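#@@@ nginx virtual server configuration

### make link
# $ ln -s /etc/nginx/sites-available/DOMAIN_NAME.TLD /etc/nginx/sites-enabled/
# $ nginx -t
# $ systemctl restart nginx

### letsencrypt
# $ cd /PATH_NAME/www
# $ mkdir _.letsencrypt
# $ certbot-auto certonly -a webroot --webroot-path=/PATH_NAME/www/_.letsencrypt/ --expand -d DOMAIN_NAME.TLD,www.DOMAIN_NAME.TLD
# $ systemctl restart nginx

### Expires map
# if you have more than one domain, place this block in a separate file
# (a map variable is http-level and may be defined only once per nginx instance)
# https://www.digitalocean.com/community/tutorials/how-to-implement-browser-caching-with-nginx-s-header-module-on-ubuntu-16-04
map $sent_http_content_type $expires {
    default                 off;
    text/html               epoch;
    text/css                max;
    application/javascript  max;
    text/javascript         max;
    ~image/                 max;
}

### WebSocket upgrade map
# Send "Connection: upgrade" to the backend only when the client actually
# asked for a protocol upgrade; ordinary HTTP/1.1 requests get "close".
# Like the expires map, this is http-level and must exist only once.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

#@@@ DOMAIN_NAME.TLD : 80
server {
    listen 80;
    server_name DOMAIN_NAME.TLD www.DOMAIN_NAME.TLD;
    # $host is taken from the client's Host header. That is fine while this
    # block answers only for the names above; if it ever becomes the default
    # server on :80, requests for unknown hosts would be redirected to whatever
    # name the client sent, so keep a separate default_server for those.
    return 301 https://$host$request_uri;
}

#@@@ DOMAIN_NAME.TLD : 443

### load balancing
upstream _DOMAIN_NAME_server {
    # ip_hash pins a client to one backend, which the WebSocket/socket.io
    # settings below rely on when session state is not shared between them.
    ip_hash;
    server 127.0.0.1:11400;
    server 127.0.0.1:11401;
}

###
server {
    listen 443 ssl;
    server_name DOMAIN_NAME.TLD www.DOMAIN_NAME.TLD;

    ### SSL
    ssl_dhparam                 /etc/ssl/certs/dhparam.pem;
    ssl_certificate             /etc/letsencrypt/live/DOMAIN_NAME.TLD/fullchain.pem;
    ssl_certificate_key         /etc/letsencrypt/live/DOMAIN_NAME.TLD/privkey.pem;
    ssl_prefer_server_ciphers   on;
    # nginx time units are case-sensitive: "10M" is ten *months*, so the
    # previous value kept resumable TLS sessions alive for most of a year.
    # "10m" is ten minutes.
    ssl_session_timeout         10m;
    ssl_session_cache           shared:SSL:50m;
    # Tickets stay off: nginx does not rotate the ticket key, so a long-lived
    # key would weaken forward secrecy for resumed sessions.
    ssl_session_tickets         off;
    # OCSP stapling needs the issuer chain to verify the response and a
    # resolver to reach the OCSP responder; without a resolver nginx logs a
    # warning at startup and serves no staple. If the CA no longer operates an
    # OCSP responder, the staple is simply absent and clients fall back.
    ssl_stapling                on;
    ssl_stapling_verify         on;
    ssl_trusted_certificate     /etc/letsencrypt/live/DOMAIN_NAME.TLD/chain.pem;
    # resolver RESOLVER_IP valid=300s;   # uncomment with a resolver you trust
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and refused by current
    # browsers. Add TLSv1.3 once nginx is built against OpenSSL 1.1.1 or newer.
    ssl_protocols               TLSv1.2;
    # Cipher list kept as the author set it; note the AES256+EECDH/EDH groups
    # also admit CBC-mode suites for older clients.
    ssl_ciphers                 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    # HSTS: browsers that have seen this site use HTTPS for a year and refuse
    # to click through certificate errors. includeSubDomains is left off
    # because other subdomains of DOMAIN_NAME.TLD may not serve TLS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    ### cache control
    expires $expires;

    ### /
    location / {
        proxy_pass http://_DOMAIN_NAME_server;
        proxy_http_version 1.1;

        ### Prevent WebSocket Error "Lost connection to server each 60 seconds"
        # https://groups.google.com/forum/#!topic/peerjs/A8L0eYaC-2s
        proxy_read_timeout 86400s;
        proxy_send_timeout 86400s;

        ### Prevent Error "Unexpected response code: 400" during WebSocket handshake
        # https://github.com/socketio/socket.io/issues/1942#issuecomment-82352072
        # $connection_upgrade comes from the map above, so plain requests no
        # longer carry "Connection: upgrade" to the backend.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        ###
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
        proxy_set_header X-Real-IP         $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent; the backend must trust only the
        # last (rightmost) entry, the earlier ones are client-controlled.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Request-Start   $msec;
        # No access log for proxied requests: unless the backend logs each
        # request itself, nothing records who reached the application.
        access_log off;
    }

    ### letsencrypt
    # https://community.letsencrypt.org/t/how-to-nginx-configuration-to-enable-acme-challenge-support-on-all-http-virtual-hosts/5622
    ### Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
    # "root" appends the request URI, so tokens are read from
    # /PATH_NAME/www/_.letsencrypt/.well-known/acme-challenge/, which matches
    # the --webroot-path used in the certbot command above.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /PATH_NAME/www/_.letsencrypt;
    }
    ### Hide /acme-challenge subdirectory and return 404 on all requests.
    location = /.well-known/acme-challenge/ {
        return 404;
    }
}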