#  Basic configuration
user nginx;
worker_processes  1;
error_log /dev/stderr info;
pid /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    # Standard HTTP configuration with slight hardening
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /dev/stdout;
    sendfile on;
    keepalive_timeout  65;
    server_tokens off;

    server {
      listen 80;
      listen 443 ssl;

      # TLS configuration hardened according to:
      # https://bettercrypto.org/static/applied-crypto-hardening.pdf
      ssl_protocols TLSv1.1 TLSv1.2;
      ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
      ssl_prefer_server_ciphers on;
      ssl_session_timeout 5m;
      ssl_session_cache shared:SSL:50m;
      ssl_certificate /tmp/snakeoil.pem;
      ssl_certificate_key /tmp/snakeoil.pem;

      add_header Strict-Transport-Security max-age=15768000;

      if ($scheme = http) {
        return 301 https://$host$request_uri;
      }

      location /.well-known/acme-challenge {
        proxy_pass http://admin:8081;
      }
    }
}