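# map of content type -> expires header
map $sent_http_content_type $expires {
    default                 off;
    text/html               epoch;
    text/css                max;
    application/javascript  max;
    ~image/                 max;
}

# listen for BS traffic on 80 that lacks a hostname, and just serve
# the "welcome to NGINX" page
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    # NOTE(review): the original read "/user/share/nginx/html", which looks
    # like a typo for the stock nginx docroot /usr/share/nginx/html — confirm
    # on the host which directory actually holds the welcome page.
    root /usr/share/nginx/html;
}

# listen on 80, and 301 all traffic to https
# allow .well-known on 80 though, for Let's Encrypt checks
server {
    listen [::]:80;
    listen 80;
    server_name tomaskrejci.com www.tomaskrejci.com;
    root /var/www/ghost/;

    # "^~" is an anchored prefix match: only URIs that start with
    # /.well-known/ are served from disk, everything else hits the
    # redirect below. The previous "~ /.well-known" regex was unanchored
    # and had an unescaped ".", so any URI containing "/Xwell-known"
    # anywhere in it would also have been served from the docroot.
    # (The old "break;" only affected rewrite-phase directives, of which
    # this location has none, so it is dropped.)
    location ^~ /.well-known/ {
        allow all;
    }

    location / {
        return 301 https://tomaskrejci.com$request_uri;
    }
}

# listen on 443, and forward all www traffic to non-www
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name www.tomaskrejci.com;

    # ssl_certificate is inherited from the http level only, not from a
    # sibling server block, so this vhost had no certificate of its own and
    # the TLS handshake for www.* could not complete. Reuse the same pair
    # as the main vhost — the cert must list www.tomaskrejci.com as a SAN
    # for this to work (TODO confirm the issued cert covers it).
    ssl_certificate /etc/letsencrypt/live/tomaskrejci.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tomaskrejci.com/privkey.pem;

    location / {
        return 301 https://tomaskrejci.com$request_uri;
    }
}

# what we're actually listening on
server {
    # allow ssl and http2 traffic
    # NOTE(review): being default_server on 443 means clients that send no
    # SNI or an unknown hostname are served this site; that is the usual
    # single-site setup, but it is a deliberate choice worth knowing about.
    listen [::]:443 ssl http2 default_server;
    listen 443 ssl http2 default_server;

    # our server name is our hostname
    server_name tomaskrejci.com;

    # point at our SSL certificates
    # NOTE(review): no ssl_protocols / ssl_ciphers are set, so the nginx
    # build defaults apply; review them against current TLS guidance.
    ssl_certificate /etc/letsencrypt/live/tomaskrejci.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/tomaskrejci.com/privkey.pem;

    # setup our access and error logs
    access_log /var/log/nginx/tomaskrejci.com.access.log;
    error_log /var/log/nginx/tomaskrejci.com.error.log;

    # add expires headers for static content
    expires $expires;

    # proxy all of our traffic to Ghost
    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header HOST $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:2368;
        proxy_redirect off;
    }

    # allow Let's Encrypt checks on .well-known without proxying
    # Anchored prefix match for the same reason as on the port-80 vhost.
    # This server block declares no root, so the old location fell back to
    # the compiled-in default docroot; point it at the same directory the
    # port-80 vhost uses (presumably where challenge files are written —
    # verify against the ACME client configuration).
    location ^~ /.well-known/ {
        root /var/www/ghost/;
        allow all;
    }
}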