Nginx

This is my example Nginx reverse-proxy + hardened https config (you need nginx/1.9.9): # redirect all http requests to https server { listen 80; server_name www.werise.de; server_name alias.werise.de; return 301 https://$server_name$request_uri; } # define a new cache (use different names and paths for different caches! proxy_cache_path /var/nginx_cache/blog.werise.de levels=1:2 keys_zone=blog_cache:10m max_size=512m inactive=60m use_temp_path=off; # https server block server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name blog.werise.de; ssl_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/mydomain.

We all know that the Five Eyes (and alot of other ugly people) collect massive amounts of metadata from public internet traffic, and you want to do something about it. Yes, you can do something, too. If we spam them with encrypted traffic, the amount of work needed to decrypt and read it will become unbearable for them. Letsencrypt offers a free way to get ssl certificates for your http(s) web-server.