# Template for a single TLS virtual host. __LOCAL__, __DOMAIN__ and
# __LOCATION_BLOCKS__ are placeholders, presumably substituted by the
# deployment tooling before nginx reads the file (verify against the generator).
server {
    server_name __LOCAL__ __DOMAIN__;

    # ssl: https://ssl-config.mozilla.org / intermediate config

    # Port 80 is plain HTTP and is bound on IPv4 only; port 443 is bound on
    # both IPv4 and IPv6.
    # NOTE(review): no redirect to HTTPS and no Strict-Transport-Security header
    # are visible in this block, so whatever __LOCATION_BLOCKS__ expands to is
    # also served in cleartext on port 80 unless it handles that itself.
    # Confirm this is intended.
    listen 80;
    listen 443 ssl;
    listen [::]:443 ssl;
    # Standalone "http2" directive: needs nginx 1.25.1 or newer.
    http2 on;

    # Certificate and private key for this host. The key file should be readable
    # only by the account that starts nginx.
    ssl_certificate /data/nginx/certs/ofm_ledns.cert;
    ssl_certificate_key /data/nginx/certs/ofm_ledns.key;

    # Sessions are resumed from the shared server-side cache for up to one day.
    # Session tickets are off, so resumption does not depend on a ticket key.
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    # Parameters for the DHE-RSA-* suites in ssl_ciphers below.
    # Presumably the RFC 7919 ffdhe2048 group, going by the file name. Verify the file contents.
    ssl_dhparam /etc/nginx/ffdhe2048.txt;

    # intermediate configuration
    # Only TLS 1.2 and 1.3 are accepted. ssl_ciphers governs the TLS 1.2 suites:
    # every entry is an AEAD cipher (GCM or ChaCha20-Poly1305) with an ephemeral
    # (ECDHE or DHE) key exchange. With ssl_prefer_server_ciphers off, the client's
    # preference order decides among them.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Access logging is ENABLED as written: requests go to the JSON-lines file
    # below using the "access_json" format, which must be defined elsewhere
    # (no log_format is visible here). buffer=32k batches writes, so recent
    # requests may not be on disk yet when the file is read during an investigation.
    # To disable access logging, use the commented-out "access_log off;" instead.
    access_log /data/ofm/http_host/logs_nginx/ledns-access.jsonl access_json buffer=32k;
    #access_log off;

    # Server-wide error log. No level is given, so nginx's default level applies.
    error_log /data/ofm/http_host/logs_nginx/ledns-error.log;

    __LOCATION_BLOCKS__

    # catch-all block to deny all other requests
    # Any URI not matched by a more specific location from __LOCATION_BLOCKS__
    # lands here and is refused. Errors raised in this location, including the
    # refusals, are written at "error" level to a separate per-host file, which
    # keeps probing of unknown paths apart from the main error log.
    # NOTE(review): __LOCAL__ is interpolated into a file path here, so the
    # substituted value must be a plain host name with no path separators.
    # Confirm against the generator.
    location / {
        deny all;
        error_log /data/ofm/http_host/logs_nginx/__LOCAL__-error.log error;
    }
}