```
listen
0.0.0.0:443 ssl ;
listen [::]:443 ssl ;
listen
0.0.0.0:443 quic ;
listen [::]:443 quic ;
http2 on;
server_name xxx;
location /.well-known/acme-challenge {
root /var/lib/acme/acme-challenge;
auth_basic off;
}
ssl_certificate /var/lib/acme/xxx/fullchain.pem;
ssl_certificate_key /var/lib/acme/xxx/key.pem;
ssl_trusted_certificate /var/lib/acme/xxx/chain.pem;
# Do not allow this site to be displayed in iframes
more_set_headers "X-Frame-Options: SAMEORIGIN";
# Do not permit Content-Type sniffing.
more_set_headers "X-Content-Type-Options: nosniff";
# Reenable XSS Filter even when disabled by user
more_set_headers "X-XSS-Protection: 1; mode=block";
# Do not send referrer header when navigating from HTTPS to HTTP
more_set_headers "Referrer-Policy: no-referrer-when-downgrade";
include "/nix/store/jz0dx3b01kc0bibspzl1dxi9hdi5n11b-nginx-error-pages-iis6.conf";
location / {
proxy_pass
http://127.0.0.1:3690/;
include /nix/store/h7yhsdwp7h51cqwpxzp1p80gwgwf04bd-nginx-proxy-headers.conf;
set $fixed_destination $http_destination;
if ( $http_destination ~* ^https(.*)$ ) {
set $fixed_destination http$1;
}
proxy_set_header Destination $fixed_destination;
}
location = /.well-known/security.txt {
alias /nix/store/fscnlbcafyzs4lmh3jv8f3p1cxh5hr1f-security.txt;
}
allow
10.64.0.0/12;
deny all;
```