server {  
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name ots.*;

    ssl_certificate /config/keys/cert.crt;
    ssl_certificate_key /config/keys/cert.key;
    ssl_session_timeout 10m;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
    ssl_dhparam /config/nginx/dhparam4096.pem;

    # intermediate configuration
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_conf_command Options PrioritizeChaCha;
    ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_ecdh_curve X25519:X448:secp521r1:secp384r1;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /config/keys/cert.crt;

    # Optional additional headers
    add_header Permissions-Policy "interest-cohort=()";

    # Add Onion-Location Header
    add_header Onion-Location http://5bi7xhmcmji4gfuok5z4j4bgmif2cryuf6was6c7275i3wwfvoolbryd.onion$request_uri;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app ots;
        set $upstream_port 3000;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}