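#user nobody;
worker_processes 1;

# Error log levels: debug | info | notice | warn | error | crit | alert | emerg
error_log logs/error.log warn;
pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    # rewrite information is written to error_log file
    #rewrite_log on;

    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    access_log logs/access.log;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    #keepalive_timeout 65;
    keepalive_timeout 3;

    # gzip is enabled for the whole http context here. The TLS server block
    # below turns it off again, because compressing responses over TLS exposes
    # them to compression side-channel attacks (BREACH); a commented-out
    # "#gzip on;" in that block does not disable it.
    gzip on;
    #gzip_http_version 1.1;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript text/x-js image/x-icon image/bmp image/svg+xml;
    gzip_buffers 16 8k;
    gzip_disable "MSIE [1-6]\.(?!.*SV1)";

    #php max upload limit cannot be larger than this
    client_max_body_size 100m;

    # Upstream to abstract backend connection(s) for PHP.
    upstream php {
        #this should match value of "listen" directive in php-fpm pool
        #server unix:/tmp/php-fpm.sock;
        server 127.0.0.1:9000;
    }

    include sites-enabled/*;

    server_names_hash_bucket_size 64;

    # Plain-HTTP virtual host: proxies to the Domino server without TLS.
    server {
        listen 10.0.0.20:80;
        server_name acme.com *.acme.com;

        location / {
            # Serve the 503 maintenance page while html/maintenance.html exists.
            if (-f html/maintenance.html) {
                return 503;
            }

            # Headers to forward to Domino server.
            # NOTE(review): nginx parses "$WSRA", "$WSRH", "$WSSN" and "$WSIS"
            # below as variable references, not as literal header names. Unless
            # those variables are defined in an included file, nginx normally
            # refuses to start with an unknown-variable error. Sending the
            # literal dollar-prefixed WebSphere/Domino plug-in header names
            # needs a variable that expands to "$" (e.g. one defined with the
            # geo module) — confirm against the running deployment.
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header $WSRA $remote_addr;
            proxy_set_header $WSRH $remote_addr;
            proxy_set_header $WSSN $host;
            # This vhost listens on plain HTTP, so the request is NOT secure;
            # per the plug-in header description below, $WSIS must be False
            # here. The TLS vhost is the one that sets it to True.
            proxy_set_header $WSIS False;

            # Forward traffic to port 80 on the target server or redirect traffic to https
            proxy_pass http://www.acme.com:80;
            #return 301 https://www.acme.com$request_uri;
        }

        # Same clickjacking protection as the TLS vhost.
        add_header X-Frame-Options SAMEORIGIN;

        # Error pages.
        error_page 503 /maintenance.html;
        location = /maintenance.html {
            root html/;
        }
    }

    # TLS virtual host: TLS terminates here; the hop to the Domino server is
    # plain HTTP (see proxy_pass below).
    server {
        listen 10.0.0.20:443 ssl http2;
        server_name acme.com *.acme.com;

        # gzip should not be used with ssl (BREACH). The http-level "gzip on"
        # above would otherwise apply to this vhost, so it is turned off here
        # explicitly.
        gzip off;

        location / {
            # Serve the 503 maintenance page while html/maintenance.html exists.
            if (-f html/maintenance.html) {
                return 503;
            }

            proxy_read_timeout 240;

            # Traffic is passed to server on port 80 (unencrypted backend hop).
            proxy_pass http://www.acme.com:80;
            proxy_redirect off;
            proxy_buffering off;
            #proxy_read_timeout 180;

            # WebSphere/Domino HTTP plug-in request headers (from the plug-in
            # documentation):
            # $WSAT: The Auth Type that is being used to make this request.
            # $WSCC: The Client Certificate used for this request. If the value is
            #        not base64 encoded for us by the Web server, then the plug-in
            #        will base64 encode it before sending it across to the
            #        application server.
            #        Restriction: If you enable this, it is assumed you know what
            #        you're doing, and how to protect direct access to the port at
            #        which the embedded http is listening.
            #        Note: If you set the LogLevel to TRACE in the plugin XML
            #        config file, it is possible to see what headers are actually
            #        added for a given request.
            # $WSCS: The cipher suite that the Web server negotiated with the
            #        client. This is not necessarily the cipher suite that the
            #        plug-in will use to send the request across to the
            #        application server.
            # $WSIS: This header will be set to either True or False depending on
            #        whether or not the request is secure (came in over SSL/TLS).
            # $WSSC: The scheme being used for the request. This header will
            #        normally be set to either http or https.
            # $WSPR: The HTTP protocol level being used for this request. The
            #        plug-in currently has support for up to HTTP/1.1 requests.
            # $WSRA: The remote IP address of the machine the client is running on.
            # $WSRH: The remote host name of the machine the client is running on.
            #        If the hostname can't be resolved, this header should be set
            #        to the IP address.
            # $WSRU: The remote user specified for the given request.
            # $WSSN: The server name used for this request. This should be the
            #        value that was specified in the HOST header of the incoming
            #        request.
            # $WSSP: The server port that the request was received on. This will
            #        be the port value that is used in route determination.
            # $WSSI: The SSL Session ID being used for this request. If the value
            #        is not base64 encoded for us by the Web server, the plug-in
            #        will base64 encode it before sending it across to the
            #        application server.
            #
            # NOTE(review): only the four plug-in headers below are set by this
            # proxy. Any other header from the list (for example the $WSRU
            # identity header) is not overridden here, so a copy supplied by the
            # client would be passed through to the backend unchanged; if the
            # backend trusts such headers, set them explicitly (an empty value
            # drops the header).
            # NOTE(review): as in the HTTP vhost, "$WSRA" etc. are read by nginx
            # as variable references; confirm how the literal header names are
            # produced in the running deployment.

            # Headers to forward to Domino server
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header $WSRA $remote_addr;
            proxy_set_header $WSRH $remote_addr;
            proxy_set_header $WSSN $host;
            proxy_set_header $WSIS True;
        }

        # Following setting obsolete - SSL is specified in the 'Listen' line above
        #ssl on;

        # specify path to signer root / bundled certificates
        ssl_certificate /nginx/conf/ssl-certs-bundle.crt;
        # specify path to the file containing the domain name private key
        ssl_certificate_key /nginx/conf/acme.key;
        # ssl_session_timeout has no effect on resumption without a session
        # cache; enable the cache if resumption is wanted.
        #ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_prefer_server_ciphers on;
        # Only TLS 1.2 is offered: SSLv2/SSLv3 and TLS 1.0/1.1 are disabled.
        ssl_protocols TLSv1.2;
        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam /nginx/conf/dhparam.pem;
        # Cipher list. The 3DES suites (ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA,
        # DES-CBC3-SHA) were removed and "!3DES" added: 64-bit block ciphers are
        # subject to the SWEET32 attack, and "!DES" alone does not exclude them.
        # The remaining static-RSA suites (AES256-SHA etc.) have no forward
        # secrecy and are kept only for client compatibility; (EC)DHE suites are
        # listed first so they are preferred.
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";

        add_header X-Frame-Options SAMEORIGIN;

        # Error pages.
        error_page 503 /maintenance.html;
        location = /maintenance.html {
            root html/;
        }
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen 8000;
    #    listen somename:8080;
    #    server_name somename alias another.alias;
    #
    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    #server {
    #    listen 443 ssl;
    #    server_name localhost;
    #
    #    ssl_certificate cert.pem;
    #    ssl_certificate_key cert.key;
    #
    #    ssl_session_cache shared:SSL:1m;
    #    ssl_session_timeout 5m;
    #
    #    ssl_ciphers HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers on;
    #
    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}
}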