# - <full-qualified-hostname>

server {
     listen   80;
     listen [::]:80;
     server_name  <full-qualified-hostname>;
     return 301 https://$server_name$request_uri;
}

server {

      listen 443 ssl http2;
      listen [::]:443 ssl http2;

      server_name  <full-qualified-hostname>;

      ssl_certificate /var/lib/dehydrated/certs/<full-qualified-hostname>/fullchain.pem;
      ssl_certificate_key /var/lib/dehydrated/certs/<full-qualified-hostname>/privkey.pem;
      #ssl_trusted_certificate /var/lib/dehydrated/certs/<full-qualified-hostname>/fullchain.pem;

    # - Needed for (automated) updating certificate
    # -
      include snippets/letsencrypt-acme-challenge.conf;


    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    #
    # To generate a dhparam.pem file, run in a terminal
    #    openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
    #
      ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Eable session resumption to improve https performance
      ssl_session_cache shared:SSL:50m;
      ssl_session_timeout 10m;
      ssl_session_tickets off;

      #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
      # omit SSLv3 because of POODLE
      # omit  TLSv1 TLSv1.1
      ssl_protocols TLSv1.2;

    # ECDHE better than DHE (faster)  ECDHE & DHE GCM better than CBC (attacks on AES)
    # Everything better than SHA1 (deprecated)
    #
      ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
      ssl_prefer_server_ciphers on;

      add_header Strict-Transport-Security "max-age=31536000" always;
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Content-Type-Options nosniff;
      #add_header X-Frame-Options "SAMEORIGIN";

      access_log  /var/log/nginx/bigbluebutton.access.log;

	 # Handle RTMPT (RTMP Tunneling).  Forwards requests
	 # to Red5 on port 5080
      location ~ (/open/|/close/|/idle/|/send/|/fcs/) {
          proxy_pass         http://127.0.0.1:5080;
          proxy_redirect     off;
          proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;

          client_max_body_size       10m;
          client_body_buffer_size    128k;

          proxy_connect_timeout      90;
          proxy_send_timeout         90;
          proxy_read_timeout         90;

          proxy_buffering            off;
          keepalive_requests         1000000000;
      }

	 # Handle desktop sharing tunneling.  Forwards
	 # requests to Red5 on port 5080.
       location /deskshare {
           proxy_pass         http://127.0.0.1:5080;
           proxy_redirect     default;
           proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
           client_max_body_size       10m;
           client_body_buffer_size    128k;
           proxy_connect_timeout      90;
           proxy_send_timeout         90;
           proxy_read_timeout         90;
           proxy_buffer_size          4k;
           proxy_buffers              4 32k;
           proxy_busy_buffers_size    64k;
           proxy_temp_file_write_size 64k;
           include    fastcgi_params;
       }

	# BigBlueButton landing page.
        location / {
          root   /var/www/bigbluebutton-default;
          index  index.html index.htm;
	  expires 1m;
        }

	# Include specific rules for record and playback
        include /etc/bigbluebutton/nginx/*.nginx;

        #error_page  404  /404.html;

        # Redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
                root   /var/www/nginx-default;
        }

   # BigBlueButton landing page.
        location = / {
          return 307 /b;
        }

}

