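# nginx main configuration.
#
# Roles of this instance (all derived from the blocks below):
#   * port 80  — ACME challenge responder, everything else redirected to https
#   * port 443 — TLS termination for a Nextcloud install (PHP-FPM upstream),
#                reverse proxy for several LAN services (/git/, /pad/,
#                /jenkins/, /mon/) and a basic-auth protected WebDAV share
#                (/enpass/) served via ngx_http_dav_ext_module.

user nginx;
worker_processes 2;
daemon off;
load_module "modules/ngx_http_dav_ext_module.so";

error_log /var/log/nginx/error-local.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 2000;
}

http {
    server_tokens off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    client_max_body_size 200M;

    gzip on;
    gzip_min_length 1100;
    gzip_buffers 4 8k;
    gzip_types text/plain;

    # caching
    # The cache zone is declared here, but no location below actually enables
    # it with "proxy_cache zone1" (the only candidate, /git/, keeps it commented
    # out on purpose), so these directives are currently inert.
    proxy_cache_path /tmp/nginx-cache levels=1:2 keys_zone=zone1:10m max_size=1G;
    proxy_temp_path /tmp/nginx-proxy 1 2;
    proxy_cache_key "$scheme$request_method$host$request_uri";
    proxy_ignore_headers Expires Cache-Control;
    proxy_cache_use_stale error timeout invalid_header http_502;
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_headers_hash_max_size 1024;
    proxy_headers_hash_bucket_size 128;

    log_format cached '$remote_addr '
                      '"$request" $status $body_bytes_sent '
                      '"$http_referer" "$http_user_agent" $upstream_cache_status';

    # Useragent ACL: works but ubuntu online accounts does not provide any useragent
    #map $http_user_agent $useragent_acl {
    #    default deny;
    #    ~(Desktop|Chrome|Nextcloud-iOS|Nextcloud-android|mirall|Mozilla/5\.0|git|ansible-httpget|Go-http-client) allow;
    #}

    #        _                 _                     _ _
    #  _ __ | |__  _ __       | |__   __ _ _ __   __| | | ___ _ __
    # | '_ \| '_ \| '_ \ _____| '_ \ / _` | '_ \ / _` | |/ _ \ '__|
    # | |_) | | | | |_) |_____| | | | (_| | | | | (_| | |  __/ |
    # | .__/|_| |_| .__/      |_| |_|\__,_|_| |_|\__,_|_|\___|_|
    # |_|         |_|
    #
    # PHP-FPM backend used by the Nextcloud PHP location in the 443 server.
    upstream php-handler {
        server 192.168.86.210:9000;
        #server unix:/var/run/php/php7.2-fpm.sock;
    }

    # Plain-HTTP server: only answers ACME challenges, redirects the rest.
    server {
        listen 80 default_server;
        # root /var/www/null;
        root /var/www/letsencrypt;

        # for letsencrypt / acme-tiny
        location /.well-known {
            try_files $uri $uri/ =404;
        }
        location /.well-known/acme-challenge/ {
            alias /var/www/letsencrypt/;
        }

        location / {
            return 301 https://$host$request_uri;
        }

        # Useragent ACL
        # if ($useragent_acl = deny) {
        #     return 403;
        # }

        # letsencrypt validation
        #location /.well-known/acme-challenge/ {
        #    alias /var/www/letsencrypt/;
        #}

        #if ($http_x_forwarded_proto != "https") {
        #    return 301 https://$host$request_uri;
        #}
    }

    # TLS server: Nextcloud, proxied LAN services, WebDAV share.
    server {
        # NOTE(review): recent nginx releases deprecate "http2" as a listen
        # parameter in favour of a separate "http2 on;" directive — keep this
        # form until the running nginx version is confirmed.
        listen 443 ssl http2 default_server;
        root /var/www;

        # still need TLS1.2 for Lixil Jenkins git pull
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
        # Cipher list notes:
        #  * With OpenSSL, ssl_ciphers governs TLS 1.2 and below only; the
        #    TLS_* names are ignored here (TLS 1.3 suites are selected via the
        #    library's Ciphersuites setting, e.g. ssl_conf_command) — harmless.
        #  * ECDHE-ECDSA suites are only negotiable with an ECDSA certificate,
        #    the plain AES*-GCM suites (static RSA key exchange, no forward
        #    secrecy) only with an RSA one. ECDHE-RSA suites are listed ahead
        #    of the static-RSA ones so an RSA certificate still gets forward
        #    secrecy with ssl_prefer_server_ciphers on; drop the static-RSA
        #    suites once the legacy client noted above no longer needs them.
        ssl_ciphers TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256;
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 10m;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;

        # Security headers for every response of this server.
        # add_header is NOT inherited into a location that sets any add_header
        # of its own — such locations (see the static-asset location below)
        # must repeat the full set.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag "noindex, nofollow";
        add_header X-Download-Options noopen;
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;

        ssl_certificate /home/ssl/xpk.headdesk.me.crt;
        ssl_certificate_key /home/ssl/xpk.headdesk.me.key;

        # filter out PROPFIND in access log
        set $logme 1;
        if ($request_method = PROPFIND) {
            set $logme 0;
        }
        access_log /var/log/nginx/access.log cached if=$logme;

        # Useragent ACL
        # if ($useragent_acl = deny) {
        #     return 403;
        #}

        #location / {
        #    proxy_pass http://192.168.86.10:8080/;
        #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #    proxy_set_header X-Real-IP $remote_addr;
        #    proxy_set_header HTTP_X_FORWARDED_PROTO https;
        #    proxy_set_header Host $host;
        #    proxy_cache_bypass $http_pragma $http_authorization;
        #}

        # letsencrypt validation
        location /.well-known/acme-challenge/ {
            alias /var/www/letsencrypt/;
        }

        fastcgi_hide_header X-Powered-By;

        # CardDAV / CalDAV service discovery for Nextcloud.
        location = /.well-known/carddav {
            return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
        }
        location = /.well-known/caldav {
            return 301 $scheme://$host:$server_port/nextcloud/remote.php/dav;
        }

        location /nextcloud/ {
            rewrite ^ /nextcloud/index.php;
        }

        # Nextcloud internals that must never be served directly.
        location ~ ^\/nextcloud\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
            deny all;
        }
        location ~ ^\/nextcloud\/(?:\.|autotest|occ|issue|indie|db_|console) {
            deny all;
        }

        # Only the whitelisted PHP entry points reach PHP-FPM.
        location ~ ^\/nextcloud\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
            fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
            # try_files below clobbers $fastcgi_path_info, so save it first.
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            fastcgi_param HTTPS on;
            # Avoid sending the security headers twice
            fastcgi_param modHeadersAvailable true;
            # Enable pretty urls
            fastcgi_param front_controller_active true;
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
        }

        location ~ ^\/nextcloud\/(?:updater|oc[ms]-provider)(?:$|\/) {
            try_files $uri/ =404;
            index index.php;
        }

        # Static assets served straight from disk (PHP never sees these, so
        # the headers PHP would otherwise add must come from nginx here).
        location ~ ^\/nextcloud.*\.(?:css|js|woff2?|svg|gif|map)$ {
            try_files $uri /nextcloud/index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463";
            # Full header set repeated: the Cache-Control add_header above
            # discards the server-level add_header directives for this location.
            add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
            add_header X-Frame-Options SAMEORIGIN;
            add_header X-Content-Type-Options nosniff;
            add_header X-XSS-Protection "1; mode=block";
            add_header X-Robots-Tag "noindex, nofollow";
            add_header X-Download-Options noopen;
            add_header X-Permitted-Cross-Domain-Policies none;
            add_header Referrer-Policy no-referrer;
        }

        location ~ ^\/nextcloud.*\.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
            try_files $uri /nextcloud/index.php$request_uri;
        }

        # Reverse-proxied LAN services. HTTP_X_FORWARDED_PROTO is a CGI-style
        # variable name rather than an HTTP header name; the standard
        # X-Forwarded-Proto header is sent alongside it so upstreams that
        # honour the conventional header learn the request was TLS-terminated.
        location /git/ {
            proxy_pass http://192.168.86.53:3000/;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header HTTP_X_FORWARDED_PROTO https;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            # caching: do not enable, causes cross account caching!
            # proxy_cache zone1;
            # proxy_cache_valid 200 302 5m;
            # proxy_cache_valid any 10m;
        }

        location /pad/ {
            proxy_pass http://192.168.86.51:9001/;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header HTTP_X_FORWARDED_PROTO https;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_cookie_path / "/pad; HTTPOnly; Secure";
            # NOTE(review): the first argument of proxy_cookie_flags is an
            # exact cookie name (or a ~regex); if the upstream's cookie is not
            # literally named "express" these flags never apply — confirm
            # against the upstream's Set-Cookie and use a ~ pattern if needed.
            proxy_cookie_flags express secure httponly;
        }

        location /jenkins/ {
            proxy_pass http://192.168.86.55:8080/jenkins/;
            proxy_redirect default;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header HTTP_X_FORWARDED_PROTO https;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
        }

        location /mon/ {
            proxy_pass http://192.168.86.57/;
            proxy_buffering off;
            proxy_redirect default;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header HTTP_X_FORWARDED_PROTO https;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_cookie_path / "/mon; HTTPOnly; Secure";
            # NOTE(review): same exact-name caveat as in /pad/ above.
            proxy_cookie_flags express secure httponly;
        }

        # Basic-auth protected WebDAV share with directory listing.
        location /enpass/ {
            root /var/www;
            auth_basic enpass;
            auth_basic_user_file /var/www/enpass/.htpass;
            dav_methods PUT DELETE MKCOL COPY MOVE;
            dav_ext_methods PROPFIND OPTIONS;
            dav_access user:rw group:rw all:r;
            create_full_put_path on;
            autoindex on;

            # The password file lives inside the very directory this location
            # serves, lists (autoindex) and exposes for PUT/DELETE over DAV, so
            # any authenticated user could otherwise fetch the hashes or
            # overwrite the file. Deny every .ht* path here; moving the file
            # outside the web root is the better long-term fix.
            location ~ /\.ht {
                deny all;
            }
        }
    }
}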