server {
    listen 80 ;
    listen 443 ssl http2 ;
    server_name note.sugarscat.cn;

    # 重定向
    if ($scheme = http) {
        return 301 https://$host$request_uri;
    }

    # ssl 设置
    ssl_certificate /etc/nginx/ssl/fullchain.crt;
    ssl_certificate_key /etc/nginx/ssl/privkey.key;

    ssl_protocols TLSv1.3 TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000";
    error_page 497 https://$host$request_uri;
    proxy_set_header X-Forwarded-Proto https;
    ssl_stapling on;
    ssl_stapling_verify on;

    root /var/www/note;
    index index.html;
    
    try_files $uri $uri.html $uri/ =404;

    error_page 404 /404.html;
    error_page 403 /404.html;

    location ~* ^/assets/ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }
}