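# Edge reverse proxy in front of example.com. Both listeners sit behind a
# PROXY-protocol load balancer at 10.0.0.1, the only peer trusted to supply
# the real client address. Port 80 serves ACME challenges and a health check
# and redirects everything else to HTTPS; port 443 terminates TLS.

server {
    listen 80 default_server proxy_protocol;
    server_name example.com;

    # proxy protocol settings
    # Only the load balancer may rewrite the client IP; widening this CIDR
    # would let any peer spoof the address that ends up in logs and ACLs.
    set_real_ip_from 10.0.0.1/32;
    real_ip_header proxy_protocol;
    real_ip_recursive on;

    # logging
    access_log syslog:server=log.example.local vhost;
    error_log syslog:server=log.example.local;

    # ACME HTTP-01 challenge files are served directly and never redirected.
    # Prefix and alias both end in '/' so the mapping is a directory boundary:
    # without the slashes, /.well-known/acme-challengeFOO would be looked up
    # as /mnt/certs/challengeFOO (a sibling path, not a child of the directory).
    location ^~ /.well-known/acme-challenge/ {
        alias /mnt/certs/challenge/;
    }

    # health uri
    location /health {
        # return 'waf-ok' in plain text.
        # default_type sets the Content-Type of a `return` body; add_header
        # Content-Type would instead emit a second Content-Type header next to
        # nginx's default application/octet-stream. Not using add_header here
        # also keeps any http-level add_header directives (e.g. HSTS) inherited.
        default_type text/plain;
        return 200 'waf-ok';
    }

    # NOTE(review): $host echoes the client-supplied Host header, so on a
    # default_server the redirect target is attacker-influenced. If this block
    # only ever fronts example.com, `https://$server_name$request_uri` pins it.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    # NOTE(review): on nginx >= 1.25.1 the `http2` listen parameter is
    # deprecated in favour of a separate `http2 on;` directive — confirm version.
    listen 443 default_server http2 proxy_protocol ssl;
    server_name example.com;

    # proxy protocol settings
    set_real_ip_from 10.0.0.1/32;
    real_ip_header proxy_protocol;
    real_ip_recursive on;

    # logging
    access_log syslog:server=log.example.local vhost;
    error_log syslog:server=log.example.local;

    # certificates
    ssl_certificate /mnt/certs/certs/example.com/fullchain.pem;
    ssl_certificate_key /mnt/certs/certs/example.com/privkey.pem;

    # tls settings
    ssl_dhparam /etc/nginx/dhparam.pem;
    # Server-side session cache only: tickets are off so a long-lived ticket
    # key cannot undermine forward secrecy; 4h bounds how long a cached
    # session stays resumable.
    ssl_session_timeout 4h;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:20m;
    # NOTE(review): a single curve may force clients whose first key_share is
    # X25519 into an extra HelloRetryRequest round trip; a list such as
    # `X25519:secp384r1` avoids that without weakening the selection.
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers off;
    ssl_protocols TLSv1.3 TLSv1.2;
    # NOTE(review): verified stapling needs a `resolver` to reach the OCSP
    # responder and, unless fullchain.pem carries the full issuer chain,
    # `ssl_trusted_certificate`. Neither appears in this block — confirm they
    # are inherited from the http block, otherwise stapling is silently skipped.
    ssl_stapling on;
    ssl_stapling_verify on;

    # health uri
    location /health {
        # return 'rp-ok' in plain text.
        # default_type, not add_header Content-Type, so the response carries a
        # single Content-Type header and http-level add_header directives
        # are still inherited in this location.
        default_type text/plain;
        return 200 'rp-ok';
    }

    # NOTE(review): this redirect drops $request_uri and points at this
    # server's own name. A request that already arrives as https://example.com/...
    # would loop unless that host is handled by another server block; verify
    # this is meant only as a catch-all for unmatched Host values.
    location / {
        return 301 https://example.com;
    }
}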