My intra pve SSL config

📅 2025-05-07T16:29:06.147Z


root@192.168.1.240 (1 users) [80.220.89.6] /opt/services/nginx # cat sites-available/pve.conf
# TLS-terminating reverse proxy for pve.intra.protokolla.fi; every request is
# forwarded to the backend at 192.168.1.11:8006 (presumably the Proxmox VE web
# UI, going by the host name and port).
server {
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name pve.intra.protokolla.fi;
  # Certificate, protocol/cipher policy and response security headers.
  include /etc/nginx/extra/ssl-intra-protokolla.conf;
  location / {
    # Forwarded-* request headers and WebSocket upgrade handling.
    include /etc/nginx/extra/proxy.conf;
    # Contents not shown on this page; presumably allow/deny rules limiting
    # access to intranet sources. It is the only access control visible in
    # front of the backend, so confirm it ends in a default deny.
    include /etc/nginx/extra/intra-acl.conf;
    # NOTE(review): the upstream hop uses HTTPS, but proxy_ssl_verify is off
    # by default and is not set in any file shown here, so the backend
    # certificate is not checked: the hop is encrypted but not authenticated.
    # To authenticate it, set proxy_ssl_verify on together with
    # proxy_ssl_trusted_certificate (and proxy_ssl_name if the backend
    # certificate does not list the IP address).
    proxy_pass https://192.168.1.11:8006;
  }
}

root@192.168.1.240 (1 users) [80.220.89.6] /opt/services/nginx # cat extra/proxy.conf
# Shared reverse-proxy settings. The file is included inside a location block;
# the access_log-in-if construct at the end is only valid there, so it cannot
# be included at server level as is.

# Pass the requested host name and scheme on to the backend.
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Proto $scheme;
# Both client-address headers are set to the connection's peer address.
# X-Forwarded-For is overwritten rather than appended to (no
# $proxy_add_x_forwarded_for), so a value supplied by the client never reaches
# the backend. That is the right choice while this nginx is the first hop;
# if another proxy or the realip module sits in front, revisit it.
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;

# HTTP/1.1 towards the backend is required for the Upgrade mechanism below.
proxy_http_version 1.1;

# Forward WebSocket upgrade requests. $connection_upgrade is not a built-in
# variable: it has to come from a map on $http_upgrade in the http context,
# which is not shown on this page.
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

# Do not log requests from the status page (matched by peer address).
# NOTE(review): this switches the access log off for every request from that
# address, not only for health-check URLs, so nothing it sends leaves an
# access-log trail. If an audit trail matters, use conditional logging
# (access_log ... if=$variable, with a map in the http context) limited to the
# health-check path. Whether the address is admitted at all depends on
# intra-acl.conf.
if ( $remote_addr = "141.147.62.229" ) {
  access_log off;
}


root@192.168.1.240 (1 users) [80.220.89.6] /opt/services/nginx # cat extra/ssl-intra-protokolla.conf
# TLS settings and response security headers for intra.protokolla.fi hosts;
# included at server level by pve.conf.

# Server certificate and private key. full.pem is presumably the leaf plus
# intermediate chain - confirm. key.pem should be readable by root only.
ssl_certificate /etc/nginx/certs/intra.protokolla.fi/full.pem;
ssl_certificate_key /etc/nginx/certs/intra.protokolla.fi/key.pem;

# 10 MB session cache shared between worker processes.
# NOTE(review): ssl_session_tickets is not set here and defaults to on; set it
# explicitly if ticket-based resumption is not wanted.
ssl_session_cache shared:SSL:10m;
# Only TLS 1.2 and 1.3 are offered; older protocol versions are refused.
ssl_protocols TLSv1.2 TLSv1.3;
# AEAD suites with ephemeral key exchange only (forward secrecy). This list
# governs TLS 1.2; TLS 1.3 suites are not selected by ssl_ciphers.
# NOTE(review): the two DHE-RSA entries are only usable when ssl_dhparam is
# configured (nginx 1.11.0 and later ship no default parameters). None is set
# in this file, so unless it is set elsewhere they are inert.
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
# The server's order in the list above wins over the client's preference.
ssl_prefer_server_ciphers on;

# HSTS is left disabled, so browsers are not told to refuse plain HTTP for
# this name. If it is enabled, start with a short max-age: 63072000 seconds is
# two years and cannot be withdrawn from browsers that have already seen it.
# The preload token has no effect unless the domain is submitted to a preload
# list.
#add_header strict-transport-security "max-age=63072000; includeSubdomains; preload" always;
# Explicitly turns off the legacy browser XSS filter.
add_header x-xss-protection 0 always;
# Stops browsers from MIME-sniffing responses away from the declared type.
add_header x-content-type-options nosniff always;
# Allows framing by same-origin pages only (clickjacking protection).
# NOTE(review): add_header is inherited from this level only when the inner
# level defines no add_header of its own. The location in pve.conf includes
# proxy.conf (none shown) and intra-acl.conf (not shown); an add_header in
# either would silently drop all three headers for that location.
add_header x-frame-options SAMEORIGIN always;