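##
# Process settings
##
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

##
# Extra nginx dynamic modules injection
##
# The ModSecurity connector is enabled below with "modsecurity on;". If the
# module is not loaded by one of the modules-enabled/*.conf files, nginx will
# refuse to start ("unknown directive modsecurity"); uncomment this line in
# that case.
#load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;

##
# nginx Core Configurations
##
events {
    worker_connections 1024;
    multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    types_hash_max_size 16384;
    # Hide the nginx version in the Server header and error pages.
    server_tokens off;
    server_names_hash_bucket_size 128;
    server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Upper bound for request bodies (uploads); requests above it get 413.
    client_max_body_size 100m;

    ##
    # Cloudflare visitor IP restoration
    ##
    # Only connections arriving from these Cloudflare ranges may rewrite the
    # client address via CF-Connecting-IP; a header sent from any other source
    # is ignored. Keep this list in sync with Cloudflare's published ranges,
    # otherwise new edge nodes will be logged (and rate-limited/ACL'd) as the
    # edge IP instead of the visitor IP.
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 103.22.200.0/22;
    set_real_ip_from 103.31.4.0/22;
    set_real_ip_from 104.16.0.0/12;
    set_real_ip_from 108.162.192.0/18;
    set_real_ip_from 131.0.72.0/22;
    set_real_ip_from 141.101.64.0/18;
    set_real_ip_from 162.158.0.0/15;
    set_real_ip_from 172.64.0.0/13;
    set_real_ip_from 173.245.48.0/20;
    set_real_ip_from 188.114.96.0/20;
    set_real_ip_from 190.93.240.0/20;
    set_real_ip_from 197.234.240.0/22;
    set_real_ip_from 198.41.128.0/17;
    set_real_ip_from 2400:cb00::/32;
    set_real_ip_from 2606:4700::/32;
    set_real_ip_from 2803:f800::/32;
    set_real_ip_from 2405:b500::/32;
    set_real_ip_from 2405:8100::/32;
    set_real_ip_from 2c0f:f248::/32;
    set_real_ip_from 2a06:98c0::/29;
    real_ip_header CF-Connecting-IP;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1.3;
    # Session tickets are disabled so resumption does not depend on a
    # long-lived ticket key that would undermine forward secrecy.
    ssl_session_tickets off;
    # NOTE: with TLSv1.3 only, ssl_dhparam and ssl_ciphers have no effect on
    # the negotiated suite (TLS 1.3 suites are fixed AEAD suites and key
    # exchange uses named groups). They are kept so that re-enabling TLSv1.2
    # later does not silently fall back to OpenSSL defaults.
    ssl_dhparam /etc/nginx/dhparam.pem;
    # SSL Cipher suite configuration
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    # OCSP Experimental configuration
    # ssl_stapling_verify checks the OCSP response against
    # ssl_trusted_certificate below; if the server certificate's issuer is not
    # in that file, stapling is silently disabled (look for "OCSP" warnings in
    # the error log).
    ssl_stapling on;
    ssl_stapling_verify on;
    # Resolver is used for OCSP responder lookups; queries are plain UDP DNS.
    resolver 1.1.1.1 1.0.0.1 valid=300s;
    resolver_timeout 5;
    # Cloudflare Authenticated Origin Pull
    # Declared at http level, so EVERY TLS server block (including the
    # catch-all and anything in conf.d / sites-enabled) requires a client
    # certificate chained to origin-pull-ca.pem. Direct connections that
    # bypass Cloudflare fail at the handshake, which is what makes trusting
    # CF-Connecting-IP above reasonable on port 443.
    ssl_trusted_certificate /etc/nginx/origin_ca_ecc_root.pem;
    ssl_client_certificate /etc/nginx/origin-pull-ca.pem;
    ssl_verify_client on;
    # SSL session Experimental configuration
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout 70;

    # Extra HTTP headers for security considerations
    # nginx inheritance gotcha: add_header directives here are inherited by a
    # server/location ONLY if that level declares no add_header of its own.
    # Any add_header inside an included file (e.g. https-fpm.incl) drops all
    # of these headers for that scope; re-declare them there if needed.
    # The CSP below allows 'unsafe-inline' and 'unsafe-eval' in script-src,
    # which removes most of its XSS protection; tighten per site once the
    # application's inline scripts are accounted for (nonces or hashes).
    add_header Content-Security-Policy "default-src https:; script-src https: 'unsafe-inline' 'unsafe-eval' blob: 'unsafe-inline'; frame-src https: data:; style-src https: 'unsafe-inline'; img-src https: data: blob:; media-src https: data: blob:; font-src https: data:; connect-src https: wss:; child-src https: blob:; object-src 'none'";
    add_header Permissions-Policy "interest-cohort=()";
    add_header Referrer-Policy "no-referrer";
    # HSTS with preload: only submit the domain to the preload list once every
    # subdomain is served over HTTPS, as the setting is hard to undo.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Content-Type-Options "nosniff";
    add_header X-Frame-Options "SAMEORIGIN";
    # X-XSS-Protection is a legacy header; current guidance is to rely on CSP
    # and set it to "0" or drop it, since the browser auditor it enables has
    # been removed from modern browsers and could introduce leaks in old ones.
    add_header X-XSS-Protection "1; mode=block";

    ##
    # nginx-specific ModSecurity Connector
    ##
    modsecurity on;
    modsecurity_rules_file /etc/nginx/modsec/main.conf;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    # Compressing responses that reflect attacker-controlled input next to
    # secrets (CSRF tokens etc.) exposes them to compression side channels;
    # keep gzip off for such dynamic responses at the location level.
    gzip on;

    ##
    # Default catch-all host
    ##
    # Marked default_server explicitly so that requests with an unknown or
    # missing Host/SNI land here regardless of the order in which
    # conf.d/*.conf and sites-enabled/* are included. Without the flag nginx
    # picks the first server block for each address:port, which happens to be
    # this one only as long as nothing included earlier also listens here.
    # (No other included file may also declare default_server for these
    # address:port pairs, or nginx reports a duplicate default server.)
    # A newer alternative for the 443 listeners is "ssl_reject_handshake on;",
    # which rejects unknown SNI at the handshake and needs no certificate.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name _;
        # SSL Certificate configuration
        ssl_certificate /path/to/certificate.pem;
        ssl_certificate_key /path/to/certificate.key;
        return 501;
    }

    ##
    # Example PHP website configuration
    ##
    # Default server rule for plain HTTP transport
    # This is to ensure HTTPS-only traffic
    server {
        listen 80;       # Listen to IPv4 on all interfaces
        listen [::]:80;  # Listen to IPv6 on all interfaces
        server_name example.org;
        return 301 https://example.org$request_uri;
    }

    # Main configuration for HTTPS site
    server {
        listen 443 ssl http2;       # Listen to IPv4 with http2 extension on all interfaces
        listen [::]:443 ssl http2;  # Listen to IPv6 with http2 extension on all interfaces
        server_name example.org;    # FQDN for the site
        # SSL Certificate configuration
        ssl_certificate /path/to/fullchain.pem;
        ssl_certificate_key /path/to/privkey.pem;
        root /path/to/script;                   # Path to script directory
        index index.php index.html index.htm;   # Index filenames
        # HTTPS php-fpm include (see the add_header inheritance note above).
        include /etc/nginx/https-fpm.incl;
    }

    ##
    # Virtual sites and additional configurations
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}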