# Nginx configuration for HTTPS only

server_tokens off;
add_header X-XSS-Protection "1; mode=block";
add_header X-Content-Type-Options nosniff;

upstream dev_tomcat_1 {
    server tomcat;
}

# HTTP
server {
    listen 80 default_server;
    listen [::]:80 default_server;
		gzip on;
		gzip_static on;
		gzip_vary on;
		gzip_http_version 1.1;
		gzip_min_length 700;
		gzip_comp_level 6;
    server_name ${NGINX_HOST};
    error_log  /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;
    root /var/www/html/public;
		index index.php index.html index.htm index.jsp;

    # Redirect all requests to HTTPS on :443
    location / {
        rewrite ^ https://$host$request_uri? permanent;
    }

    ####### Proxies #######
    # PHP proxy
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass php:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    # Tomcat proxy
    location ~ \.(do|jspa|obr|jsp) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://tomcat:8082;
    }

    ####### Protections and efficiencies #######
    # Deny access to files beginning with .ht, such as .htaccess and .htpasswd
    location ~ /\.ht {
    		deny all;
    }

    # Instructs visitor browser to cache files for 1 month
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 1M;
    }

    # Deny access to version control system directories.
    location ~ /\.svn|/\.git {
        deny all;
        internal;
    }

    # Certbot for HTTPS cert renewal
    location ^~ /.well-known {
        allow all;
        root  /data/letsencrypt/;
    }

    ####### PHPBB Forum #######
    # PHPBB forum
		location /board {
				index index.php index.html index.htm;
        try_files $uri $uri/ @rewriteapp;
    }

    # PHPBB installer rewrite
    location /install/ {
        try_files $uri $uri/ @rewrite_installapp;
		}

    location @rewriteapp {
    		rewrite ^(.*)$ /app.php/$1 last;
    }

    # Deny access to internal phpbb files.
    location ~ /board(config\.php|common\.php|files|images/avatars/upload|includes|(?<!ext/)phpbb|store|vendor) {
    		deny all;
        internal;
		}

    location @rewrite_installapp {
        rewrite ^(.*)$ /board/install/app.php/$1 last;
    }
}

# HTTPS
server {
    listen      443           ssl http2;
    listen [::]:443           ssl http2;
    server_name               ${NGINX_HOST};
    add_header                Strict-Transport-Security "max-age=31536000" always;
    ssl_session_cache         shared:SSL:20m;
    ssl_session_timeout       10m;
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers               "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
    ssl_stapling              on;
    ssl_stapling_verify       on;
    resolver                  8.8.8.8 1.1.1.1;
    ssl_certificate           /etc/letsencrypt/live/openrsc.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/openrsc.com/privkey.pem;
    ssl_trusted_certificate   /etc/letsencrypt/live/openrsc.com/chain.pem;
    index index.php index.html index.jsp;
    error_log  /var/log/nginx/error.log;
    access_log /var/log/nginx/access.log;
    root /var/www/html/public;

    ####### Proxies #######
    # PHP proxy
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass php:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    # Tomcat proxy
    location ~ \.(do|jspa|obr|jsp) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://tomcat:8082;
    }

    ####### Protections and efficiencies #######
    # Deny access to files beginning with .ht, such as .htaccess and .htpasswd
    location ~ /\.ht {
    		deny all;
    }

    # Block accidental directory listing
    location / {
        try_files $uri $uri/ =404;
     }

    # Instructs visitor browser to cache files for 1 month
    location ~* \.(jpg|jpeg|png|gif|ico|css|js)$ {
        expires 1M;
    }

    # Deny access to version control system directories.
    location ~ /\.svn|/\.git {
        deny all;
        internal;
    }

    # Certbot for HTTPS cert renewal
    location ^~ /.well-known {
        allow all;
        root  /data/letsencrypt/;
    }

    ####### PHPBB Forum #######
    # PHPBB forum
		location /board {
				index index.php index.html index.htm;
        try_files $uri $uri/ @rewriteapp;
    }

    # PHPBB installer rewrite
    location /install/ {
        try_files $uri $uri/ @rewrite_installapp;
		}

    location @rewriteapp {
    		rewrite ^(.*)$ /app.php/$1 last;
    }

    # Deny access to internal phpbb files.
    location ~ /board(config\.php|common\.php|files|images/avatars/upload|includes|(?<!ext/)phpbb|store|vendor) {
    		deny all;
        internal;
		}

    location @rewrite_installapp {
        rewrite ^(.*)$ /board/install/app.php/$1 last;
    }

}