Just for future reference for myself.
# Global nginx configuration: TLS-1.3-only termination plus the reverse-proxy
# headers shared by every server block included from /etc/nginx/http.d/.
# Worker processes drop to this unprivileged user after the master has bound the ports.
user nginx;
# One worker per CPU core.
worker_processes auto;
# JIT-compile regular expressions (locations, maps); requires a PCRE build with JIT.
pcre_jit on;
error_log /var/log/nginx/error.log warn;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
charset utf-8;
charset_types text/* application/javascript application/json;
# Hide the nginx version in the Server header and on built-in error pages.
server_tokens off;
# Request bodies above 1 MiB are rejected with 413; raise this per location
# if an upstream legitimately needs larger uploads.
client_max_body_size 1m;
sendfile on;
tcp_nopush on;
# TLS 1.3 only: clients without 1.3 support are refused at the handshake.
ssl_protocols TLSv1.3;
# TLS 1.3 suites are configured through OpenSSL's "Ciphersuites" knob rather than
# ssl_ciphers. Only the ChaCha20 and AES-256 suites are offered; TLS_AES_128_GCM_SHA256 is omitted.
ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384;
# The server's suite order above wins over the client's preference.
ssl_prefer_server_ciphers on;
# Only the hybrid X25519+ML-KEM key exchange is offered, with no classical
# fallback group. The OpenSSL build must support this group, and clients that
# do not offer it will fail the handshake rather than negotiate X25519 alone.
ssl_conf_command Groups X25519MLKEM768;
# Server-side resumption cache shared by all workers; entries live for 1h.
ssl_session_cache shared:SSL:2m;
ssl_session_timeout 1h;
# No stateless session tickets, so resumption goes only through the cache above
# and there is no long-lived ticket-encryption key to protect.
ssl_session_tickets off;
# Leaf certificate with its chain, and the private key. The key file should be
# readable only by the user nginx starts as (it is read by the master process).
ssl_certificate /etc/acmeleaf/lindenii.org/leaf-chain.pem;
ssl_certificate_key /etc/acmeleaf/lindenii.org/key.pem;
# Response compression disabled. A side benefit is that compression-ratio side
# channels (BREACH-style) on responses mixing secrets with client-influenced
# content do not apply at this layer.
gzip off;
# WebSocket support: forward "Connection: upgrade" only when the client sent an
# Upgrade header; otherwise ask the upstream to close the connection.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Strictly speaking this is wrong if someone sets up HTTPS on port 80
# or HTTP on 443, but nobody does that
# Suffix appended to Host / X-Forwarded-Host so upstreams see a non-default port.
map $server_port $port_suffix {
default ":$server_port";
"80" "";
"443" "";
}
# HTTP/1.1 to upstreams; required for the Upgrade handshake above.
proxy_http_version 1.1;
# NOTE: proxy_set_header directives are inherited by a server/location block only
# if that block defines none of its own. A single proxy_set_header in an included
# server block silently discards this entire list for that block.
proxy_set_header Host $host$port_suffix;
# X-Real-IP is always the direct TCP peer. X-Forwarded-For appends $remote_addr to
# any client-supplied X-Forwarded-For, so upstreams must trust only the rightmost
# entry (the one this proxy added), never the list as a whole.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host$port_suffix;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
# TLS handshake details for upstreams. When a variable is empty (plain-HTTP
# listener, or no client-certificate verification configured) proxy_set_header
# drops the header entirely, which also discards any client-supplied header of
# the same name, so these values cannot be spoofed from the outside.
proxy_set_header X-SSL-Protocol $ssl_protocol;
proxy_set_header X-SSL-Cipher $ssl_cipher;
proxy_set_header X-SSL-Curve $ssl_curve;
proxy_set_header X-SSL-Curves $ssl_curves;
proxy_set_header X-SSL-Ciphers $ssl_ciphers;
proxy_set_header X-SSL-ALPN $ssl_alpn_protocol;
proxy_set_header X-SSL-Session-ID $ssl_session_id;
proxy_set_header X-SSL-Session-Reused $ssl_session_reused;
# "1" when the request arrived as TLS 1.3 0-RTT data (only possible if a server
# block enables ssl_early_data). Upstreams should treat such requests as
# potentially replayed and not act on non-idempotent ones.
proxy_set_header X-SSL-Early-Data $ssl_early_data;
proxy_set_header X-SSL-Server-Name $ssl_server_name;
# Client-certificate fields: populated only when a server block enables
# ssl_verify_client. X-SSL-Client-Cert carries the full certificate, URL-encoded.
proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
proxy_set_header X-SSL-Client-Issuer $ssl_client_i_dn;
proxy_set_header X-SSL-Client-Serial $ssl_client_serial;
proxy_set_header X-SSL-Client-Fingerprint $ssl_client_fingerprint;
proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
proxy_set_header X-SSL-Client-Not-Before $ssl_client_v_start;
proxy_set_header X-SSL-Client-Not-After $ssl_client_v_end;
proxy_set_header X-SSL-Client-Days-Remaining $ssl_client_v_remain;
# Combined-style access log. With the default escaping, nginx escapes quotes,
# backslashes and control characters in variable values, so client-controlled
# fields such as User-Agent or X-Forwarded-For cannot break the line format.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
# Per-site server blocks (listen, server_name, proxy_pass, any ssl_verify_client
# or HSTS headers) are expected to live here.
include /etc/nginx/http.d/*.conf;
}