## Example config for http redirects
server {
	listen 80;
	listen [::]:80 default;
	server_name example.com;

	return 301 https://$server_name$request_uri;
}

## Example config for server secured with https
server {
	listen 0.0.0.0:443 ssl http2;
	listen [::]:443 ssl http2;
	server_name example.com;

	access_log /var/log/nginx/example.com/access.log combined if=$log_ip;
	error_log  /var/log/nginx/example.com/error.log;

	root /usr/share/webapps/filebin/public_html/;

	add_header X-Frame-Options DENY;

	location / {
		try_files $uri $uri/ @ee;
	}
	location @ee {
		rewrite ^(.*) /index.php?$1 last;
	}

	# Needs:
	# $config['download_driver'] = 'nginx';
	# $config['download_nginx_location'] = '/u';
	location ^~ /u/ {
		internal;
		gzip off;
		sendfile on;
		sendfile_max_chunk 100m;
		tcp_nopush on;
		tcp_nodelay on;
		keepalive_timeout 120;
		proxy_max_temp_file_size 0;
		chunked_transfer_encoding off;
		alias /usr/share/webapps/filebin/data/uploads/;
	}

	location ~ \.php$ {
		fastcgi_pass unix:/run/php-fpm/fb.sock;
		fastcgi_index index.php;
		include fastcgi.conf;
	}

	add_header Feature-Policy "geolocation 'none'; midi 'none'; notifications 'none'; push 'none'; sync-xhr 'none'; microphone 'none'; camera 'none'; magnetometer 'none'; gyroscope 'none'; speaker 'none'; vibrate 'none'; fullscreen 'none'; payment 'none'";

	add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'none'; font-src 'self'; object-src 'none'; media-src 'self'; worker-src 'none'; frame-src 'none'; form-action 'self'; frame-ancestors 'none'; base-uri 'self';";

	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	add_header Referrer-Policy "no-referrer, strict-origin-when-cross-origin";
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";

	ssl_protocols TLSv1.2 TLSv1.3;

	# EECDH+AESGCM is a weaker cipher, but we need it for Android 5.0 / 6.0 support.
	ssl_ciphers "EECDH+AESGCM+SHA384:EECDH+AESGCM";
	#ssl_ciphers "EECDH+AESGCM+SHA384";

	ssl_prefer_server_ciphers on;
	ssl_ecdh_curve secp384r1;
	ssl_session_cache shared:SSL:10m;
	ssl_session_tickets off;
	ssl_stapling on;
	ssl_stapling_verify on;

	resolver 127.0.0.1 valid=300s;
	resolver_timeout 5s;

	# openssl dhparam -out /etc/ssl/dhparam.pem 4096
	ssl_dhparam /etc/ssl/dhparam.pem;

	# See https://wiki.archlinux.org/index.php/Certbot
	ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

	# Optional, needs to be generated
	#ssl_stapling_file /etc/letsencrypt/ocspresponse/fb.hash.works.der;
}

# vi:syntax=nginx