# NGINX configuration for a virtualhost proxied to a Docker service.
# Uses https://github.com/acmesh-official/acme.sh to manage SSL certificates.
#
# Every $PAR_* token is a template placeholder (server name, service directory,
# upstream host/port, ACME host/port, URL prefix, webmaster contact). The file
# is not valid nginx syntax until they are substituted, presumably by the
# deployment script -- confirm before editing the placeholders.
#
# Flags the non 2xx or non 3xx (probably error) responses.
# "map" is only allowed in the http context, so this file is presumably
# included at http level; the port suffix keeps the variable name unique when
# several virtualhost files built from this template are included side by side.
map $status $errorlog_$PAR_PROXYPORT {
    ~^[23]  0;
    default 1;
}

# Virtualhost's configuration follows.
server {
    listen 80;
    # listen 443 ssl;
    server_name_in_redirect on;
    server_name $PAR_SERVERNAME;
    # Contact shown on the generic error page (location @proxy_error below).
    # Its value comes from the template, not from the request, so interpolating
    # it into the response body is not user-controlled.
    set $server_admin $PAR_WEBMASTER;

    # access log and error log.
    # Any requests getting a non 2xx or non 3xx response will go to the error log as well.
    # (The "error log" is a second access_log filtered by the map above, not nginx's error_log.)
    access_log $PAR_SERVICE/logs/web/access.log combined;
    access_log $PAR_SERVICE/logs/web/error.log combined if=$errorlog_$PAR_PROXYPORT;

    # Let's Encrypt (acme.sh) support.
    # NOTE(review): this prefix covers all of /.well-known/, so any other
    # well-known resource the webapp may serve (security.txt, webfinger, ...)
    # is routed to the ACME host instead of the app. If only the HTTP-01
    # challenge is needed, /.well-known/acme-challenge/ is the narrower match.
    location /.well-known/ {
        proxy_pass http://$PAR_ACMEHOST:$PAR_ACMEPORT;
        error_page 500 502 503 504 @proxy_error;
    }

    # Forced redirect to https.
    # (Inactive; enable together with "listen 443 ssl" and the ssl_certificate*
    # lines below, otherwise clients are redirected to a port that is not served.)
    # if ($scheme = http) {
    #     return 301 https://$host$request_uri;
    # }

    # Webapp's configuration.
    charset utf-8;
    # proxy_pass carries a URI part, so the matched prefix /$PAR_LOCATION is
    # replaced by the same /$PAR_LOCATION on the upstream side, i.e. the path
    # reaches the backend unchanged.
    location /$PAR_LOCATION {
        proxy_pass http://$PAR_PROXYHOST:$PAR_PROXYPORT/$PAR_LOCATION;
        # Any upstream 5xx is replaced by the fixed page in @proxy_error
        # (always reported to the client as 500, see below).
        error_page 500 502 503 504 @proxy_error;
        # Per-request upload limit; requests above it are rejected with 413.
        client_max_body_size 1G;
        keepalive_timeout 30;
        proxy_read_timeout 300;
        proxy_request_buffering on;
        proxy_buffers 2048 16k;
        proxy_buffer_size 16k;
        # Client identity and scheme are passed in these headers; the upstream
        # should trust them only when they arrive from this proxy, since
        # X-Forwarded-For appends to whatever the client already sent.
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        #websockets
        # NOTE(review): Connection is forced to "upgrade" on every proxied
        # request, not only on those that carry an Upgrade header. nginx's
        # documented pattern maps $http_upgrade to a $connection_upgrade
        # variable ("" -> close, otherwise upgrade) and uses that here; some
        # backends reject a bare "Connection: upgrade" -- confirm with the app.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    # Generic error page used by the error_page directives above. The status
    # is always 500 regardless of which upstream error triggered it; the body
    # is static apart from $server_admin (set from the template above).
    location @proxy_error {
        default_type text/html;
        return 500 "Sorry something went wrong. Try again a bit later.
You may report this at $server_admin.
";
    }

    # No static service, but we may provide the OPTIONS for a potential DAV client.
    # (Inactive. "##" marks the alternative lines that were tried.)
    # location / {
    #     default_type text/html;
    ##     dav_ext_methods OPTIONS;
    #     if ($request_method != OPTIONS) {
    #         return 404 "Sorry try $scheme://$server_name/$PAR_LOCATION instead.";
    ##         return 302 $scheme://$server_name/$PAR_LOCATION;
    #     }
    # }
    # NOTE(review): the closing brace of the commented-out location block was
    # missing in the original; added here so the block parses if re-enabled.

    ##################################################################################
    # The SSL part
    # https://ssl-config.mozilla.org/
    # https://community.letsencrypt.org/t/howto-a-with-all-100-s-on-ssl-labs-test-using-nginx-mainline-stable/55033
    # ssl_certificate $PAR_SERVICE/configs/acme/$PAR_SERVERNAME/fullchain.cer;
    # ssl_certificate_key $PAR_SERVICE/configs/acme/$PAR_SERVERNAME/$PAR_SERVERNAME.key;
    # Settings to achieve 'A' grade on https://www.ssllabs.com/ssltest/
    # The ssl_* directives below are inert until "listen 443 ssl" and the two
    # ssl_certificate* lines are enabled; they are harmless on the plain-HTTP listener.
    # NOTE(review): no ssl_session_cache is set in this file. With tickets off,
    # resumption relies on the server-side cache, so unless one is configured at
    # http level this timeout has nothing to act on -- confirm.
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    # With TLS 1.2 AEAD-only suites (plus the one CBC suite at the end) the
    # client's preference is acceptable; this is the Mozilla recommendation.
    ssl_prefer_server_ciphers off;
    # NOTE(review): the trailing ECDHE-RSA-AES128-SHA is the only non-AEAD
    # (CBC, SHA-1 MAC) suite in the list; presumably kept for older clients --
    # drop it if they no longer need to be supported.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA";
    ssl_stapling on;
    # NOTE(review): nginx verifies stapled responses against
    # ssl_trusted_certificate, which is not set here; without it nginx logs a
    # warning at startup and skips stapling -- confirm in the error log once
    # the certificate lines are enabled.
    ssl_stapling_verify on;
    # Read before activating: https://blog.g3rt.nl/nginx-add_header-pitfall.html
    # (add_header in a nested block replaces, rather than extends, the headers
    # inherited from this level, so these would be lost inside the locations above.)
    # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    # add_header X-Frame-Options SAMEORIGIN;
    # add_header X-Content-Type-Options nosniff;
}
# That's all.