nginx.conf

user nginx;
worker_processes auto;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 2048;
}

http {
    ##
    # Basic Settings
    ##
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;
    server_tokens       off;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    ##
    # Logging Settings
    ##
    log_format          main '$remote_addr - $remote_user [$time_local] "$request" '
                             '$status $body_bytes_sent "$http_referer" '
                             '"$http_user_agent" "$http_x_forwarded_for"';
    access_log          /var/log/nginx/access.log  main;
    error_log           /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml;
    gzip_vary on;

    ##
    # Caching Settings
    ##
    map $sent_http_content_type $expires {
        default                    on;
        text/html                  max;
        text/css                   max;
        application/javascript     max;
        application/woff2          max;
        ~image/                    30d;
    }

    server {
        listen      80;
        listen      [::]:80;
        server_name www.decred.org decred.org default_server;
        return      301 https://www.decred.org$request_uri;
    }

    server {
        listen                    443 ssl http2;
        listen                    [::]:443 ssl http2;
        server_name               www.decred.org decred.org default_server;
        expires $expires;

        access_log                /var/log/nginx/www.decred.org.access.log main;
        error_log                 /var/log/nginx/www.decred.org.error.log;

        ssl_certificate           /etc/pki/decred.org.crt;
        ssl_certificate_key       /etc/pki/private/decred.org.key;

        ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers               EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

        ssl_prefer_server_ciphers on;
        add_header                Strict-Transport-Security max-age=15552001;

        location / {
            proxy_set_header   Host $host;
            proxy_set_header   X-Forwarded-For $remote_addr;
            proxy_http_version 1.1;
            proxy_set_header   Upgrade $http_upgrade;
            proxy_set_header   Connection "upgrade";
            proxy_cache_bypass $http_upgrade;
            proxy_pass         http://127.0.0.1:8000;
        }
    }
}