# For websockets
map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
}

# Configure upstream
upstream movienight {
        server localhost:8089;
}

# Secure redirect
server {
    server_name    example.com;
    listen         ipv4:80;
    listen         [ipv6]:80;
    return         301 https://$host$request_uri;

    # Uncomment this if you need to use the 'webroot' method with certbot. Make sure
    # that you also create the .well-known/acme-challenge directory structure in pleroma/priv/static and
    # that is is accessible by the webserver. You may need to load this file with the ssl
    # server block commented out, run certbot to get the certificate, and then uncomment it.
    #
    # location ~ /\.well-known/acme-challenge {
    #     root <path to install>/pleroma/priv/static/;
    # }
}

# movienight
server {
    server_name example.com;

    # Enable QUIC and HTTP/3.
    #listen ipv4:port quic reuseport;
    #listen [ipv6]:port quic reuseport;

    listen ipv4:443;
    listen [ipv6]:443 ssl http2;

    # TLS
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    #ssl_dhparam /etc/nginx/dhparam.pem; # generate with openssl dhparam -out /etc/nginx/dhparam.pem 4096
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_session_tickets off;
    ssl_session_timeout 10m;
    ssl_ecdh_curve X25519:prime256v1:secp384r1:secp521r1;
    ssl_ciphers "EECDH+CHACHA20:EECDH+AESGCM";


    # HTST
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

    # Cert
    ssl_trusted_certificate   /etc/nginx/certs/example.com/cert_ecc.pem;
    ssl_certificate           /etc/nginx/certs/example.com/cert_ecc.pem;
    ssl_certificate_key       /etc/nginx/certs/exaample.com/key_ecc.pem;

    # Allow unlimited upload
    client_max_body_size 0;

    # Headers
        # Add Alt-Svc header to negotiate HTTP/3.
        #add_header alt-svc 'h3-27=":port"; ma=86400';

    location / {
        proxy_pass http://movienight;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port  $server_port;
        add_header referrer-policy same-origin;
        add_header x-content-type-options nosniff;
        add_header x-download-options noopen;
        add_header x-frame-options self;
        add_header x-permitted-cross-domain-policies none;
        add_header x-xss-protection "1; mode=block;";

    }
}