server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name cloud.tyil.nl;

	error_log  /var/log/nginx/cloud-error.log;
	access_log /var/log/nginx/cloud-access.log;

	ssl_certificate /etc/letsencrypt/live/cloud.tyil.nl/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/cloud.tyil.nl/privkey.pem;

	include /etc/nginx/snippets.d/ssl.conf;
	include /etc/nginx/snippets.d/certbot.conf;

	# Set timeouts
	fastcgi_read_timeout 300;
	proxy_read_timeout 300;

	# Set upload size
	client_max_body_size 200M;
	fastcgi_buffers 64 4K;

	# Add (security) headers
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Robots-Tag none;
	add_header X-Download-Options noopen;
	add_header X-Permitted-Cross-Domain-Policies none;
	add_header Referrer-Policy "no-referrer";
	add_header X-Frame-Options "SAMEORIGIN";
	add_header Strict-Transport-Security "max-age=63072000" always;

	# Remove headers
	fastcgi_hide_header X-Powered-By;

	# Enable gzip
	gzip off;
	gzip_vary on;
	gzip_comp_level 4;
	gzip_min_length 256;
	gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
	gzip_types
		application/atom+xml
		application/javascript
		application/json
		application/ld+json
		application/manifest+json
		application/rss+xml
		application/vnd.geo+json
		application/vnd.ms-fontobject
		application/x-font-ttf
		application/x-web-app-manifest+json
		application/xhtml+xml
		application/xml
		font/opentype
		image/bmp
		image/svg+xml
		image/x-icon
		text/cache-manifest
		text/css
		text/plain
		text/vcard
		text/vnd.rim.location.xloc
		text/vtt
		text/x-component
		text/x-cross-domain-policy
		;

	root /var/www/nl.tyil.cloud;

	location / {
		rewrite ^ /index.php?$request_uri;
	}

	location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}

	location ^~ /.well-known {
		rewrite ^/\.well-known/host-meta.json /public.php?service=host-meta.json last;
		rewrite ^/\.well-known/host-meta      /public.php?service=host-meta      last;
		rewrite ^/\.well-known/webfinger      /public.php?service=webfinger      last;
		rewrite ^/\.well-known/nodeinfo       /public.php?service=nodeinfo       last;

		location = /.well-known/carddav   { return 301 /remote.php/dav/; }
		location = /.well-known/caldav    { return 301 /remote.php/dav/; }

		#location ^~ /.well-known          { return 301 /index.php$uri; }

		try_files $uri $uri/ =404;
	}

	location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
		deny all;
	}

	location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
		deny all;
	}

	location ~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+)\.php(?:$|/) {
		fastcgi_split_path_info ^(.+?\.php)(/.*)$;
		include snippets.d/fcgi.conf;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_param HTTPS on;
		fastcgi_param modHeadersAvailable true;
		fastcgi_param front_controller_active true;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_intercept_errors on;
		fastcgi_request_buffering off;
	}

	location ~ ^/(?:updater|ocs-provider)(?:$|/) {
		try_files $uri/ =404;
		index index.php;
	}

	location ~ \.(?:css|js|woff|svg|gif)$ {
		try_files $uri /index.php$request_uri;
		add_header Cache-Control "public, max-age=15778463";
		add_header X-Content-Type-Options nosniff;
		add_header X-XSS-Protection "1; mode=block";
		add_header X-Robots-Tag none;
		add_header X-Download-Options noopen;
		add_header X-Permitted-Cross-Domain-Policies none; 
		access_log off;
	}

	location ~ \.(?:png|html|ttf|ico|jpg|jpeg)$ {
		try_files $uri /index.php$request_uri;
		access_log off;
	}
}