Nginx config for an A+ grade on Qualys SSL Labs

Here is my go-to config for any internet-facing server that scores grade A+ on Qualys SSL Labs.

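server {
    listen 443 ssl; # managed by Certbot
    listen [::]:443 ssl; # managed by Certbot
    server_name example.com; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # HSTS (ngx_http_headers_module is required) (2 years)
    # 'includeSubDomains' + 'preload' commits every subdomain to HTTPS and, once the
    # domain is submitted to the browser preload list, is very hard to roll back --
    # drop 'preload' unless you actually intend to submit it. 'always' sends the
    # header on error responses too, which the preload list checks for.
    add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload' always;

    #include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    # Resumption uses the server-side shared cache only (24h). Tickets are off so
    # resumption does not depend on a long-lived ticket key, which -- if stolen --
    # would decrypt every session it protected.
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;

    # Server cipher order wins for TLS 1.2. Note that ssl_ciphers does not govern
    # the TLS 1.3 suites; those are only adjustable via ssl_conf_command.
    ssl_prefer_server_ciphers on;
    # X25519 is what current browsers negotiate first; secp521r1 is not offered by
    # Chrome, so with only the two large curves every handshake fell back to P-384.
    # prime256v1 at the end keeps older P-256-only clients working; none of these
    # affect the SSL Labs grade.
    ssl_ecdh_curve X25519:secp521r1:secp384r1:prime256v1;
    # EECDH+AES256 also matches the CBC suites (...-AES256-SHA384 / -SHA), which
    # SSL Labs marks as "weak"; they only serve clients that lack AES-GCM. Consider
    # adding EECDH+CHACHA20 for clients without AES hardware acceleration.
    ssl_ciphers EECDH+AESGCM:EECDH+AES256;

    # OCSP stapling. Per the nginx docs, ssl_stapling_verify needs the issuer chain
    # (intermediates and root) configured via ssl_trusted_certificate; without it
    # the stapled response cannot be verified. Certbot's chain.pem holds the
    # intermediate(s) -- confirm whether your build also needs the root appended.
    # NOTE(review): Let's Encrypt has announced it is winding down OCSP in favour
    # of CRLs; check that your certificates still carry an OCSP URL, otherwise
    # stapling has nothing to fetch.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    # Used to resolve the OCSP responder hostname; this lookup is plain DNS, so keep
    # it pointed at a resolver you trust.
    resolver 127.0.0.1; # or other DNS server

    root /var/www/html/;

    # Only hides Apache-style .htaccess/.htpasswd files; other dotfiles under root
    # (.git, .env, ...) are still served. A broader `location ~ /\.` deny would
    # need to exempt /.well-known/ or Certbot HTTP-01 renewals may break.
    location ~ /\.ht { deny all; }

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    index index.html index.htm index.nginx-debian.html;

}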
server {
    # Plain-HTTP listener: the canonical host is redirected to HTTPS; any other
    # Host header (IP access, unknown vhost) gets a 404 instead of a redirect.
    listen 80;
    listen [::]:80;
    server_name example.com;

    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    return 404; # managed by Certbot
}