# Used this config to get a React FE (https)
# to speak with a Clojure BE (port 8001) over wss

# Plain-HTTP listener on IPv4 and IPv6. Whatever host name the request was
# sent for, the answer is a permanent redirect to the canonical https host,
# so nothing is ever served over cleartext.
server {
  server_name domain.com www.domain.com _;

  listen 80;
  listen [::]:80;

  # $request_uri keeps the original path and query string on the redirect
  return 301 https://domain.com$request_uri;
}

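# https listener for the www host (IPv4 and IPv6): permanently redirect to the
# canonical apex host. This is the https www -> apex redirect, not the
# http -> https redirect handled by the port-80 server above.
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  # "_" never matches a real Host/SNI name; names that match nothing are
  # routed to the default_server below, so the "_" entry is effectively a no-op.
  server_name www.domain.com _;

  # A server that listens with "ssl" needs its own certificate: nginx does not
  # inherit ssl_certificate from a sibling server, so without these the TLS
  # handshake for www.domain.com fails before the redirect is ever sent.
  # Same Let's Encrypt paths as the main server; the certificate must cover
  # both domain.com and www.domain.com.
  ssl_certificate /etc/.../fullchain.pem;
  ssl_certificate_key /etc/.../privkey.pem;

  # ssl_protocols / ssl_ciphers are likewise not inherited from the sibling
  # server below, so this server currently runs with nginx's defaults. To keep
  # both servers on the same policy, move those directives into the enclosing
  # http {} context (outside this file).

  # Send HSTS on the redirect too, so the www host itself is pinned. The
  # max-age (two years) is an example value; "always" also sends it on the 301.
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

  return 301 https://domain.com$request_uri;
}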

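# The main https server: serves the React build from `root` and proxies the
# websocket endpoint to the Clojure backend on port 8001.
server {
  # default_server also answers clients that send no or an unknown SNI name
  listen 443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;
  server_name domain.com;
  root /var/www/html;

  # TLS is enabled by the "ssl" parameter on the listen directives above. The
  # separate "ssl on;" directive was redundant there, was deprecated in nginx
  # 1.15.0 and is rejected by recent releases, so it has been dropped.

  # paths to certificate and key provided by Let's Encrypt
  ssl_certificate /etc/.../fullchain.pem;
  ssl_certificate_key /etc/.../privkey.pem;

  # TLS settings, originally based on
  # - https://cipherli.st/
  # - https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
  # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are flagged by current
  # scanners, so only 1.2 and 1.3 are offered. The TLSv1.3 token requires
  # nginx >= 1.13.0 built against OpenSSL >= 1.1.1; on an older build drop
  # that token and keep TLSv1.2 only.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
  ssl_ecdh_curve secp384r1;
  # session cache is shared across worker processes; session tickets are off
  # so resumption does not depend on a long-lived ticket key
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;
  # OCSP stapling; the resolver below is what nginx uses to reach the OCSP
  # responder. These are public resolvers queried over plain DNS — point this
  # at a local resolver if that is a concern.
  ssl_stapling on;
  ssl_stapling_verify on;
  ssl_dhparam /etc/.../dhparam.pem;
  resolver 8.8.8.8 8.8.4.4 valid=600s;
  resolver_timeout 5s;

  # security headers
  # HSTS requires a max-age directive; without it the header is invalid and
  # browsers ignore it entirely. 63072000 s (two years) is an example value —
  # choose the lifetime you are prepared to commit to. "always" also sends the
  # headers on non-2xx/3xx responses (error pages included). Note that
  # add_header is inherited by a location only if that location declares no
  # add_header of its own; /socket below declares none, so it inherits these.
  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
  add_header X-Frame-Options DENY always;
  add_header X-Content-Type-Options nosniff always;

  # websocket endpoint -> Clojure backend (plain http on loopback)
  location /socket {
    proxy_pass http://localhost:8001;
    proxy_redirect off;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Upgrade handling as in the nginx websocket documentation: HTTP/1.1 is
    # required for the Upgrade mechanism, and the Upgrade value is taken from
    # the client instead of being hard-coded, so an ordinary request to this
    # path is not turned into an upgrade request on its way to the backend.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    # idle websocket connections are kept open for up to one day (seconds)
    proxy_read_timeout 86400;
  }
}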