server {
    server_name __LOCAL__ __DOMAIN__;

    # ssl: https://ssl-config.mozilla.org / intermediate config

    listen 80;
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    ssl_certificate /data/nginx/certs/ofm_le.cert;
    ssl_certificate_key /data/nginx/certs/ofm_le.key;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    ssl_dhparam /etc/nginx/ffdhe2048.txt;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # access log disabled by default
    access_log /data/ofm/http_host/logs_nginx/le-access.jsonl access_json buffer=32k;
    #access_log off;

    error_log /data/ofm/http_host/logs_nginx/le-error.log;

    location ^~ /.well-known/acme-challenge/ {
        # trailing slash
        root /data/nginx/acme-challenges;
        try_files $uri =404;
    }

    __LOCATION_BLOCKS__

    # catch-all block to deny all other requests
    location / {
        deny all;
        error_log /data/ofm/http_host/logs_nginx/__LOCAL__-error.log error;
    }
}