# Thin serving Rails.
# The app server is bound to loopback only, so it is not reachable from
# outside this host; keep it that way (do not bind Thin to 0.0.0.0).
# fail_timeout=0: the conventional Rails/Thin/Unicorn setting meaning nginx
# does not mark the single backend as unavailable after a failed attempt and
# keeps sending requests to it (there is nothing else to fail over to).
# NOTE(review): confirm the exact fail_timeout=0 semantics against the docs
# of the installed nginx version.
upstream app_server {
  server 127.0.0.1:3050 fail_timeout=0;
}

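# SSL/TLS certificates.
# NOTE: 'openssl genrsa -des3 ...' produces a passphrase-encrypted key, which
# nginx cannot load unattended (it prompts on every start/reload). Generate
# the key unencrypted, e.g. 'openssl genrsa -out server.key 4096', and protect
# it with filesystem permissions instead (owned by root, mode 0600; the master
# process reads it before dropping privileges). If an encrypted key is
# required, use ssl_password_file; never put the passphrase in this config.
ssl_certificate_key /var/app/deploy/www.thisisatest.com.key;
ssl_certificate /var/app/deploy/www.thisisatest.com.chained.crt;

# Protocols: TLS 1.0 and 1.1 are deprecated (RFC 8996) and disallowed by
# PCI DSS, so only TLSv1.2 is enabled. Add TLSv1.3 here if the nginx/OpenSSL
# build supports it (nginx >= 1.13.0 built against OpenSSL >= 1.1.1); on an
# older build the token is rejected by 'nginx -t', so it is not added blind.
# Re-enabling TLSv1/TLSv1.1 should be a deliberate decision backed by client
# telemetry, not the default.
ssl_protocols TLSv1.2;

# SSL/TLS session caching/resumption.
# Session IDs are kept in the server-side shared cache. Session tickets are
# disabled: nginx encrypts tickets with a key that is only rotated on
# restart/reload, so one long-lived ticket key would undermine forward secrecy
# for every session resumed with it. (If tickets are needed, e.g. for a
# multi-node deployment, set ssl_session_ticket_key and rotate the key file.)
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 1d;
ssl_session_tickets off;

# Cipher suites: ECDHE (forward secrecy) first, with RSA key exchange kept
# only as a fallback for clients without ECDHE. 3DES (EECDH+3DES and RSA+3DES)
# has been removed: it is a 64-bit block cipher subject to the SWEET32
# birthday attack and is penalised by SSL Labs, so the old "checks out well on
# the Qualys test" no longer holds. The RSA-key-exchange suites have no forward
# secrecy; drop 'RSA+AES128:RSA+AES256' once client telemetry shows they are
# unused. '!aNULL' is explicit defence in depth (the keywords used already
# exclude anonymous suites).
ssl_prefer_server_ciphers on;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:RSA+AES128:RSA+AES256:!aNULL:!MD5;

# DH parameters (should be 4096 bit): 'openssl dhparam -out dhparams.pem 4096'
# (the subcommand is 'dhparam', singular). NOTE: the cipher list above has no
# DHE (EDH) suites, so this file is currently inert; it only takes effect if
# 'EDH+...' suites are added. Kept so that adding them later does not silently
# fall back to nginx's weaker built-in default group.
ssl_dhparam /var/app/deploy/dhparams.pem;

# SSL/TLS OCSP stapling. ssl_stapling_verify checks the stapled response
# against the CA chain in ssl_trusted_certificate, so a bad response is
# dropped rather than handed to clients.
ssl_stapling on;
ssl_stapling_verify on;
# This contains the root and intermediate certificates from the CA.
ssl_trusted_certificate /var/app/deploy/ca-certs.pem;
# Resolver used only for the OCSP responder lookup. Plain UDP DNS to Google's
# resolvers is acceptable here because the OCSP response itself is CA-signed
# and verified above, but a local caching resolver is preferable so stapling
# does not depend on an external service. 'valid=' caps how long nginx
# caches the answer regardless of the record's TTL.
resolver 8.8.4.4 8.8.8.8 valid=300s;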

# HTTP -> HTTPS redirect for both the bare and the www host.
# Everything arriving on port 80 is sent to the canonical https://www host;
# no content is ever served over plain HTTP. (HSTS is not set here on
# purpose: browsers ignore the header on non-TLS responses, so it lives on
# the 443 servers.) Being the only port-80 server, this is also the default
# for requests whose Host header matches neither name.
server {
  listen 80;
  server_name thisisatest.com www.thisisatest.com;
  return 301 https://www.thisisatest.com$request_uri;
}
# HTTPS bare domain redirect: canonicalise https://thisisatest.com to the
# www host. 'listen 443 ssl' means the scheme is always https, so the
# redirect target is spelled out literally.
server {
  listen 443 ssl;
  server_name thisisatest.com;
  # ssl_certificate/ssl_certificate_key are inherited from the enclosing
  # context, so the www certificate must carry thisisatest.com as a SAN;
  # otherwise browsers see a name mismatch before the redirect happens.
  # NOTE(review): confirm the SAN list of the deployed certificate.
  # 301 is among the statuses add_header applies to, so HSTS is sent.
  add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains';
  return 301 https://www.thisisatest.com$request_uri;
}

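# Main HTTPS vhost: serves statics/page cache directly and proxies the rest
# to the Rails upstream on loopback.
server {
  server_name www.thisisatest.com;

  # default_server: clients that send no SNI get this vhost and its
  # certificate.
  listen 443 ssl default_server deferred;

  # 4 GiB request bodies are accepted from unauthenticated clients, which is
  # an easy disk/time exhaustion lever. Lower this to what uploads actually
  # need, or scope the large limit to a dedicated upload location.
  client_max_body_size 4G;
  keepalive_timeout 40;

  root /var/app/public;

  error_page 500 502 503 504 /500.html;

  # Security headers. NOTE: add_header applies only to 2xx/3xx responses
  # unless the 'always' parameter (nginx >= 1.7.5) is given, so the error
  # page above is served without them; add 'always' once the installed
  # version is confirmed. The location blocks below declare no add_header of
  # their own, so these are inherited there.
  # SSL/TLS Strict Transport Security (HSTS)
  add_header Strict-Transport-Security 'max-age=31536000; includeSubdomains';

  # HPKP (Public-Key-Pins) is intentionally NOT set. The pin previously sent
  # here advertised a single key with no backup pin; RFC 7469 requires at
  # least two pins (one backup), so conforming browsers ignored it, and had
  # it been honoured it would have locked returning visitors out for the
  # 60-day max-age on any key rotation or compromise. Browsers have since
  # removed HPKP support entirely; use CAA records and Certificate
  # Transparency monitoring for mis-issuance detection instead.

  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;

  # Rails page caching setup (and other statics).
  # Anything under /var/app/public (including the page cache) is served
  # straight by nginx with no application check, so nothing sensitive may
  # live under that directory.
  location / {
    try_files /cache$uri.html $uri.html $uri @app;
  }

  # Serve from Rails.
  location @app {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    # The upstream is plain HTTP, so the app only learns the connection was
    # TLS from this header. Rails derives request.ssl? from X-Forwarded-Proto
    # (force_ssl redirects, the 'secure' cookie flag, https URL generation);
    # without it the app either redirect-loops on force_ssl or treats the
    # connection as cleartext.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Host $http_host;
    proxy_redirect off;

    proxy_pass http://app_server;
  }
}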