## RaspiBlitz NGINX config: blitzweb.conf

server {

    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    server_name _;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRS
A+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

    add_header Strict-Transport-Security "max-age=31536000";

    # ToDo(frennkie) might make sense to use lua to check if files are there (e.g. no disk) and use fallback certs)
    ssl_certificate /mnt/hdd/app-data/nginx/tls.cert;
    ssl_certificate_key /mnt/hdd/app-data/nginx/tls.key;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access_raspiblitz.log;
    error_log /var/log/nginx/error_raspiblitz.log;

    root /var/www/blitzweb;

}