Nginx

My Example conf.d/mydomain.conf


This is my example Nginx reverse-proxy and hardened HTTPS config (it requires nginx 1.9.9, since the https server block uses `listen ... http2`):

# redirect all http requests to https
# note: $server_name expands to the first name listed (www.werise.de), so requests for
# alias.werise.de are redirected to www.werise.de as well; use $host to keep the requested name
server {
    listen       80;
    server_name  www.werise.de;
    server_name  alias.werise.de;
    return       301 https://$server_name$request_uri;
}

# define a new cache (use different names and paths for different caches!)
proxy_cache_path    /var/nginx_cache/blog.werise.de levels=1:2 keys_zone=blog_cache:10m max_size=512m inactive=60m use_temp_path=off;

# https server block
server {
    listen       443 ssl http2;
    listen  [::]:443 ssl http2;
    server_name  blog.werise.de;

    ssl_certificate      /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;

    ssl_session_cache           shared:SSL:20m;
    ssl_session_timeout         60m;

    ssl_prefer_server_ciphers   on;

    ssl_ciphers                 ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    # create a new dhparam by executing:
    # openssl dhparam -out /etc/nginx/cert/dhparam_4096.pem 4096
    ssl_dhparam                 /etc/nginx/cert/dhparam_4096.pem;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients must be served
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    resolver 8.8.8.8 8.8.4.4;

    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_cache           blog_cache;
        proxy_cache_min_uses  3;
        proxy_cache_lock      on;

        proxy_pass http://my-upstream-server/;
    }

}
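As an added example (not part of the original post), a small Python audit that parses nginx directives like the ones above and flags the settings a reviewer would question: deprecated protocol versions, 3DES in the cipher list, OCSP stapling without verification, and a weak or incomplete HSTS header. The sample config embedded in the script is a constructed excerpt of the https server block; the finding texts are the script's own.

```python
import re
import shlex

# Constructed sample: the TLS-relevant directives from the https server block
# above, embedded so the audit runs offline.
SAMPLE_CONF = """
server {
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # trailing comment, stripped by the parser
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
"""
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_directives(conf):
    """Map directive name -> list of argument lists, one per occurrence.
    Nesting is ignored and '#' comments are stripped per line; that is enough
    for flat ssl_* and add_header directives (a quoted '#' is not supported)."""
    text = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    found = {}
    for name, args in re.findall(r"(\w+)\s+([^;{}]*?)\s*;", text):
        found.setdefault(name, []).append(shlex.split(args))
    return found

def audit(conf):
    """Return the list of findings; an empty list means nothing weak was seen."""
    d = parse_directives(conf)
    findings = []
    for args in d.get("ssl_protocols", []):
        for proto in args:
            if proto in DEPRECATED_PROTOCOLS:
                findings.append(f"ssl_protocols: {proto} is deprecated (RFC 8996)")
    for args in d.get("ssl_ciphers", []):
        for group in args[0].split(":"):
            if not group.startswith("!") and "3DES" in group:  # enabled, not excluded
                findings.append(f"ssl_ciphers: {group} enables 3DES, a 64-bit block cipher (Sweet32)")
    if d.get("ssl_stapling", [["off"]])[-1] == ["on"] and d.get("ssl_stapling_verify", [["off"]])[-1] != ["on"]:
        findings.append("ssl_stapling on without ssl_stapling_verify: the stapled OCSP response is not validated")
    hsts = [a for a in d.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("add_header: no Strict-Transport-Security header")
    for a in hsts:
        m = re.search(r"max-age=(\d+)", a[1] if len(a) > 1 else "")
        if not m or int(m.group(1)) < 31536000:
            findings.append("HSTS: max-age is below one year")
        if "always" not in a:  # without 'always', add_header only applies to selected 2xx/3xx status codes
            findings.append("HSTS: missing 'always', so error responses are sent without the header")
    return findings
```

Running audit(SAMPLE_CONF) on the config above reports the two deprecated protocol versions and the DH+3DES cipher group; the stapling and HSTS directives pass as written.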

Setting up a free letsencrypt ssl certificate with nginx


We all know that the Five Eyes (and a lot of other ugly people) collect massive amounts of metadata from public internet traffic, and you want to do something about it.

Yes, you can do something too. If we flood them with encrypted traffic, the amount of work needed to decrypt and read it becomes unbearable for them.

Let's Encrypt offers a free way to get SSL/TLS certificates for your HTTP(S) web server. Read more about it here.