# http://nginx.org/en/docs/http/websocket.html
# http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# http server
server {
    listen       80;
    listen       [::]:80;

    server_name  gitlab.c2a-systeme.fr;

    location / {
        # redirect everything to HTTPS
        return 301 https://$host$request_uri;
    }
}

# https server
server {
    server_name  gitlab.c2a-systeme.fr;
    listen       443 http2;
    listen       [::]:443 http2;

    ssl                  on;
    # paths are relative to prefix and not to this file
    ssl_certificate      /home/c2a/conf/nginx/certs/gitlab.c2a-systeme.fr.cert;
    ssl_certificate_key  /home/c2a/conf/nginx/certs/gitlab.c2a-systeme.fr.key;
    ssl_session_timeout  5m;
    ssl_session_cache shared:SSL:50m;

    # https://bettercrypto.org/static/applied-crypto-hardening.pdf
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # https://cipherli.st/
    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE

    # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    # ssl_dhparam /home/yellowtent/boxdata/dhparams.pem;
    # add_header Strict-Transport-Security "max-age=15768000";

    # https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options
    add_header X-Frame-Options "SAMEORIGIN";
    proxy_hide_header X-Frame-Options;

    # https://github.com/twitter/secureheaders
    # https://www.owasp.org/index.php/OWASP_Secure_Headers_Project#tab=Compatibility_Matrix
    # https://wiki.mozilla.org/Security/Guidelines/Web_Security
    add_header X-XSS-Protection "1; mode=block";
    proxy_hide_header X-XSS-Protection;
    add_header X-Download-Options "noopen";
    proxy_hide_header X-Download-Options;
    add_header X-Content-Type-Options "nosniff";
    proxy_hide_header X-Content-Type-Options;
    add_header X-Permitted-Cross-Domain-Policies "none";
    proxy_hide_header X-Permitted-Cross-Domain-Policies;
    add_header Referrer-Policy "no-referrer-when-downgrade";
    proxy_hide_header Referrer-Policy;

    proxy_http_version 1.1;
    proxy_intercept_errors on;
    proxy_read_timeout       3500;
    proxy_connect_timeout    3250;

    proxy_set_header   Host               $host;
    proxy_set_header   X-Forwarded-For    $remote_addr;
    proxy_set_header   X-Forwarded-Host   $host;
    proxy_set_header   X-Forwarded-Port   $server_port;
    proxy_set_header   X-Forwarded-Proto  https;
    proxy_set_header   X-Forwarded-Ssl    on;

    # upgrade is a hop-by-hop header (http://nginx.org/en/docs/http/websocket.html)
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;

    location / {
        # increase the proxy buffer sizes to not run into buffer issues (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffers)
        proxy_buffer_size       128k;
        proxy_buffers           4 256k;
        proxy_busy_buffers_size 256k;

        # No buffering to temp files, it fails for large downloads
        proxy_max_temp_file_size 0;

        # Disable check to allow unlimited body sizes. this allows apps to accept whatever size they want
        client_max_body_size 0;

        # Custom robots.txt
        # location = /robots.txt {
        #     return 200 "";
        # }

        proxy_pass http://127.0.0.1:8001;
    }

}