# http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# http server
server {
    listen       80;
    listen       [::]:80;

    server_name  dev.reports.c2a-systeme.fr;

    location / {
        # redirect everything to HTTPS
        return 301 https://$host$request_uri;
    }
}

# https server
server {
    server_name  dev.reports.c2a-systeme.fr;
    listen       443 http2;
    listen       [::]:443 http2;

    ssl                  on;
    ssl_certificate      /etc/letsencrypt/live/dev.reports.c2a-systeme.fr/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/dev.reports.c2a-systeme.fr/privkey.pem;
    ssl_session_timeout  10m;
    ssl_session_cache shared:SSL:50m;

    # Enable server-side protection against BEAST attacks
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384";
        
    # RFC-7919 recommended: https://wiki.mozilla.org/Security/Server_Side_TLS#ffdhe4096
    ssl_dhparam /etc/ssl/ffdhe4096.pem;
    ssl_ecdh_curve secp521r1:secp384r1;

    # Enable OCSP stapling 
    # ref. http://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/dev.reports.c2a-systeme.fr/fullchain.pem;
    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001] valid=300s; # Cloudflare
    resolver_timeout 5s;

    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/.htpasswd;

    root /var/www/html/c2a-web-app-dev;
    index index.html;

    # Required for LE certificate enrollment using certbot
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /var/www/html;
    }

    location / {
        try_files $uri $uri/ /index.html =404;
    }
}