docker/nginx.conf

worker_processes auto;
events {
    worker_connections 1024;
}

http {
  server {
    listen 80;
    server_name wp.lan;
    return 301 https:/$host$request_uri;
  }

  server {
    listen 443 ssl;
    http2 on;
    server_name wp.lan;

    ssl_certificate /etc/nginx/certs/lan.pem;
    ssl_certificate_key /etc/nginx/certs/lan-key.pem;

    index index.php;

    location / {
      proxy_set_header   X-Forwarded-For $remote_addr;
      proxy_set_header   Host $http_host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_pass "http://wordpress";
    }
  }

  server {
    server_name   mz.lan;

    listen         80;
    listen         [::]:80;

    return         301 https://$server_name$request_uri;
  }

  server {
    server_name mz.lan;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_session_timeout 5m;

    # Uncomment once you get the certificates
    ssl_trusted_certificate /etc/nginx/certs/lan.pem;
    ssl_certificate /etc/nginx/certs/lan.pem;
    ssl_certificate_key /etc/nginx/certs/lan-key.pem;

    # Add TLSv1.3 if it's supported by your system
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA';
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve prime256v1;
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=31536000";

    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript application/activity+json application/atom+xml;

    # the nginx default is 1m, not enough for large media uploads
    client_max_body_size 16m;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Just use the proxy for everything
    location / {
      expires off;
      add_header Cache-Control "public, max-age=0, s-maxage=0, must-revalidate" always;
      proxy_pass "http://mobilizon:4000";
    }
  }
}