client_max_body_size 20M;  # max upload size


### Gunicorn servers ###

upstream gunicorn {
    server 127.0.0.1:8000 fail_timeout=0;
    keepalive 16;
}

### Catch-all ###

server {
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name _;
    include /etc/nginx/snippets/snakeoil.conf;
    return 444;
}

### Main websites ###

server {
    listen 443 ssl;
    server_name www.{{ domain_name }};
    charset utf-8;

    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

    {% if letsencrypt_email %}
    ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
    {% else %}
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_trusted_certificate /etc/nginx/ssl/server.crt;
    {% endif %}

    add_header Strict-Transport-Security "max-age=60; includeSubDomains" always;

    rewrite "/static/\d+/(.*)" /static/$1 last;

    location /static/ {
        alias {{ static_root }}/;
        expires 30d;
        add_header Cache-Control "public, no-transform";
    }

    location /media/ {
        alias {{ media_root }}/;
        expires 30d;
        add_header Cache-Control "public, no-transform";
    }

    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
        try_files $uri $uri/ =404;
    }

    location / {
        proxy_pass http://gunicorn;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_redirect off;
        proxy_buffering off;
    }

    keepalive_disable msie6;
    keepalive_requests 100000;
    keepalive_timeout 60;
    tcp_nodelay on;

    gzip on;               # enable gzip
    gzip_http_version 1.1; # turn on gzip for http 1.1 and higher
    gzip_disable "msie6";  # IE 6 had issues with gzip
    gzip_comp_level 5;     # inc compresion level, and CPU usage
    gzip_min_length 100;   # minimal weight to gzip file
    gzip_proxied any;      # enable gzip for proxied requests (e.g. CDN)
    gzip_buffers 16 8k;    # compression buffers (if we exceed this value, disk will be used instead of RAM)
    gzip_vary on;          # add header Vary Accept-Encoding (more on that in Caching section)

    # define files which should be compressed
    gzip_types text/plain;
    gzip_types text/css;
    gzip_types application/javascript;
    gzip_types application/json;
    gzip_types application/vnd.ms-fontobject;
    gzip_types application/x-font-ttf;
    gzip_types font/opentype;
    gzip_types image/svg+xml;
    gzip_types image/x-icon;

    client_body_timeout   30;
    client_header_timeout 30;
    send_timeout          30;
}

### Redirections ###

server {
    listen 443 ssl;
    server_name {{ domain_name }};

    ssl_session_cache shared:le_nginx_SSL:1m;
    ssl_session_timeout 1440m;

    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

    {% if letsencrypt_email %}
    ssl_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
    {% else %}
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_trusted_certificate /etc/nginx/ssl/server.crt;
    {% endif %}

    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
        try_files $uri $uri/ =404;
    }

    location / {
        return 301 https://www.{{ domain_name }}$request_uri;
    }
}

server{
    listen 80;
    server_name {{ domain_name }} www.{{ domain_name }};

    location /.well-known/acme-challenge {
        root /var/www/letsencrypt;
        try_files $uri $uri/ =404;
    }

    location / {
        return 301 https://www.{{ domain_name }}$request_uri;
    }
}