Better with HTTPS.

Please generate certificates with Let's encrypt and remplace certs paths in the nginx configuration file.

deploy/nginx.conf

@@ -4,9 +4,29 @@ upstream funkwhale-api {
 }
 
 server {
-    listen      80;
+  listen 80;
+  listen [::]:80;
+  server_name demo.funkwhale.audio;
+  # useful for Let's Encrypt
+  location /.well-known/acme-challenge/ { allow all; }
+  location / { return 301 https://$host$request_uri; }
+}
+
+server {
+    listen      443 ssl http2;
+    listen [::]:443 ssl http2;
     server_name demo.funkwhale.audio;
 
+    # TLS
+    ssl_protocols TLSv1.2;
+    ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
+    # HSTS
+    add_header Strict-Transport-Security "max-age=31536000";
+
     root /srv/funkwhale/front/dist;
 
     location / {