server {
    listen 443 ssl;
    root /keeweb;
    index index.html;
    server_name localhost;
    ssl_certificate /etc/nginx/external/cert.pem;
    ssl_certificate_key /etc/nginx/external/key.pem;

    server_tokens off;
    add_header X-Content-Type-Options nosniff;

    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";

    # https://scotthelme.co.uk/a-plus-rating-qualys-ssl-test/
    # http://www.howtoforge.com/ssl-perfect-forward-secrecy-in-nginx-webserver

    ssl_dhparam /etc/nginx/external/dh.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # disable poodle
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

    location / {
        try_files $uri $uri/ =404;
    }
    location ~ /\. {
        deny all;
    }
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}