map $http_upgrade $connection_upgrade {
 default upgrade;
 '' close;
}

server {
	 listen 443 ssl http2;
	 listen [::]:443 ssl http2;
	 server_name g1.cipherbliss.com;

	 # Ne s'applique pas si vous utilisez un sous-domaine
	 if ($host = www.g1.cipherbliss.com) {
	  return 301 https://g1.cipherbliss.com$request_uri;
	 }

	 access_log /var/log/nginx/duniter-access.log;
	 error_log /var/log/nginx/duniter-error.log;

	    location / {
		proxy_pass http://127.0.0.1:10901;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection 'upgrade';
		proxy_set_header Host $host;
		proxy_cache_bypass $http_upgrade;
	    }

	    location /ws2p {
		        proxy_pass http://127.0.0.1:10901;
		        proxy_http_version 1.1;
		        proxy_set_header Upgrade $http_upgrade;
		        proxy_set_header Connection "upgrade";
	    }

	 # HTTPS
	 ssl_certificate /etc/letsencrypt/live/g1.cipherbliss.com/fullchain.pem;
	 ssl_certificate_key /etc/letsencrypt/live/g1.cipherbliss.com/privkey.pem;
	 ssl_protocols TLSv1.2;
	 ssl_ecdh_curve prime256v1;
	 ssl_ciphers EECDH+AESGCM:EECDH+AES;
	 ssl_prefer_server_ciphers on;
	 resolver 80.67.169.12 80.67.169.40 valid=300s;
	 resolver_timeout 5s;
	 ssl_session_cache shared:SSL:10m;
	 add_header Strict-Transport-Security "max-age=15768000";

	 add_header Referrer-Policy "strict-origin-when-cross-origin";
 }