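# nginx front-end for a Ghost blog: terminates TLS, serves theme/static assets
# directly, and reverse-proxies everything else to Ghost on 127.0.0.1:2368.
worker_processes 2; # Set this equal to the number of CPU cores

events {
    worker_connections 768;
}

http {
    server_names_hash_bucket_size 64;
    types_hash_max_size 2048;
    server_tokens off; # keep the nginx version out of the Server header and error pages

    include mime.types;
    default_type application/octet-stream;

    # Clickjacking and MIME-sniffing protection. add_header is only inherited into
    # locations/servers that declare no add_header of their own; none below does,
    # so these two apply to every response.
    add_header X-Frame-Options SAMEORIGIN; # May prevent StumbleUpon from working
    add_header X-Content-Type-Options nosniff;

    sendfile on;
    keepalive_timeout 10;

    gzip on;
    gzip_comp_level 6;
    gzip_disable "msie6";
    gzip_min_length 150;
    gzip_proxied any;
    gzip_types text/plain text/xml text/css application/json application/javascript;
    gzip_vary on;

    # Response cache used by the proxied location below.
    proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=one:8m max_size=1000M inactive=60m;
    proxy_temp_path /var/tmp;

    # Upload limit for the Ghost admin (images etc.).
    client_max_body_size 20m;
    client_body_buffer_size 128k;

    upstream ghost_upstream {
        server 127.0.0.1:2368;
        keepalive 64;
    }

    server {
        listen 80;
        # spdy was removed in nginx 1.9.5; on newer builds use "http2" here instead.
        listen 443 default_server ssl spdy;
        server_name YOUR.DOMAIN.NAME;

        ssl_certificate /opt/nginx/conf/ssl-unified.crt;
        ssl_certificate_key /opt/nginx/conf/YOUR.DOMAIN.NAME.pem;

        # TLS hardening: SSLv3 (POODLE) and the RC4 cipher (biased keystream) were
        # removed from the original list, and the deprecated TLS 1.0/1.1 are no
        # longer offered. Add TLSv1.3 once nginx/OpenSSL on this host support it.
        # DH/EDH stay excluded because no ssl_dhparam is configured and the default
        # DH group on older OpenSSL builds is weak; ECDHE suites in HIGH still give
        # forward secrecy.
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES:!DH:!EDH;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        # Consider HSTS once the site is confirmed HTTPS-only. Declare it at the http
        # level next to the other add_header lines: an add_header placed here would
        # stop the http-level X-Frame-Options/nosniff headers from being inherited.
        # add_header Strict-Transport-Security "max-age=31536000";

        # Drop (connection closed, no response) anything but read/post methods.
        # NOTE(review): Ghost's admin API appears to use PUT/DELETE for editing
        # content, so this may break the /ghost/ admin — confirm before relying on it.
        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
            return 444;
        }

        # Canonical-host redirect; also handles requests that hit this default_server
        # with an unexpected Host header.
        if ($host != $server_name) {
            return 301 $scheme://$server_name$request_uri;
        }

        # Never serve databases, Handlebars templates, config files, dotfiles or
        # editor backup files from the document roots below. Regex locations are
        # matched in order, so the more specific /\.ht rule precedes /\. .
        location ~* \.(db|hbs|conf)$ {
            deny all;
        }
        location ~ /\.ht {
            deny all;
        }
        location ~ /\. {
            deny all;
        }
        location ~ ~$ {
            deny all;
        }

        location ~ ^/(sitemap\.xml|robots\.txt|favicon\.ico)$ {
            root /var/www/YOUR.DOMAIN.NAME/public;
            access_log off;
            log_not_found off;
        }

        # Static files served directly by Nginx (ModSecurity still inspects the
        # request; 30-day client caching, no access log).
        location ~ ^/assets/(img|js|css|fonts)/ {
            root /var/www/YOUR.DOMAIN.NAME/content/themes/casper;
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            expires 30d;
            access_log off;
        }

        location ~ ^/(img/|css/|lib/|vendor/|fonts/) {
            root /var/www/YOUR.DOMAIN.NAME/core/client/assets;
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            expires 30d;
            access_log off;
        }

        location ~ ^/(content/images/) {
            root /var/www/YOUR.DOMAIN.NAME;
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            expires 30d;
            access_log off;
        }

        location ~ ^/(shared/|built/) {
            root /var/www/YOUR.DOMAIN.NAME/core;
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            expires 30d;
            access_log off;
        }

        location ~ ^/public/ {
            root /var/www/YOUR.DOMAIN.NAME/core/built;
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            expires 30d;
            access_log off;
        }

        # Everything else goes to Ghost.
        location / {
            ModSecurityEnabled on;
            ModSecurityConfig modsecurity.conf;
            proxy_pass http://ghost_upstream;
            proxy_redirect off;
            proxy_read_timeout 180s;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;
            # Empty Connection header + HTTP/1.1 are required for the upstream keepalive pool.
            proxy_set_header Connection "";
            proxy_pass_header X-CSRF-TOKEN;
            proxy_http_version 1.1;
            # The cache key carries no session/cookie component, so keeping logged-in
            # (admin) responses out of the shared cache relies on the upstream sending
            # Cache-Control: private/no-cache or Set-Cookie, which nginx honours by
            # default because proxy_ignore_headers is not set here.
            proxy_cache one;
            proxy_cache_key "$scheme$host$request_uri";
            proxy_hide_header X-Powered-By;
        }

        location = /50x.html {
            root html;
        }

        #error_page 404 /404.html;
        error_page 500 502 503 504 /50x.html;
    }
}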