server { listen 443 ssl; listen [::]:443 ssl; server_name ; root /path/to/frontend/; index index.html; ssl_certificate /etc/letsencrypt/live//fullchain.pem; ssl_certificate_key /etc/letsencrypt/live//privkey.pem; # This block should go into a `ssl_options` file and included inside server block of all vhosts. # Remove this line below if you are not using Certbot ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; ssl_session_cache shared:le_nginx_SSL:10m; ssl_session_timeout 1440m; ssl_session_tickets off; ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers off; ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA"; access_log /var/log/nginx/.access.log; error_log /var/log/nginx/.error.log; large_client_header_buffers 4 32k; location ~ ^.*fonts\/(.*)$ { add_header Access-Control-Allow-Origin *; proxy_pass http:///api/theme/fonts/$1; proxy_http_version 1.1; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-NginX-Proxy true; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } location / { try_files $uri @index; } location @index { add_header Cache-Control "no-store, no-cache, must-revalidate"; expires 0; try_files /index.html =404; } } server { listen 80; listen [::]:80; server_name ; return 301 https://$host$request_uri; }