# - o30.oopen.de

server {
    listen 80;
    listen [::]:80;
    server_name o30.oopen.de;

    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name o30.oopen.de;

    # Include location directive for Let's Encrypt ACME Challenge
    #
    # Needed for (automated) updating certificate
    #
    include snippets/letsencrypt-acme-challenge.conf;

    # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    #
    # To generate a dhparam.pem file, run in a terminal
    #    openssl dhparam -dsaparam -out /etc/nginx/ssl/dhparam.pem 2048
    #
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # Eable session resumption to improve https performance
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # omit SSLv3 because of POODLE
    # omit SSLv3 because of POODLE
    # omit  TLSv1 TLSv1.1
    ssl_protocols TLSv1.2 TLSv1.3;

    # ECDHE better than DHE (faster)  ECDHE & DHE GCM better than CBC (attacks on AES)
    # Everything better than SHA1 (deprecated)
    #
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA';
    ssl_prefer_server_ciphers on;

    #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    #ssl_prefer_server_ciphers on;
    #ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

    add_header Strict-Transport-Security "max-age=31536000";

    ssl_certificate /var/lib/dehydrated/certs/o30.oopen.de/fullchain.pem;
    ssl_certificate_key /var/lib/dehydrated/certs/o30.oopen.de/privkey.pem;
    ssl_trusted_certificate /var/lib/dehydrated/certs/o30.oopen.de/chain.pem;

    root /var/www/o30.oopen.de;

    # ssi on with javascript for multidomain variables in config.js
    ssi on;
    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;
    error_page 404 /static/404.html;

    autoindex on;

   location ~ (\.sh)$ {
      add_header Content-Type text/html;
      gzip off;
      root /var/www/$server_name;
      autoindex on;
      fastcgi_pass unix:/var/run/fcgiwrap.socket;
      include /etc/nginx/fastcgi_params;
      fastcgi_param DOCUMENT_ROOT /var/www/$server_name;
      fastcgi_param SCRIPT_FILENAME /var/www/$server_name$fastcgi_script_name;
   }
}