# Robust maxun nginx config file
# DO NOT uncomment commented lines unless YOU know what they mean and YOU know what YOU are doing!
### HTTP server block ###
server {
    server_name maxun.my.domain;
    root /usr/share/nginx/html;
    listen 80;
    server_tokens off;
    return 301 https://$server_name$request_uri;
}
### HTTPS server block ###
server {
### Default config ###
    server_name maxun.my.domain;
    root /usr/share/nginx/html;
    access_log /var/log/nginx/maxun_access.log;
    error_log /var/log/nginx/maxun_error.log info;
    listen 443 ssl;
    http2 on;
    server_tokens off;
### SSL config ###
    ssl_certificate /etc/letsencrypt/live/my.domain/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my.domain/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/my.domain/chain.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    #ssl_ecdh_curve X25519MLKEM768:X25519:prime256v1:secp384r1;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_stapling off;
    ssl_stapling_verify off;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
    ssl_session_timeout 1d;
    ssl_dhparam dh.pem;
    #ssl_conf_command Options KTLS;
### Performance tuning config ###
    client_max_body_size 512M;
    client_body_timeout 300s;
    client_body_buffer_size 256k;
    #pagespeed off;
### Compression ###
 ## gzip ##
    gzip            on;
    gzip_vary       on;
    gzip_comp_level 5;
    gzip_min_length 256;
    gzip_disable    msie6;
    gzip_proxied    expired no-cache no-store private no_last_modified no_etag auth;
    gzip_buffers    16 8k;
    gzip_types      application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 ## brotli: enable only if you have compiled nginx with brotli support!!! ##
    #brotli            on;
    #brotli_static     on;
    #brotli_comp_level 6;
    #brotli_types      application/atom+xml application/javascript application/json application/rss+xml
    #                  application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
    #                  application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
    #                  font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
    #                  image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
### Default headers ###
    add_header Referrer-Policy                   "no-referrer"       always;
    add_header X-Content-Type-Options            "nosniff"           always;
    add_header X-Frame-Options                   "SAMEORIGIN"        always;
    add_header X-Permitted-Cross-Domain-Policies "none"              always;
    add_header X-Robots-Tag                      "noindex, nofollow" always;
    add_header X-XSS-Protection                  "1; mode=block"     always;
    add_header Permissions-Policy                "geolocation=(self), midi=(self), sync-xhr=(self), microphone=(self), camera=(self), magnetometer=(self), gyroscope=(self), fullscreen=(self), payment=(self), interest-cohort=()";
### Proxy rules ###
    # Backend web traffic and websockets
    location  ~ ^/(auth|storage|record|workflow|robot|proxy|api-docs|api|webhook|socket.io)(/|$) {
        proxy_pass http://localhost:8080; #Change the port number to match .env file BACKEND_PORT variable
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    # Frontend web traffic
    location / {
        proxy_pass         http://localhost:5173; #Change the port number to match .env file FRONTEND_PORT variable
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection 'upgrade';
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}