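# HTTPS listeners for IPv4 and IPv6, with HTTP/2 negotiated over TLS.
# NOTE(review): newer nginx releases deprecate the `http2` listen parameter in
# favour of a separate `http2 on;` directive. Confirm against the deployed version.
listen 443 ssl http2;
listen [::]:443 ssl http2;

# TLS 1.1 is formally deprecated (RFC 8996) and has no AEAD cipher suites, so
# only TLS 1.2 is enabled. Add TLSv1.3 once the nginx/OpenSSL build in use
# supports it.
ssl_protocols TLSv1.2;

# Cipher preference, strongest first: forward-secret AES-GCM, then
# forward-secret AES-256.
# DES-CBC3-SHA was removed: 3DES has a 64-bit block and is exposed to
# birthday-bound (Sweet32) attacks, and a client that can negotiate the
# protocol above also supports AES.
# The two trailing suites use static RSA key exchange and give no forward
# secrecy. They are kept as a last-resort fallback, with the GCM variant now
# ahead of the CBC one.
# NOTE(review): drop both if no client in the access logs still negotiates them.
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:AES128-GCM-SHA256:AES128-SHA';
# The server's order above wins over the client's preference list.
ssl_prefer_server_ciphers  on;
# Diffie-Hellman parameters for the EDH (DHE) suites.
# NOTE(review): the file's size is not visible here; confirm it holds parameters
# of at least 2048 bits.
ssl_dhparam /etc/pki/tls/dhparams.pem;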

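# HSTS: a browser that has seen this header refuses plain-HTTP connections to
# this host and all of its subdomains for one year (31536000 seconds).
# `always` attaches the header to every response, error pages included; without
# it nginx adds the header only for a fixed set of success and redirect codes.
# `includeSubDomains` and `preload` are hard to roll back: every subdomain must
# already serve valid HTTPS before this goes live.
# add_header is inherited from this level only by nested blocks that define no
# add_header of their own.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;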

# OCSP stapling: nginx fetches the certificate's revocation status itself and
# sends it in the TLS handshake, so clients need not contact the CA's responder.
ssl_stapling on;
# Check the responder's answer against the issuer chain before stapling it.
# NOTE(review): if the configured certificate file does not include the
# intermediate certificates, verification needs ssl_trusted_certificate, which
# is not set in this snippet. Confirm it is set elsewhere.
ssl_stapling_verify on;

# Resolver used to look up the OCSP responder's hostname. nginx does not read
# /etc/resolv.conf, so this assumes a DNS resolver is listening on localhost.
# A local, trusted resolver also limits exposure to spoofed DNS answers.
resolver 127.0.0.1;

# ACME HTTP-01 challenge responses, served as static plain-text files.
# `root` has the full request URI appended to it, so tokens are read from
# /usr/share/nginx/html/.well-known/acme-challenge/.
# NOTE(review): this is a prefix match with no trailing slash, so it also covers
# any URI that merely starts with this string. Keep the directory writable only
# by the ACME client, since every file placed there is publicly readable.
location '/.well-known/acme-challenge' {
    root         /usr/share/nginx/html;
    default_type "text/plain";
}

