nginx-config/sites-available/blog

server {
  # allow access from localhost
  listen 443 quic reuseport backlog=1024;
  listen 443 http2 ssl backlog=1024;
  server_name blog.kazu634.com;

  ssl_certificate /etc/lego/.lego/certificates/_.kazu634.com.crt;
  ssl_certificate_key /etc/lego/.lego/certificates/_.kazu634.com.key;
  ssl_dhparam /etc/lego/dhparams_4096.pem;

  ssl_session_timeout 1d;
  ssl_session_cache   shared:SSL:3m;
  ssl_buffer_size     4k;
  ssl_session_tickets off;

  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

  ssl_stapling on;
  ssl_stapling_verify on;

  resolver 8.8.4.4 8.8.8.8 valid=300s;
  resolver_timeout 10s;

  # Enable HSTS (HTTP Strict Transport Security)
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

  root /var/www/blog;
  index index.html index.htm;

  access_log   /var/log/nginx/blog.access.log   json;
  error_log    /var/log/nginx/blog.error.log;

  location / {
    # http2 server push:
    http2_push_preload on;

    http2_push /apple-touch-icon.png;
    http2_push /lib/normalize/normalize.min.css;
    http2_push /css/style.min.css;
    http2_push /lib/lightgallery/lightgallery.min.css;
    http2_push /lib/katex/katex.min.css;
    http2_push /lib/katex/copy-tex.min.css;
    http2_push /lib/mapbox-gl/mapbox-gl.min.css;
    http2_push /lib/smooth-scroll/smooth-scroll.min.js;
    http2_push /lib/lazysizes/lazysizes.min.js;
    http2_push /lib/twemoji/twemoji.min.js;
    http2_push /lib/lightgallery/lightgallery.min.js;
    http2_push /lib/lightgallery/lg-zoom.min.js;
    http2_push /lib/clipboard/clipboard.min.js;
    http2_push /lib/sharer/sharer.min.js;
    http2_push /lib/katex/katex.min.js;
    http2_push /lib/katex/auto-render.min.js;
    http2_push /lib/katex/copy-tex.min.js;
    http2_push /lib/katex/mhchem.min.js;
    http2_push /js/theme.min.js;
    http2_push https://embedr.flickr.com/assets/client-code.js;
    http2_push https://platform.twitter.com/widgets.js;

    # used to advertise the availability of HTTP/3
    add_header Alt-Svc 'h3=":443"; ma=86400';

    if (-e "/tmp/maintenance") {
      return 503;
    }

    location /feed {
      return 301 http://blog.kazu634.com/index.xml;
    }

    location /wp-content {
      return 404;
    }

    location ~* \.css {
      gzip_static always;

      expires max;
    }

    location ~* \.js {
      gzip_static always;

      expires max;
    }

    location /images {
      gzip_static always;

      expires max;
    }

    location = /favicon.ico {
      access_log off;
      empty_gif;
      expires max;
    }

    try_files $uri $uri/ /index.html;
  }
}