server {
  listen 80;
  server_name ipfs.tic.cc;
  rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
  server_tokens off; # Enables or disables emitting nginx version on error pages and in the "Server" response header field.
}

server {
  listen 443 ssl;
  server_name ipfs.tic.cc;
  ssl_certificate /faronear/ipfsweb/ssl-fullchain.cer;
  ssl_certificate_key /faronear/ipfsweb/ssl-ipfs.tic.cc.key;
  
  server_tokens off;

  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:5m;
  # secure settings (A+ at SSL Labs ssltest at time of writing)
  # see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
  ssl_prefer_server_ciphers on;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

  location / {
    proxy_pass         http://127.0.0.1:8080;
    proxy_set_header   Host $host;
    proxy_set_header   X-Real-IP $remote_addr;
    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header   X-Forwarded-Host $server_name;
    proxy_set_header   X-Forwarded-Proto https;

    proxy_read_timeout  1200s;

    # used for view/edit office file via Office Online Server
    client_max_body_size 0;

    access_log      /faronear/ipfsweb/nginx-access.log;
    error_log       /faronear/ipfsweb/nginx-error.log;
  }

}