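# Main nginx configuration: TLS termination, static hosting and reverse
# proxying for xiedeacc.com and youkechat.net.
#
# The http{} block holds the shared defaults (logging, compression, TLS
# parameters, OCSP stapling, response security headers). The server{} blocks
# below it redirect plain HTTP to HTTPS and then serve or proxy each hostname.
#
# Fixes relative to the previous revision:
#   * the default_server redirect produced "https://host//path" because
#     $request_uri already starts with "/" — the extra "/" is gone;
#   * the proxied client-address header was spelled "X-Real_IP" in two
#     locations and "X-Real-IP" in a third; all now use the standard
#     "X-Real-IP" spelling.

user nginx;
worker_processes auto;

events {
    multi_accept on;
    worker_connections 65535;
}

http {
    include /usr/local/nginx/conf.d/*.conf;
    include /usr/local/nginx/sites-enabled/*;
    include mime.types;
    default_type application/octet-stream;

    # Access-log format; X-Forwarded-For is logged as received and is
    # client-supplied, so treat it as untrusted when reading logs.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    charset utf-8;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    # Suppress the nginx version in the Server header and on error pages.
    server_tokens off;
    # NOTE(review): 650 s is a long idle keep-alive. Every idle client holds one
    # of the 65535 worker connections for that long; lower it if slots run out.
    keepalive_timeout 650;
    types_hash_max_size 2048;
    types_hash_bucket_size 64;
    # Request bodies up to 1 GiB are accepted everywhere unless a server{}
    # overrides it (code.xiedeacc.com below removes the limit entirely).
    client_max_body_size 1024M;
    server_names_hash_bucket_size 64;

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml text/javascript application/json application/javascript application/xml application/rss+xml application/atom+xml image/svg+xml;
    gzip on;

    # Per-client-address rate-limit zone. It is only *declared* here: no
    # server{} or location{} in this file applies it with
    # `limit_req zone=one ...;`, so nothing is currently throttled.
    limit_req_zone $binary_remote_addr zone=one:100m rate=10r/s;

    # TLS session resumption via the shared server-side cache only. Tickets
    # are disabled so that a leaked ticket key cannot decrypt resumed sessions
    # after the fact.
    ssl_session_timeout 5m;
    ssl_session_tickets off;
    ssl_session_cache shared:SSL:128m;
    ssl_prefer_server_ciphers on;
    # A single named curve for ECDHE; clients that only offer X25519 cannot
    # negotiate an ECDHE key exchange here.
    ssl_ecdh_curve secp384r1;
    #ssl_protocols TLSv1.3;
    #ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    # TLS 1.2 restricted to ECDHE + AEAD suites, plus TLS 1.3. ssl_ciphers
    # governs the TLS 1.2 list only; the TLS 1.3 suites are chosen by OpenSSL.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;

    #OCSP
    # OCSP stapling. Responder lookups use Google public DNS in the clear, with
    # a 60 s cache. ssl_stapling_verify validates the stapled response against
    # the chain in ssl_certificate, or ssl_trusted_certificate where a server
    # sets one. NOTE(review): in the collapsed original "#OCSP" may have been a
    # trailing comment on the same line as "ssl_stapling on;", which would have
    # disabled stapling — confirm against the deployed file.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=60s;
    resolver_timeout 2s;

    # Default response security headers ("always" also adds them to error
    # responses). add_header is not merged across levels: a server{} or
    # location{} that declares any add_header of its own replaces this whole
    # set — blog.xiedeacc.com below does exactly that and drops the CSP.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    # This policy permits any http:/https: origin, data:, blob: and inline
    # script, so it constrains schemes only and does not stop script injection.
    add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
    # One-year HSTS with includeSubDomains and preload for every name served
    # by this instance; every subdomain must therefore stay HTTPS-capable.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    #HSTS

    ##################################################################################################
    # Plain-HTTP listeners: every request is redirected to HTTPS.
    server {
        listen 80;
        listen [::]:80;
        server_name xiedeacc.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 80;
        listen [::]:80;
        server_name youkechat.net;
        return 301 https://$host$request_uri;
    }

    # Catch-all for Host values not matched above. $request_uri already begins
    # with "/", so it is appended without a separator. $host comes from the
    # client's Host header, i.e. the redirect target is whatever name the
    # client presented, not a fixed hostname.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        return 301 https://$host$request_uri;
    }
    ##################################################################################################

    #HTTPS server
    # WebSocket pass-through: send "Connection: upgrade" upstream only when the
    # client sent an Upgrade header, otherwise "Connection: close".
    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    # ssserver.youkechat.net: /sspath is proxied, WebSocket-capable, to a
    # loopback service on port 1080; all other paths fall through to nginx's
    # default handling for this server (no root is configured).
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name ssserver.youkechat.net;
        ssl_certificate /usr/local/nginx/conf/ssl/youkechat.net.fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/youkechat.net.key;

        location /sspath {
            proxy_redirect off;
            proxy_pass http://[::1]:1080;
            proxy_http_version 1.1;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

    #server {
    #    listen 443 ssl http2;
    #    listen [::]:443 ssl http2;
    #    server_name forsimple.youkechat.net;
    #    ssl_certificate /usr/local/nginx/conf/ssl/youkechat.net.fullchain.cer;
    #    ssl_certificate_key /usr/local/nginx/conf/ssl/youkechat.net.key;
    #    location /forsimple {
    #        proxy_redirect off;
    #        proxy_pass http://127.0.0.1:1090;
    #        proxy_http_version 1.1;
    #        proxy_set_header Host $http_host;
    #        proxy_set_header X-Real_IP $remote_addr;
    #        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    #        proxy_set_header Upgrade $http_upgrade;
    #        proxy_set_header Connection $connection_upgrade;
    #    }
    #}
    ##################################################################################################

    # xiedeacc.com: static site served from /data/www.
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name xiedeacc.com;
        ssl_certificate /usr/local/nginx/conf/ssl/xiedeacc.com.fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/xiedeacc.com.key;

        location / {
            root /data/www;
            index index.html;
        }
    }

    # ip.xiedeacc.com: echoes the connecting client's address as text/plain.
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name ip.xiedeacc.com;
        ssl_certificate /usr/local/nginx/conf/ssl/xiedeacc.com.fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/xiedeacc.com.key;

        location / {
            default_type text/plain;
            return 200 $remote_addr;
        }
    }

    # Backend for blog.xiedeacc.com.
    upstream halo {
        server 127.0.0.1:8090;
    }

    # blog.xiedeacc.com: reverse proxy to the halo upstream. This server
    # declares its own add_header set, which replaces the http{}-level set;
    # the CSP is deliberately left out here.
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name blog.xiedeacc.com;
        ssl_certificate /usr/local/nginx/conf/ssl/xiedeacc.com.fullchain.cer;
        ssl_certificate_key /usr/local/nginx/conf/ssl/xiedeacc.com.key;

        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Referrer-Policy "no-referrer-when-downgrade" always;
        #add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

        location / {
            proxy_pass http://halo;
            proxy_http_version 1.1;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
        }

        # Static media: cached 30 days client-side, not access-logged. No
        # proxy_set_header here, so the upstream receives Host "halo" and no
        # client-address headers for these requests.
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ {
            proxy_pass http://halo;
            expires 30d;
            access_log off;
        }
    }

    # unlock-music.youkechat.net: static web build. NOTE(review): the
    # certificate files are named for code.xiedeacc.com; this works only if
    # that certificate carries a SAN for unlock-music.youkechat.net — confirm.
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name unlock-music.youkechat.net;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/ca.cert.pem;
        ssl_certificate /usr/local/nginx/conf/ssl/code.xiedeacc.com.cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/ssl/code.xiedeacc.com.unencrypted.key.pem;

        location / {
            root /data/www/unlock-music/web/dist;
            index index.html;
        }
    }

    # code.xiedeacc.com: reverse proxy to a loopback service on port 10080.
    # Request-body size is unlimited here (client_max_body_size 0), so the
    # upstream must enforce its own limits. Upstream http:// redirects are
    # rewritten to https:// so clients are not sent back to plain HTTP.
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name code.xiedeacc.com;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/ca.cert.pem;
        ssl_certificate /usr/local/nginx/conf/ssl/code.xiedeacc.com.cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/ssl/code.xiedeacc.com.unencrypted.key.pem;

        location / {
            client_max_body_size 0;
            proxy_redirect http:// https://;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://127.0.0.1:10080;
        }
    }
}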