www/etc/nginx/sites-available/troyito.com.conf

# troyito.com
# www.troyito.com

server {
    server_name troyito.com;
    root /var/xyzzy/html/troyito;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/troyito.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/troyito.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # https://ssl-config.mozilla.org/
    add_header Strict-Transport-Security "max-age=15724800" always;

    # https://observatory.mozilla.org
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self';";
}

server {
    server_name www.troyito.com;
    root /var/xyzzy/html/troyito;
    index index.html;

    location ~ /\.well-known {
        allow all;
    }

    location ~ / {
        return 301 $scheme://troyito.com$request_uri;
    }

    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/troyito.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/troyito.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # https://ssl-config.mozilla.org/
    add_header Strict-Transport-Security "max-age=15724800" always;

    # https://observatory.mozilla.org
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
    add_header Content-Security-Policy "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'self';";
}

server {
    if ($host = troyito.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name troyito.com;
    root /var/xyzzy/html/troyito;
    index index.html;
    return 404; # managed by Certbot
}

server {
    if ($host = www.troyito.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name www.troyito.com;
    root /var/xyzzy/html/troyito;
    index index.html;
    return 404; # managed by Certbot
}