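# redirect http requests to https
server {
    listen 80;
    listen [::]:80;
    server_name SUB.praze.net;
    # $host echoes the client's Host header; if this server ever becomes the
    # default for port 80, prefer the literal name here so the redirect
    # target is never client-controlled.
    return 301 https://$host$request_uri;
}

server {
    root        /var/www/DIRECTORY;
    charset     utf-8;
    # may need to include this line if php is involved
    index       index.php;

    # IPv6 listener added to match the port-80 block above; without it IPv6
    # clients are redirected to an address nginx does not listen on.
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name SUB.praze.net;
    ssl_certificate /etc/letsencrypt/live/SUB.praze.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/SUB.praze.net/privkey.pem;

    # certbot settings, may not be required
    ssl_session_cache shared:le_nginx_SSL:10m;
    ssl_session_timeout 1440m;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    # The DHE-* suites at the end are only negotiable if ssl_dhparam is also
    # set (nginx >= 1.11 ships no built-in DH parameters); harmless otherwise.
    ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";

    location / {
        # NOTE: add_header directives are not inherited into any location
        # that defines its own add_header, and without "always" a header is
        # only sent on 2xx/3xx responses.
        add_header Access-Control-Allow-Origin "https://tre.praze.net";
        # EITHER for eluding search engines
        add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
        # OR
        add_header X-Robots-Tag "nofollow, noarchive";
        # EITHER for not sending referrer links ("no-referrer" is the spec
        # value; a misspelt policy is silently ignored by browsers)
        add_header Referrer-Policy "no-referrer";
        # OR
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        # This policy permits inline/eval script from any https: or data:
        # source, so it gives little XSS protection; tighten it per site.
        add_header Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Rating "RTA-5042-1996-1400-1577-RTA" always; # “restricted to adults”

        # include these lines if it is a systemd service running on a port
        proxy_pass http://127.0.0.1:PORT;
        proxy_set_header Host $host;
        # "Connection: upgrade" is sent on every request, not only WebSocket
        # upgrades; nginx's documented pattern is a map of $http_upgrade to
        # $connection_upgrade in the http context, if the backend minds.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # $remote_addr (not $proxy_add_x_forwarded_for) so the backend only
        # sees the peer nginx talked to, never a client-supplied chain.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # include this block if php is involved
    location ~ [^/]\.php(/|$) {
        # 404 here rather than handing a non-existent script name to php-fpm
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass   unix:/var/run/php/php-fpm.sock;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_index  index.php;
        include        fastcgi.conf;

        # security headers may need to live here if so: the add_header lines
        # from "location /" do not apply inside this block
    }

    location /favicon.ico {
        alias /var/www/DIRECTORY/favicon.png;
    }

    # Prefix match, so this also covers /PROTECTEDanything; use /PROTECTED/
    # for a directory. Regex locations win over prefix locations, so a request
    # for /PROTECTED/x.php is handled by the .php block above WITHOUT auth;
    # nest a php handler in here (or guard .php paths explicitly) if PHP is
    # in use. proxy_pass and add_header from "location /" are not inherited
    # here either.
    location /PROTECTED {
        auth_basic "Password required";
        # the nginx worker user must be able to read this file
        auth_basic_user_file /etc/apache2/.htpasswd;
    }

    # include this line if uploading big files
    client_max_body_size 40M;

    error_page 404 /SUBDIR/404.html;
    # etc

    # example redirects (including “permanent” makes it a 301 rather than a 302)
    # ^/OLD also matches /OLDER etc.; use ^/OLD$ or ^/OLD/ for an exact path
    rewrite ^/OLD /NEW permanent;
    # the trailing "?" stops the original query string being appended
    rewrite ^/OLD/(.*)$ /NEW/$1?;
}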