# --- <SERVER-NAME>

# ---
# see: https://docs.nextcloud.com/server/latest/admin_manual/installation/nginx.html
# ---

server {
   listen 80;
   listen [::]:80;
   server_name <SERVER-NAME>;

   # Enforce HTTPS
   return 308 https://$server_name$request_uri;
}

server {

   listen 443      ssl;
   listen [::]:443 ssl;
   http2 on;

   server_name <SERVER-NAME>;

   # Include location directive for Let's Encrypt ACME Challenge
   #
   # Needed for (automated) updating certificate
   #
   include snippets/letsencrypt-acme-challenge.conf;

   # Use Mozilla's guidelines for SSL/TLS settings
   # https://mozilla.github.io/server-side-tls/ssl-config-generator/
   ssl_certificate     /var/lib/dehydrated/certs/<SERVER-NAME>/fullchain.pem;
   ssl_certificate_key /var/lib/dehydrated/certs/<SERVER-NAME>/privkey.pem;

   # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
   #
   # To generate a dhparam.pem file, run in a terminal
   #    openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
   #
   ssl_dhparam /etc/nginx/ssl/dhparam.pem;

   # Eable session resumption to improve https performance
   ssl_session_cache shared:MozSSL:50m;
   ssl_session_timeout 1d;
   ssl_session_tickets off;

   #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
   # omit SSLv3 because of POODLE
   # omit  TLSv1 TLSv1.1
   ssl_protocols TLSv1.2 TLSv1.3;


   # ECDHE better than DHE (faster)  ECDHE & DHE GCM better than CBC (attacks on AES)
   # Everything better than SHA1 (deprecated)
   #
   # see also:
   #     https://ssl-config.mozilla.org/
   #
   ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
   ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

   # HSTS (ngx_http_headers_module is required) (63072000 seconds)
   add_header Strict-Transport-Security "max-age=63072000" always;

   add_header  X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

   location / {

      # Make sure client_max_body_size is large enough, otherwise there would 
      # be "413 Request Entity Too Large" error when uploading large files.
      client_max_body_size 512M;

      proxy_pass http://localhost:3000;

      proxy_set_header Connection $http_connection;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
   }

}