect                      off;
        proxy_set_header Host               $host;
        proxy_set_header X-Real-IP          $remote_addr;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_read_timeout          1m;
        proxy_connect_timeout       1m;
        proxy_pass                          http://127.0.0.1:3000; # set the address of the Node.js instance here
    }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/XXX/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/XXX/privkey.pem; # managed by Certbot
    #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.XXX.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = XXX.com) {
        return 301 https://www.$host$request_uri;
    } # managed by Certbot
    server_name XXX.com www.XXX.com;
    listen 80;
    return 404; # managed by Certbot
}