This was a super easy upgrade. Atul Kumar Pandey had a straightforward article on this.

The old config:

1
# HTTP Server block - responsible for upgrading all http:// traffic to https://www.taxborn.com
2
server {
3
    listen 80;
4
    listen [::]:80;
5
    server_name taxborn.com www.taxborn.com;
6

7
    location / {
8
        return 301 https://www.taxborn.com$request_uri;
9
    }
10
}
11

12
# HTTPS Server block - responsible for handling the SSL certificate
13
server {
14
    listen 443 ssl;
15
    listen [::]:443 ssl;
16
    server_name taxborn.com www.taxborn.com;
17

18
    # enable http2
19
    http2 on;
20

21
    ssl_certificate /etc/letsencrypt/live/taxborn.com/fullchain.pem;
22
    ssl_certificate_key /etc/letsencrypt/live/taxborn.com/privkey.pem;
23
    ssl_session_timeout 1d;
24
    ssl_session_cache shared:MozSSL:10m; # about 40k sessions
25

26
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
27
    ssl_dhparam /etc/nginx/dhparam;
28

29
    # HSTS and Preload
30
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
31
    add_header Content-Security-Policy "frame-ancestors 'none'" always;
32
    add_header X-Frame-Options "DENY" always;
33
    add_header X-Content-Type-Options "nosniff" always;
34

35
    # OCSP stapling
36
    ssl_stapling on;
37
    ssl_stapling_verify on;
38

39
    # intermediate *configuration*
40
    ssl_protocols TLSv1.2 TLSv1.3;
41
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
42
    ssl_prefer_server_ciphers off;
43

44
    # OPTIONAL: I like to enforce the www subdomain
45
    if ($host = taxborn.com) {
46
        return 301 https://www.taxborn.com$request_uri;
47
    }
48

49
    # Reverse proxy for our node application being hosted locally on port 4321
50
    location / {
51
        proxy_pass http://localhost:4321;
52
        proxy_http_version 1.1; # TODO: how does HTTP/2 perform?
53
        proxy_set_header Upgrade $http_upgrade;
54
        proxy_set_header Connection 'upgrade';
55
        proxy_set_header Host $host;
56
        proxy_cache_bypass $http_upgrade;
57
    }
58

59
    # Optional: Add logging
60
    access_log /var/log/nginx/taxborn_access.log;
61
}

The NEW Config

This mostly is just adding a few more port 443 listeners for quic, toggle the http3 directive on, and add a couple headers.

1
# HTTP Server block - responsible for upgrading all http:// traffic to https://www.taxborn.com
2
server {
3
    listen 80;
4
    listen [::]:80;
5
    server_name taxborn.com www.taxborn.com;
6

7
    location / {
8
        return 301 https://www.taxborn.com$request_uri;
9
    }
10
}
11

12
# HTTPS Server block - responsible for handling the SSL certificate
13
server {
14
    listen 443 ssl;
15
    listen [::]:443 ssl;
16
    listen 443 quic reuseport;
17
    listen [::]:443 quic reuseport;
18

19
    server_name taxborn.com www.taxborn.com;
20

21
    # enable http2
22
    http2 on;
23

24
    # http3
25
    http3 on;
26
    quic_retry on;
27
    # Add http/3 headers. Move these headers where others are located.
28
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
29
    add_header x-quic 'h3';
30
    ssl_early_data on; # 0-RTT
31

32
    ssl_certificate /etc/letsencrypt/live/taxborn.com/fullchain.pem;
33
    ssl_certificate_key /etc/letsencrypt/live/taxborn.com/privkey.pem;
34
    ssl_session_timeout 1d;
35
    ssl_session_cache shared:MozSSL:10m; # about 40k sessions
36

37
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam
38
    ssl_dhparam /etc/nginx/dhparam;
39

40
    # HSTS and Preload
41
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
42
    add_header Content-Security-Policy "frame-ancestors 'none'" always;
43
    add_header X-Frame-Options "DENY" always;
44
    add_header X-Content-Type-Options "nosniff" always;
45

46
    # OCSP stapling
47
    ssl_stapling on;
48
    ssl_stapling_verify on;
49

50
    # intermediate configuration
51
    ssl_protocols TLSv1.2 TLSv1.3;
52
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:E
53
    CDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
54
    ssl_prefer_server_ciphers off;
55

56
    # OPTIONAL: I like to enforce the www subdomain
57
    if ($host = taxborn.com) {
58
        return 301 https://www.taxborn.com$request_uri;
59
    }
60

61
    location / {
62
        proxy_pass http://localhost:4321;
63
        proxy_http_version 1.1; # TODO: how does HTTP/2 perform?
64
        proxy_set_header Upgrade $http_upgrade;
65
        proxy_set_header Connection 'upgrade';
66
        proxy_set_header Host $host;
67
        proxy_cache_bypass $http_upgrade;
68
    }
69

70
    # Optional: Add logging
71
    access_log /var/log/nginx/taxborn_access.log;
72
    error_log /var/log/nginx/taxborn_error.log;
73
}