forksand-it-manual/source/resources/apps/Ansible-Gitea/roles/nginx/templates/nginxssl.conf.j2

server {
  # Bindings
  listen 443 default_server ssl http2;
  server_name {{ nginx_domain_name }};
  root /var/www/html;
  index index.php index.html index.htm;

  # Certificate information
  ssl_certificate  /etc/letsencrypt/live/{{ nginx_domain_name }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ nginx_domain_name }}/privkey.pem;

  # Limit ciphers to PCI DSS compliant ciphers.
  ssl_ciphers HIGH:!aNULL:!MD5;
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_dhparam    /etc/nginx/dhparams.pem;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";

  gzip  on;
  gzip_http_version 1.0;
  gzip_comp_level 2;
  gzip_min_length 1100;
  gzip_buffers     4 8k;
  gzip_proxied any;
  gzip_types
        # text/html is always compressed by HttpGzipModule
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/json
        application/xml
        application/rss+xml
        font/truetype
        font/opentype
        application/vnd.ms-fontobject
        image/svg+xml;

   gzip_static on;

   gzip_proxied        expired no-cache no-store private auth;
   gzip_vary on;

   location / {
        proxy_pass http://127.0.0.1:{{ gitea_http_port }};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }


}