# redirect http to https
server {
	listen 80;
	listen [::]:80;
	server_name _;
	return 307 https://$host$request_uri;
}

# nginx config for tls
server {
	listen 443 ssl;
	listen [::]:443 ssl;
	server_name nsite;

	ssl_certificate /path/to/certificate/fullchain1.pem;
	ssl_certificate_key /path/to/certificate/privkey1.pem;

	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

	location / {
		proxy_cache request_cache;
		proxy_cache_valid 200 60m;
		proxy_cache_valid 404 10m;
		proxy_cache_key $host$uri;
		proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;

		expires 30d;
		add_header Cache-Control "public, no-transform";

		proxy_set_header Host $host;
		proxy_pass http://127.0.0.1:3000;
	}
}