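# nginx front end: terminates TLS and serves a Nextcloud install via PHP-FPM,
# and reverse-proxies a git web service (/git/, :3000) and a pad service
# (/pad/, :9001). Port 80 only redirects to HTTPS.
user nginx;
worker_processes 1;

#error_log /var/log/nginx/error.log warn;
error_log /var/log/nginx/error-local.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 2000;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    sendfile on;
    keepalive_timeout 65;
    # Large uploads for Nextcloud; set at http level so it applies to every
    # server/location below, including the proxied services.
    client_max_body_size 900M;

    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 8k;
    gzip_types text/plain;

    # Proxy cache (only the /git/ location below enables it).
    proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=zone1:10m max_size=1G;
    proxy_temp_path /tmp/nginx-proxy 1 2;
    # The key carries no user/credential component, so anything stored is
    # served to every client; the no_cache/bypass rules must keep
    # authenticated responses out of the cache.
    proxy_cache_key "$scheme$request_method$host$request_uri";
    # Origin Expires/Cache-Control (including "private"/"no-store") are
    # ignored, so cacheability is decided solely by proxy_cache_valid and the
    # bypass rules below.
    proxy_ignore_headers Expires Cache-Control;
    proxy_cache_use_stale error timeout invalid_header http_502;
    # http-level defaults. A location that declares its own proxy_no_cache /
    # proxy_cache_bypass replaces these rather than extending them.
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_headers_hash_max_size 1024;
    proxy_headers_hash_bucket_size 128;

    log_format cached '$remote_addr '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent" $upstream_cache_status';

    # User-agent ACL. This is noise filtering, not an access control: the
    # header is chosen by the client and the allow list includes
    # "Mozilla/5.0", which practically any client can send. Requests with no
    # User-Agent header fall into "deny".
    map $http_user_agent $useragent_acl {
        default deny;
        ~(Chrome|Nextcloud-iOS|Nextcloud-android|mirall|Nokia|Mozilla/5\.0|git) allow;
    }

    upstream php-handler {
        server 192.168.86.4:9000;
        #server unix:/var/run/php/php7.2-fpm.sock;
    }

    # Plain HTTP: redirect everything to HTTPS.
    # The redirect used to be conditional on $http_x_forwarded_proto, which is
    # a client-supplied header: sending "X-Forwarded-Proto: https" to port 80
    # skipped the redirect and had the request served from this server over
    # cleartext. TLS is terminated by the 443 server below, so no trusted
    # proxy sets that header here; redirect unconditionally.
    server {
        listen 80 default_server;
        root /var/www/null;

        # Useragent ACL
        # if ($useragent_acl = deny) {
        #     return 403;
        # }

        # $host is the client-supplied Host header (no server_name is
        # configured); setting a server_name would pin the redirect target.
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl http2 default_server;
        #root /var/www/null;
        # Requests matched by none of the locations below are served
        # statically from here (e.g. /foo -> /var/www/foo), so keep /var/www
        # free of anything that must not be public.
        root /var/www;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384';
        ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;

        # Security headers for every response of this server.
        # NOTE: add_header is not inherited into a location that declares its
        # own add_header, so any such location must repeat this whole set.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;

        ssl_certificate /etc/letsencrypt/live/xpk.headdesk.me/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/xpk.headdesk.me/privkey.pem;

        # filter out PROPFIND in access log
        set $logme 1;
        if ($request_method = PROPFIND) {
            set $logme 0;
        }
        access_log /var/log/nginx/access.log cached if=$logme;

        # Useragent ACL (see the map above for what this does and does not protect)
        if ($useragent_acl = deny) {
            return 403;
        }

        #location / {
        #    proxy_pass http://192.168.86.10:8080/;
        #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #    proxy_set_header X-Real-IP $remote_addr;
        #    proxy_set_header HTTP_X_FORWARDED_PROTO https;
        #    proxy_set_header Host $host;
        #    proxy_cache_bypass $http_pragma $http_authorization;
        #}

        fastcgi_hide_header X-Powered-By;

        location = /.well-known/carddav {
            return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
        }
        location = /.well-known/caldav {
            return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
        }

        location /nextcloud/ {
            rewrite ^ /nextcloud/index.php;
        }

        # Regex locations are tried in file order. The two deny rules must
        # stay ahead of the static-asset rules further down, which would
        # otherwise happily serve e.g. /nextcloud/data/<file>.css.
        location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
            deny all;
        }
        location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }

        location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
            set $path_info $fastcgi_path_info;
            # Only pass scripts that actually exist on disk to PHP-FPM
            # (defends against PATH_INFO-style execution of uploaded files).
            try_files $fastcgi_script_name =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            fastcgi_param HTTPS on;
            # Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
            # Enable pretty urls
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }

        location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) {
            try_files $uri/ =404;
            index index.php;
        }

        location ~ ^\/nextcloud.*\.(?:css|js|woff2?|svg|gif|map)$ {
            try_files $uri /nextcloud/index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463";
            # Declaring add_header here discards the server-level set, so the
            # security headers are repeated in full. HSTS and X-Frame-Options
            # were previously missing from these responses.
            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
            add_header X-Frame-Options SAMEORIGIN;
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag none;
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            add_header Referrer-Policy no-referrer;
        }

        location ~ ^\/nextcloud.*\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
            try_files $uri /nextcloud/index.php$request_uri;
        }

        location /git/ {
            proxy_pass http://192.168.86.53:3000/;
            # $remote_addr rather than $proxy_add_x_forwarded_for: a
            # client-supplied X-Forwarded-For is not trusted or forwarded.
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Real-IP $remote_addr;
            # Was "HTTP_X_FORWARDED_PROTO" - that is the CGI variable name, not
            # the HTTP header name; upstreams look for X-Forwarded-Proto.
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $host;

            # caching
            proxy_cache zone1;
            proxy_cache_valid 200 302 5m;
            proxy_cache_valid any 10m;
            # Never store or serve from cache for requests that carry
            # credentials. The cache key has no user component and origin
            # Cache-Control is ignored (see http block), so a logged-in user's
            # response would otherwise be handed to anonymous clients for up to
            # 10 minutes. The http-level rule only looks at a cookie literally
            # named "session", which this upstream is not known to use.
            proxy_no_cache $http_cookie $http_authorization;
            proxy_cache_bypass $http_cookie $http_authorization;
        }

        location /pad/ {
            proxy_pass http://192.168.86.5:9001/;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Real-IP $remote_addr;
            # Same header-name fix as in /git/.
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $host;
        }
    }
}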