Run this: openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048 (takes two or three minutes on a 1GB DO droplet)

HTTP

/etc/nginx/sites-enabled/fodor.conf - Redirect all traffic to HTTPS

server {
    listen 80;
    server_name fodor.xyz;
    rewrite     ^   https://$server_name$request_uri? permanent;
}

HTTPS

/etc/nginx/sites-enabled/fodor.xyz-ssl.conf

server {
    listen 443;
    server_name fodor.xyz;
    root /var/www/fodor.xyz/public/;
    index index.php;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/fodor.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fodor.xyz/privkey.pem;
    ssl_prefer_server_ciphers On;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";


# So LetsEncrypt can auto renew
        location ~ /.well-known {
                allow all;
        }
}