server {
	listen 80;
	listen [::]:80;
	server_name neonaluminum.com www.neonaluminum.com;
	#3 configure a new HTTP (80) server block to redirect all http requests to your webserver to https
	return 301 https://neonaluminum.com$request_uri;
}
server {
	listen 443 ssl; # managed by Certbot
	server_name neonaluminum.com;
	#1 Where are the root key and root certificate located? 
	ssl_certificate /etc/letsencrypt/live/www.neonaluminum.com/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/www.neonaluminum.com/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
	#4  enabling secure cipher suites and TLS protocols only within the 443 SSL server block.
	# ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	# ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
	#5 Add HTTP Strict Transport Security (HSTS) within the 443 SSL server block. 
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
	#6 Server_tokens off
	server_tokens off;
	#8 disable content-type sniffing on some browsers
	add_header X-Content-Type-Options nosniff;
	#7 set the X-Frame-Options header to same origin 
	add_header X-Frame-Options SAMEORIGIN;
	#9 enable cross-site scripting filter built in
	#  https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	add_header X-XSS-Protection "1; mode=block";
	# disable sites with potentially harmful code
	# https://content-security-policy.com/
	add_header Content-Security-Policy "default-src 'self'; script-src 'self' ajax.googleapis.com; object-src 'self';";
	# referrer policy
	add_header Referrer-Policy "no-referrer-when-downgrade";
	# certificate transparency
	# https://thecustomizewindows.com/2017/04/new-security-header-expect-ct-header-nginx-directive/
	add_header Expect-CT max-age=3600;

	root /var/www/neonaluminum.com/html;
	index index.html;
}