server { listen 80 default_server; listen [::]:80; server_name lokal.ccc.de local.ccc.de; access_log /dev/null; location /.well-known { root /var/plainwww; } location / { rewrite ^ https://cpu.ccc.de$request_uri? permanent; } } server { listen443 ssl http2; listen [::]:443 ssl http2; server_name cpu.ccc.de; ssl on; ssl_certificate /home/acme/.acme.sh/lokal.ccc.de/fullchain.cer; ssl_certificate_key /home/acme/.acme.sh/lokal.ccc.de/lokal.ccc.de.key; ssl_session_timeout 5m; ssl_protocols TLSv1.2; # TLSv1.1 TLSv1.2 TLSv1 ; ssl_prefer_server_ciphers on; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_dhparam /etc/nginx/ssl/dhparam.pem; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /home/acme/.acme.sh/lokal.ccc.de/fullchain.cer; resolver 141.1.1.1; ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'; access_log /var/log/nginx/access.cpu.ccc.de.log noip; gzip on; gzip_disable "MSIE [1-6]\.(?!.*SV1)"; gzip_proxied any; gzip_buffers 16 8k; gzip_types text/plain text/html text/css text/xml application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/javascript; gzip_vary on; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; add_header X-Frame-Options SAMEORIGIN; add_header Cache-Control "max-age=3600, must-revalidate"; add_header X-Clacks-Overhead "GNU Terry Pratchett"; add_header Content-Security-Policy "default-src 'none'; script-src 'unsafe-eval' 'unsafe-inline' 'self' ; connect-src wss://cpu.ccc.de 'self' ; img-src 'self' data: blob: filesystem: ; style-src 'self' 'unsafe-inline' 'unsafe-eval' ; media-src 'self' ; font-src 'self' data: blob: filesystem; child-src 'self'"; add_header X-Content-Type-Options 'nosniff'; root /srv/www/cpu.ccc.de; index index.html; default_type text/plain; location / { try_files $uri $uri/ =404; location /feed/ { default_type application/rss+xml; types { text/xml application/rss+xml; } } location /rss { default_type application/rss+xml; } } } server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name lokal.ccc.de local.ccc.de; root /srv/www/cpu.ccc.de; access_log /dev/null; ssl on; ssl_certificate /home/acme/.acme.sh/lokal.ccc.de/fullchain.cer; ssl_certificate_key /home/acme/.acme.sh/lokal.ccc.de/lokal.ccc.de.key; ssl_session_timeout 5m; ssl_protocols TLSv1.2; # TLSv1.1 TLSv1.2 TLSv1 ; ssl_prefer_server_ciphers on; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_dhparam /etc/nginx/ssl/dhparam.pem; ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /home/acme/.acme.sh/lokal.ccc.de/fullchain.cer; resolver 141.1.1.1; ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'; location / { rewrite ^ https://cpu.ccc.de$request_uri? permanent; } }