# This is the nginx config file for guix-hpc.bordeaux.inria.fr.

user nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log error;
pid        /var/run/nginx.pid;

pcre_jit   on;

events {
    worker_connections  1024;
}

http {
    include /etc/nginx/mime.types;
    default_type  application/octet-stream;

    # We need to specify all these or nginx picks its own directory to
    # store them, which doesn't work because the store is read-only.
    client_body_temp_path /var/run/nginx/body;
    proxy_temp_path       /var/run/nginx/proxy;
    fastcgi_temp_path     /var/run/nginx/fastcgi;
    uwsgi_temp_path       /var/run/nginx/uwsgi;
    scgi_temp_path        /var/run/nginx/scgi;

    access_log	/var/log/nginx/access.log;

    sendfile        on;

    # Maximum chunk size to send.  Partly this is a workaround
    # for <http://bugs.gnu.org/19939>, but also the nginx docs
    # mention that "Without the limit, one fast connection may
    # seize the worker process entirely."
    # <http://nginx.org/en/docs/http/ngx_http_core_module#sendfile_max_chunk>
    sendfile_max_chunk 1m;

    keepalive_timeout  65;

    server {
	listen       80;
	server_name  guix-hpc.bordeaux.inria.fr;
	access_log   /var/log/nginx/http.access.log;
	# location /private/draft {
	#   proxy_pass http://localhost:8080;
	#   proxy_redirect default;
	# }
	# location /static {	# fonts
	#   proxy_pass http://localhost:8080;
	#   proxy_redirect default;
	# }

	location / {
	  root /home/ludo/src/guix-hpc-web/site;
	}

	# For use by Certbot.
	location /.well-known {
	   root /var/www;
	}
    }
    server {
	listen       443 ssl;
	server_name  guix-hpc.bordeaux.inria.fr;

        ssl_certificate     /etc/letsencrypt/live/guix-hpc.bordeaux.inria.fr/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/guix-hpc.bordeaux.inria.fr/privkey.pem;

        # Make sure SSL is disabled.
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;

        # Disable weak cipher suites.
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Use our own DH parameters created with:
        #    openssl dhparam -out dhparams.pem 2048
        # as suggested at <https://weakdh.org/sysadmin.html>.
        ssl_dhparam         /etc/dhparams.pem;

	access_log   /var/log/nginx/http.access.log;

	location / {
	  root /home/ludo/src/guix-hpc-web/site;
	}

	# For use by Certbot.
	location /.well-known {
	   root /var/www;
	}
    }
    # server {
    # 	listen       8080;
    # 	server_name  guix-hpc.bordeaux.inria.fr;
    # 	access_log   /var/log/nginx/http.access.log;
    # 	rewrite ^/private/draft/(.*) /$1;
    # 	location / {
    # 	  root /home/ludo/src/guix-hpc-web/site;
    # 	}
    # }
}