# Base configuration from Mozilla SSL Configuration Generator
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.10.1&openssl=1.0.1e&hsts=yes&profile=intermediate

server {
    # Password protection.  Placed at the top of the file to make it easier to remove.
    # Comment out the following 5 lines of code to remove password protection.
    # (Remember to run `sudo service nginx reload` after saving)
    satisfy any;
    deny all;

    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/htpasswd;
    # End password protection

    # SSL configuration
    server_name {{ domain_names }};
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/letsencrypt/live/{{ fallback_domain_name }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ fallback_domain_name }}/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    ssl_dhparam /etc/ssl/dhparam.pem;

    # intermediate configuration. tweak to your needs.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    # OCSP Stapling ---
    # fetch OCSP records from URL in ssl_certificate and cache them
    ssl_stapling on;
    ssl_stapling_verify on;

    ## verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/{{ fallback_domain_name }}/chain.pem;

    resolver 8.8.8.8;

    # Project configuration
    charset utf-8;
    server_tokens off;

    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;

    proxy_buffer_size 128k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;

    client_max_body_size 15M;

    # Make TCP send multiple buffers as individual packets.
    tcp_nodelay on;

    # Send half empty (or half full) packets.
    tcp_nopush on;

    location /static/ {
        alias   /var/www/{{ project }}_static/;
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
        gzip_static on;
        gzip_vary on;
    }

    location /media/ {
        alias   /var/www/{{ project }}_media/;
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
    }

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header Authorization "";
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;

        # Try to serve static files from nginx, no point in making an
        # *application* server like Unicorn/Rainbows! serve static files.
        if (!-f $request_filename) {
            proxy_pass http://wsgi_server;
            break;
        }
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name {{ domain_names }};
    return 301 https://$host$request_uri;
}
