# https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# PHP 7 starten: /etc/init.d/php7.0-fpm restart

##### Test for new SSL Certs
##### apt update
##### apt install python3 python3-venv libaugeas0
##### pip install -U pip
##### pip install -U certbot
##### certbot renew --standalone --agree-tos -v


user  www-data;
worker_processes 2;  ## Default: 1
error_log  /var/log/nginx/error.log;
pid        /var/log/nginx/nginx.pid;
#worker_rlimit_nofile 18192;
worker_rlimit_nofile 40000;

events {
	worker_connections 46096;
	multi_accept on;
	use epoll;
	#use kqueue;
}


http {
	include /etc/nginx/blocklist.conf;
	error_page 403 =404 /error.html;

	fastcgi_cache_path /dev/shm/ levels=1:2 keys_zone=phpcache:1500m inactive=10080m;
	fastcgi_cache_key "$scheme$request_method$host$request_uri";
	
	include 	/etc/nginx/mime.types;
	include 	/etc/nginx/fastcgi.conf;
	index 		index.html index.htm index.php;
	default_type text/html;

	log_format main '[$time_local] "$request" '
                '$status $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';    
				
	access_log   /var/log/nginx/access.main.log main;
	#server_names_hash_bucket_size 128; # this seems to be required for some vhosts

	read_ahead                512K; # kernel read head set to the output_buffers
	recursive_error_pages     on;
	sendfile                  on;# on for decent direct disk I/O
	sendfile_max_chunk 	  	  1m;
	server_tokens             off;# version number in error pages
	server_name_in_redirect   on; # if off, nginx will use the requested Host header
	source_charset            utf-8; # same value as "charset"
	tcp_nodelay               on;# Nagle buffering algorithm, used for keepalive only
	tcp_nopush                on;

	open_file_cache max=2000 inactive=20s;
	open_file_cache_valid 60s;
	open_file_cache_min_uses 5;
	open_file_cache_errors off;

	etag on;
	gzip on;
	gzip_vary on;
	gzip_http_version 1.1;
	#gzip_static on;
	gzip_min_length 100;
	gzip_proxied any;
	gzip_comp_level 9;
	gzip_buffers 16 8k;

	gzip_types text/plain text/css application/json application/javascript text/javascript application/x-javascript text/xml application/xml application/xml+rss application/x-font-woff font/ttf font/eot font/otf font/woff font/x-woff application/font-woff application/font-woff2 font/woff2 image/svg+xml;

	large_client_header_buffers 8 512k;
	client_max_body_size 250M;
	client_body_buffer_size 1m;
	client_body_timeout 15;
	client_header_timeout 15;
	keepalive_timeout 15;

	client_header_buffer_size 64k;
	client_body_in_file_only clean;
	send_timeout 300s;

	fastcgi_buffers 256 16k;
	fastcgi_buffer_size 230k;
	fastcgi_connect_timeout 3s;
	fastcgi_send_timeout 120s;
	fastcgi_read_timeout 120s;
	fastcgi_busy_buffers_size 512k;
	fastcgi_temp_file_write_size 256k;
	reset_timedout_connection on;
	server_names_hash_bucket_size 100;
	#add_header X-Cache $upstream_cache_status;
	add_header Content-Security-Policy "base-uri 'self'";

	##########
	#### Redirect all Port 80 requests to https with www
	server {
		listen      45.136.28.169:80;
		access_log  off;
		error_log   off;
		server_name www.artikelschreiber.com artikelschreiber.com;
		root /home/www/wwwartikelschreiber;
		return 301 https://www.artikelschreiber.com$request_uri;
	}
	server {
		listen      45.136.28.169:80;
		access_log  off;
		error_log   off;
		server_name www.artikelschreiben.com artikelschreiben.com;
		root /home/www/wwwartikelschreibencom;
		return 301 https://www.artikelschreiben.com$request_uri;
	}
	server {
		listen      45.136.28.169:80;
		access_log  off;
		error_log   off;
		server_name www.unaique.net unaique.net;
		root /home/www/wwwunaiquenet;
		return 301 https://www.unaique.net$request_uri;
	}
	
	server {
		listen 443 ssl;
		ssl_certificate /etc/letsencrypt/live/unaique.net-0002/fullchain.pem; # managed by Certbot
		ssl_certificate_key /etc/letsencrypt/live/unaique.net-0002/privkey.pem; # managed by Certbot
		ssl_trusted_certificate /etc/letsencrypt/live/artikelschreiber.com-0001/chain.pem;
		server_name artikelschreiber.com;
		root /home/www/wwwartikelschreiber;
		return 301 https://www.artikelschreiber.com$request_uri;
	}
	
	server {
		if ($host = artikelschreiber.com) {
			return 301 https://www.artikelschreiber.com$request_uri;
		} # managed by Certbot
		
		charset utf-8;
		 
		server_tokens off;
		listen 45.136.28.169:443 ssl http2;
		listen [::]:443 ssl http2;
	
		server_name www.artikelschreiber.com artikelschreiber.com *.artikelschreiber.com;
		root /home/www/wwwartikelschreiber;
		
		fastcgi_hide_header X-Powered-By;
		add_header Referrer-Policy "no-referrer" always;
		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
		add_header Content-Security-Policy "upgrade-insecure-requests" always;
		add_header X-Content-Type-Options "nosniff";
		add_header X-Frame-Options "SAMEORIGIN";
		add_header X-XSS-Protection "1; mode=block";
		add_header Content-Security-Policy "base-uri 'self';";
		add_header Permissions-Policy "interest-cohort=()";
		
		access_log  /var/log/nginx/artikelschreiber.access.log main;
		error_log   /var/log/nginx/artikelschreiber.error.log;
		expires 3000d;
		limit_rate 0;

		# Closing Slow Connections
		client_body_timeout 60s;
		client_header_timeout 60s;

		# https://www.nginx.com/blog/free-certificates-lets-encrypt-and-nginx/
		ssl_certificate /etc/letsencrypt/live/unaique.net-0002/fullchain.pem; # managed by Certbot
		ssl_certificate_key /etc/letsencrypt/live/unaique.net-0002/privkey.pem; # managed by Certbot
		ssl_trusted_certificate /etc/letsencrypt/live/artikelschreiber.com-0001/chain.pem;
		
		ssl_stapling on;
		ssl_stapling_verify on;
		ssl_session_tickets off;
		ssl_prefer_server_ciphers on;
		ssl_session_cache    shared:SSL:50m;
		ssl_session_timeout  5m;
		ssl_protocols TLSv1.2 TLSv1.3;
		ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;';
		ssl_dhparam /etc/ssl/certs/sec_dhparam.pem;
		ssl_ecdh_curve secp521r1:X448:secp384r1:secp256k1;
		
		resolver 8.8.8.8 8.8.4.4 valid=300s;
		resolver_timeout 5s;
				
	    location / {
			http2_push_preload on;
			index index.html index.htm index.php;
        }
		
		location ~ \.php$ {
			fastcgi_buffer_size 230k;
            fastcgi_buffers 512 32k;
            fastcgi_busy_buffers_size 512k;
            fastcgi_temp_file_write_size 23000k;

			include /etc/nginx/fastcgi.conf;
			fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
		}
		
		# All static files will be served directly.
		location ~* ^.+\.(?:css|cur|jpe?g|gif|htc|woff2|ico|png|html|xml|webp|otf|ttf|eot|woff|svg)$ {
			 access_log off;
			 expires max;
			 tcp_nodelay off;
			 open_file_cache max=3000 inactive=120s;
			 open_file_cache_valid 45s;
			 open_file_cache_min_uses 2;
			 open_file_cache_errors off;
		}

		location ~* .(jpg|jpeg|png|svg|woff|gif|ico|css|html|js)$ {
			access_log        on;
			log_not_found     on;
			expires max;
			add_header Cache-Control "public, max-age=315360000";
		}
		location ~* .(ogg|ogv|svg|svgz|eot|otf|woff|mp4|woff2|webp|ttf|css|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
			expires max;
			log_not_found off;
			access_log off;
			add_header Cache-Control "public, max-age=315360000";
		}
		
		#Block scripts from being run that shouldnt be running
		location ~* .(pl|cgi|py|sh|lua|bak|~|sql|json|yml)$ {
			return 404;
		}

		location ~ /\. {
			access_log on;
			log_not_found on;
		#	deny all;
		}
		
		error_page 404 /static/404.html;
		error_page 403 /static/404.html;
		
		location  /static/404.html {
			internal;
		}
}

}