# http://nginx.org/en/docs/http/websocket.html
# http://nginx.org/en/docs/http/websocket.html
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# http server
server {
    listen       80;
    listen       [::]:80;

    server_name  www.c2a-systeme.fr;

    location / {
        # redirect everything to HTTPS
        return 301 https://$host$request_uri;
    }
}

# https server
server {
    server_name  www.c2a-systeme.fr;
    listen       443 http2;
    listen       [::]:443 http2;

    ssl                  on;
    # paths are relative to prefix and not to this file
    ssl_certificate      /etc/letsencrypt/live/www.c2a-systeme.fr/cert.pem;
    ssl_certificate_key  /etc/letsencrypt/live/www.c2a-systeme.fr/privkey.pem;
    ssl_session_timeout  5m;
    ssl_session_cache shared:SSL:50m;

    # https://bettercrypto.org/static/applied-crypto-hardening.pdf
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # https://cipherli.st/
    # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # don't use SSLv3 ref: POODLE

    # ciphers according to https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.3&openssl=1.0.2g&hsts=yes&profile=modern
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    add_header Strict-Transport-Security "max-age=15768000";

    root /var/www/html/c2a-web-platform;
    index index.html;

    location / {
        try_files $uri $uri/ /index.html =404;
    }
}