user  www-data;
worker_processes  auto;  ## Default: 1
error_log  /home/logs/error.log;
pid        /home/logs/nginx.pid;
worker_rlimit_nofile 18192;

events {
  worker_connections  1096;  ## Default: 1024
}

http {
	include    conf/mime.types;
	#include    /etc/nginx/proxy.conf;
	include    /etc/nginx/fastcgi.conf;
	index    index.html index.htm index.php;
		
    default_type application/octet-stream;
	log_format   main '$remote_addr - $remote_user [$time_local]  $status '
		'"$request" $body_bytes_sent "$http_referer" '
		'"$http_user_agent" "$http_x_forwarded_for"';
	
	access_log   /home/logs/access.log  main;
	sendfile     on;
	tcp_nopush   on;
	#server_names_hash_bucket_size 128; # this seems to be required for some vhosts

	fastcgi_buffers 8 16k;
	fastcgi_buffer_size 32k;
	fastcgi_connect_timeout 300;
	fastcgi_send_timeout 300;
	fastcgi_read_timeout 300;

    gzip on;
	gzip_disable "msie6";

	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 9;
	gzip_buffers 16 8k;
	
	gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
	
	client_body_buffer_size 10K;
	client_header_buffer_size 1k;
	client_max_body_size 2048M;
	large_client_header_buffers 2 1k;
	
	client_body_timeout 12;
	client_header_timeout 12;
	keepalive_timeout 25;
	send_timeout 10;
	
	server {
		server_tokens off;
		listen 217.79.184.47:80;
		server_name www.onetipp.com;
		return 301 https://www.onetipp.com$request_uri;
    }
	server {
		server_tokens off;
		listen 217.79.184.47:80;
		server_name www.onetipp.net;
		return 301 https://www.onetipp.net$request_uri;
    }
	
    server {
		server_tokens off;
		
		listen       443 ssl http2;
		server_name  www.onetipp.com;
		access_log   /home/logs/www.onetipp.com.access.log  main;
		root         /home/www/www.onetipp.com/;
			
		if ($uri ~* "/" ) {set $no_cache 1;}
		
		# Closing Slow Connections
		client_body_timeout 5s;
		client_header_timeout 5s;
			
		ssl_certificate /etc/letsencrypt/live/www.onetipp.com/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/www.onetipp.com/privkey.pem;
		
		ssl_prefer_server_ciphers on;
		ssl_session_cache    shared:SSL:10m;
		ssl_session_timeout  5m;
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
		ssl_dhparam /etc/ssl/certs/dhparam.pem;
		
		ssl_stapling on;
		ssl_session_tickets off; 
		ssl_stapling_verify on;
		
		resolver 8.8.8.8;
		resolver_timeout 5s;
		
		location ~ \.php$ {
			include fastcgi.conf;
			#fastcgi_pass  127.0.0.1:9000;
			fastcgi_pass unix:/var/run/php5-fpm.sock;
		}
		location ~ / {
			auth_basic "Restricted";
			auth_basic_user_file /etc/nginx/.htpasswd;
		}
		add_header X-Frame-Options SAMEORIGIN;
		add_header X-Content-Type-Options nosniff;
		add_header X-XSS-Protection "1; mode=block";
		add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	  }
	  
	  server {
		server_tokens off;
		
		listen       443 ssl http2;
		server_name  cloud.onetipp.com;
		access_log   /home/logs/cloud.onetipp.com.access.log  main;
		root         /home/www/cloud.onetipp.com/;
		
		# Closing Slow Connections
		client_body_timeout 5s;
		client_header_timeout 5s;
		
		#auth_basic "Restricted";
		#auth_basic_user_file /etc/nginx/.htpasswd;
	
		ssl_certificate /etc/letsencrypt/live/cloud.onetipp.com/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/cloud.onetipp.com/privkey.pem;
		
		ssl_prefer_server_ciphers on;
		ssl_session_cache    shared:SSL:10m;
		ssl_session_timeout  5m;
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
		ssl_dhparam /etc/ssl/certs/dhparam.pem;
		
		ssl_stapling on;
		ssl_session_tickets off; 
		ssl_stapling_verify on;
		
		resolver 8.8.8.8;
		resolver_timeout 5s;
		
	#	location ~ \.php$ {
	#		include fastcgi.conf;
	#		#fastcgi_pass  127.0.0.1:9000;
	#		fastcgi_pass unix:/var/run/php5-fpm.sock;
	#	}
		
		add_header X-Frame-Options SAMEORIGIN;
		add_header X-Content-Type-Options nosniff;
		add_header X-XSS-Protection "1; mode=block";
		add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	  
		rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
		rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
		rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

		index index.php;
		error_page 403 /core/templates/403.php;
		error_page 404 /core/templates/404.php;
		 
		location = /robots.txt {
			allow all;
			log_not_found off;
			access_log off;
		}

		location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){
			deny all;
		}

		location / {
			# The following 2 rules are only needed with webfinger
			rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
			rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

			rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
			rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

			rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

			try_files $uri $uri/ /index.php;
		}

		location ~ \.php(?:$|/) {
			include fastcgi.conf;
			fastcgi_pass unix:/var/run/php5-fpm.sock;
			fastcgi_split_path_info ^(.+\.php)(/.+)$;
			fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
			fastcgi_param PATH_INFO $fastcgi_path_info;
			fastcgi_param HTTPS on;
			fastcgi_intercept_errors on;
		}

		# Adding the cache control header for js and css files
		# Make sure it is BELOW the location ~ \.php(?:$|/) { block
		location ~* \.(?:css|js)$ {
			add_header Cache-Control "public, max-age=7200";
			# Add headers to serve security related headers
			add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
			add_header X-Content-Type-Options nosniff;
			add_header X-Frame-Options "SAMEORIGIN";
			add_header X-XSS-Protection "1; mode=block";
			add_header X-Robots-Tag none;
			# Optional: Don't log access to assets
			access_log off;
		}

		# Optional: Don't log access to other assets
		location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
			access_log off;
		}
	  }
	  
	  server {
		server_tokens off;
		
		listen       443 ssl http2;
		server_name  www.onetipp.net;
		access_log   /home/logs/www.onetipp.net.access.log  main;
		root         /home/www/www.onetipp.net/;
		
		# Closing Slow Connections
		client_body_timeout 5s;
		client_header_timeout 5s;
		
		ssl_certificate /etc/letsencrypt/live/onetipp.net/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/onetipp.net/privkey.pem;
		
		ssl_prefer_server_ciphers on;
		ssl_session_cache    shared:SSL:10m;
		ssl_session_timeout  5m;
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
		ssl_dhparam /etc/ssl/certs/dhparam.pem;
		
		ssl_stapling on;
		ssl_session_tickets off; 
		ssl_stapling_verify on;
		
		resolver 8.8.8.8;
		resolver_timeout 5s;
		
		location ~ \.php$ {
			include fastcgi.conf;
			#fastcgi_pass  127.0.0.1:9000;
			fastcgi_pass unix:/var/run/php5-fpm.sock;
		}
		
		add_header X-Frame-Options SAMEORIGIN;
		add_header X-Content-Type-Options nosniff;
		add_header X-XSS-Protection "1; mode=block";
		add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	  }
}