server {
	if ($host = passwords.theribbles.org) {
		return 301 https://$host$request_uri;
	} # managed by Certbot

	server_name passwords.theribbles.org;
	listen 80;
	listen [::]:80;
	return 404; # managed by Certbot
}

server {
	listen [::]:443 ssl; # managed by Certbot
	listen 443 ssl; # managed by Certbot

	server_name passwords.theribbles.org;

	# add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

	add_header Referrer-Policy same-origin;
	add_header X-Frame-Options DENY;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";

	# If you have the admin fileserver installed too behind this reverse proxy domain, add your fileserver URL e.g. https://fs01.example.com as connect-src too:
	# add_header Content-Security-Policy "default-src 'none';  manifest-src 'self'; connect-src 'self' https://static.psono.com https://api.pwnedpasswords.com https://storage.googleapis.com https://*.digitaloceanspaces.com https://*.s3.amazonaws.com; font-src 'self'; img-src 'self' data:; script-src 'self'; style-src 'self' 'unsafe-inline'; object-src 'self'";

	ssl_certificate /etc/letsencrypt/live/theribbles.org/fullchain.pem; # managed by Certbot
	ssl_certificate_key /etc/letsencrypt/live/theribbles.org/privkey.pem; # managed by Certbot
	include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
	ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

	client_max_body_size 256m;

	gzip on;
	gzip_disable "msie6";

	gzip_vary on;
	gzip_proxied any;
	gzip_comp_level 6;
	gzip_buffers 16 8k;
	gzip_http_version 1.1;
	gzip_min_length 256;
	gzip_types text/plain text/css application/json application/x-javascript application/javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

	index index.html;
	try_files $uri /index.html;

	location / {
		add_header Pragma public;
		add_header Cache-Control "public";

		root /var/www/html/psono/webclient;
	}

	location /portal {
		add_header Pragma public;
		add_header Cache-Control "public";

		alias /var/www/html/psono/admin-webclient;
	}

	location /server {
		rewrite ^/server/(.*) /$1 break;
		proxy_set_header        Host $host;
		proxy_set_header        X-Real-IP $remote_addr;
		proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header        X-Forwarded-Proto $scheme;

		add_header Last-Modified $date_gmt;
		add_header Pragma "no-cache";
		add_header Cache-Control "private, max-age=0, no-cache, no-store";
		if_modified_since off;
		expires off;
		etag off;

		proxy_pass          http://127.0.0.1:10040;
	}

}