From 8bd1ec0408d902b99a1bf05eee3bf43c4d3b5016 Mon Sep 17 00:00:00 2001 From: Shane Jaroch Date: Mon, 19 Jan 2026 03:18:41 -0500 Subject: [PATCH] update with http3 --- etc/nginx/conf.d/default.dev.conf | 19 +++++++++++++++++++ etc/nginx/conf.d/default.prod.conf | 20 ++++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/etc/nginx/conf.d/default.dev.conf b/etc/nginx/conf.d/default.dev.conf index b866859..1621935 100644 --- a/etc/nginx/conf.d/default.dev.conf +++ b/etc/nginx/conf.d/default.dev.conf @@ -11,6 +11,7 @@ server { add_header Alt-Svc 'h3=":443"; ma=86400' always; # HSTS add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; # Sanic location / { @@ -45,6 +46,8 @@ server { http2 on; http3 on; add_header Alt-Svc 'h3=":443"; ma=86400' always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; location / { proxy_pass http://localhost:8000; } @@ -61,6 +64,8 @@ server { http2 on; http3 on; add_header Alt-Svc 'h3=":443"; ma=86400' always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; location / { proxy_pass http://localhost:9000; } @@ -157,6 +162,11 @@ server { include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + # HTTP3 and Security Headers + add_header Alt-Svc 'h3=":443"; ma=86400' always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; + return 301 https://dev.nutra.tk$request_uri; } 
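Review bot: `ssl_trusted_certificate /etc/ssl/private/ca-certs.pem;` added after the HSTS line does nothing on its own, because nginx reads that bundle only to verify stapled OCSP responses or client certificates. No `ssl_stapling on; ssl_stapling_verify on;` or `ssl_verify_client` appears in any hunk, although they may be set in the included `options-ssl-nginx.conf`, which is not shown. Either pair the line with the stapling directives (after checking that the issuing CA still serves OCSP) or drop it, since a missing or unreadable file makes `nginx -t` and the reload fail. A CA bundle is public material, so a path outside `/etc/ssl/private/` would keep that directory for keys only. The same line is added in every other hunk of both files, and the server block continues outside this hunk.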
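Review bot: The HSTS line added to this block in `default.dev.conf` (and to the `@@ -61`, `@@ -157`, `@@ -169` and `@@ -187` blocks) sets a one-year policy with `includeSubDomains; preload` from a dev config, and browsers keep it cached even after the header is removed. For the dev file a short policy such as `add_header Strict-Transport-Security "max-age=300" always;` is easier to back out until every host under the name is confirmed HTTPS-only, with `preload` kept for the production apex. A `location` that declares its own `add_header` stops inheriting the server-level ones. The `location /` visible here declares none, but the rest of the server block is outside the hunk and should be checked.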
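Review bot: This redirect block in `default.dev.conf` now advertises `Alt-Svc 'h3=":443"; ma=86400'` without enabling HTTP/3, whereas the matching hunk in `default.prod.conf` (`@@ -160`) adds `http2 on; http3 on;` before the same headers. Neither hunk shows a `listen ... quic` line, so whether QUIC is actually served for this `server_name` depends on lines outside the hunk. Either add `http3 on;` here to match prod (and confirm a quic listener exists), or drop the Alt-Svc line from a block that only issues `return 301`. The two environments should not diverge on this silently.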
@@ -169,6 +179,8 @@ server { http2 on; http3 on; add_header Alt-Svc 'h3=":443"; ma=86400' always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; server_name matrix.nutra.tk chat.nutra.tk; location / { @@ -187,6 +199,13 @@ server { server { listen 8448 ssl default_server; listen [::]:8448 ssl default_server; + listen 8448 quic default_server; + listen [::]:8448 quic default_server; + http2 on; + http3 on; + add_header Alt-Svc 'h3=":8448"; ma=86400' always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; server_name dev.nutra.tk; location / { diff --git a/etc/nginx/conf.d/default.prod.conf b/etc/nginx/conf.d/default.prod.conf index cf6bb9b..ed48274 100644 --- a/etc/nginx/conf.d/default.prod.conf +++ b/etc/nginx/conf.d/default.prod.conf @@ -19,6 +19,7 @@ server { add_header Alt-Svc 'h3=":443"; ma=86400' always; # HSTS add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; # Sanic location / { @@ -53,6 +54,8 @@ server { http2 on; http3 on; add_header Alt-Svc 'h3=":443"; ma=86400' always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; location / { proxy_pass http://localhost:8000; } @@ -69,6 +72,8 @@ server { http2 on; http3 on; add_header Alt-Svc 'h3=":443"; ma=86400' always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; location / { proxy_pass http://localhost:9000; } 
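Review bot: `listen 8448 quic default_server;` and its IPv6 twin in the `@@ -187` hunk open a new UDP listener on port 8448, which widens the exposed surface beyond the existing TCP listener. The advertised `h3=":8448"` only works if the host firewall also allows UDP 8448. If the clients of this port do not speak HTTP/3, the quic listeners, `http3 on;` and the Alt-Svc line are better left out. If they stay, nginx's HTTP/3 documentation recommends `reuseport` on the quic listener when several workers run, e.g. `listen 8448 quic reuseport default_server;`, given once per address:port. The same applies to the `@@ -190` hunk in `default.prod.conf`, and the server block continues outside both hunks.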
@@ -160,6 +165,12 @@ server { include /etc/letsencrypt/options-ssl-nginx.conf; ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; + http2 on; + http3 on; + add_header Alt-Svc 'h3=":443"; ma=86400' always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; + return 301 https://nutra.tk$request_uri; } @@ -172,6 +183,8 @@ server { http2 on; http3 on; add_header Alt-Svc 'h3=":443"; ma=86400' always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; server_name matrix.nutra.tk chat.nutra.tk; location / { @@ -190,6 +203,13 @@ server { server { listen 8448 ssl default_server; listen [::]:8448 ssl default_server; + listen 8448 quic default_server; + listen [::]:8448 quic default_server; + http2 on; + http3 on; + add_header Alt-Svc 'h3=":8448"; ma=86400' always; + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always; + ssl_trusted_certificate /etc/ssl/private/ca-certs.pem; server_name nutra.tk; location / { -- 2.52.0