geerlingguy-ansible-for-devops/https-self-signed/provisioning/templates/https.test.conf.j2

# HTTPS Test server configuration.

# Redirect HTTP traffic to HTTPS.
server {
    listen 80 default_server;
    server_name _;
    index index.html;
    return 301 https://$host$request_uri;
}

# Serve HTTPS traffic using the self-signed certificate created by Ansible.
server {
    listen 443 ssl default_server;
    server_name {{ server_hostname }};
    index index.html;
    root {{ nginx_docroot }};

    ssl_certificate {{ certificate_dir }}/{{ server_hostname }}/fullchain.pem;
    ssl_certificate_key {{ certificate_dir }}/{{ server_hostname }}/privkey.pem;
    ssl_trusted_certificate {{ certificate_dir }}/{{ server_hostname }}/fullchain.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+AESGCM:EECDH+AES;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;

    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
}