# This is an example nginx config used to serve your Sandstorm server over
# SSL.  In fact, this is the actual config used by alpha.sandstorm.io as of
# this writing.
#
# Definitions like these should go in the "http" block of your nginx config.
# Replace "sandstorm.io" with your domain, and "alpha" with your host.

server {
  # Redirect http -> https.
  listen 80;
  server_name alpha.sandstorm.io;
  return 301 https://$host$request_uri$is_args$args;
}

# For WebSocket forwarding, we want to forward the `Connection` header.
# This "map" declaration helps with that.
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

# Configuration for Sandstorm shell.
server {
  listen 443;
  server_name alpha.sandstorm.io alpha-*.sandstorm.io;

  ssl on;
  ssl_certificate /etc/keys/sandstorm.crt;
  ssl_certificate_key /etc/keys/sandstorm.key;

  ssl_session_timeout 5m;

  # Configure SSL with forward secrecy and other goodies.
  # Ciphersuite taken from https://wiki.mozilla.org/Security/Server_Side_TLS
  # "Intermediate compatibility" as of 2015-06-04
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
  ssl_prefer_server_ciphers on;

  # HSTS prevents attackers from tricking you into connecting via HTTP in the
  # future, but if you actually intend to access the server via non-SSL in the
  # future then you should probably delete this line.
  add_header Strict-Transport-Security max-age=31536000;

  location / {
    proxy_pass http://127.0.0.1:6080;

    # Forward the Host header, which is used to route requests for
    # static content published from Sandstorm apps.
    proxy_set_header Host $http_host;

    # Forward WebSocket.
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }

  # Allow large spk uploads from the /install form and allow grains to receive large uploads.
  client_max_body_size 256M;
}