First commit

http_upgrade

@@ -0,0 +1,27 @@
+# Security
+server_tokens off;
+add_header X-Frame-Options                   "SAMEORIGIN"               always;
+add_header X-Content-Type-Options            "nosniff"                  always;
+add_header X-XSS-Protection                  "1; mode=block"            always;
+add_header Referrer-Policy                   "no-referrer"              always;
+add_header X-Permitted-Cross-Domain-Policies "none"                     always;
+add_header X-Robots-Tag                      "noindex, nofollow"        always;
+# CSP breaks some webapps
+# add_header Content-Security-Policy         "default-src 'self';"      always;
+
+# http2
+http2 on;
+
+# http3
+# Open port 443/udp to use http3
+# Add reuseport to ONLY ONE virtual host: listen 443 quic reuseport;
+listen 443 quic;
+add_header Alt-Svc 'h3=":443"; ma=86400';
+quic_retry on;
+http3 on;
+
+# Certbot defaults
+listen 443 ssl;
+include /etc/letsencrypt/options-ssl-nginx.conf;
+ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+add_header Strict-Transport-Security "max-age=31536000" always;