map $http_upgrade $connection_upgrade { default upgrade; "" close; } ssl_protocols TLSv1.2 TLSv1.3; ssl_ecdh_curve X25519:prime256v1:secp384r1; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305; ssl_prefer_server_ciphers on; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; server { server_name app.cxap.quest; listen unix:/dev/shm/nginx.sock ssl proxy_protocol; http2 on; ssl_certificate "/etc/nginx/ssl/node/fullchain.pem"; ssl_certificate_key "/etc/nginx/ssl/node/privkey.pem"; ssl_trusted_certificate "/etc/nginx/ssl/node/fullchain.pem"; root /var/www/html; index index.html; } server { listen unix:/dev/shm/nginx.sock ssl proxy_protocol default_server; server_name _; ssl_reject_handshake on; return 444; }