server { listen [::]:80; listen [::]:443 ssl http2; listen 80; listen 443 ssl http2; server_name dokumente.foo.com; # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate ssl_certificate /var/dehydrated/certs/dokumente.foo.com/fullchain.pem; ssl_certificate_key /var/dehydrated/certs/dokumente/privkey.pem; ssl_dhparam /usr/local/etc/nginx/dhparams-4096.pem; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; # modern configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA25 6:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-S HA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security max-age=15768000; client_max_body_size 300M; location ~ ^/(Public|static|dropzone) { proxy_pass http://127.0.1.9:8000; } location ~ ^/Dokumente/([^/]+)(/.*)? { auth_basic "Dokumente Admin Area"; auth_basic_user_file /var/run/Filer/Daten/Mandanten/$1; proxy_pass http://127.0.1.9:8000; } location /admin { auth_basic "Administratorenbereich"; auth_basic_user_file //var/run/Filer/Daten/admin.pw; proxy_pass http://127.0.1.9:8000; proxy_set_header Host $host; proxy_set_header X-Forwarded-Proto https; proxy_set_header X-Scheme $scheme; proxy_set_header X-Forwarded-For $remote_addr; } location /.well-known/acme-challenge/ { alias /usr/local/www/dehydrated/; } }