server {

    listen  80 default_server;
    listen  [::]:80 default_server;

    server_name _;

    expires off;
    etag off;
    if_modified_since off;

    gzip on;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_types *;
    gunzip on;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;

        return 301 https://$host$request_uri;
    }

    location /.well-known/acme-challenge/ {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    if ($request_method !~ ^(GET|HEAD|POST)$ )
    {
       return 405;
    }
}

server {

    listen  443 ssl default_server;
    listen  [::]:443 ssl default_server;

    server_name _;

    http2 on;

    ssl_certificate /etc/nginx/certs/mpp/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/mpp/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ECDHE-ARIA256-GCM-SHA384:DHE-RSA-ARIA256-GCM-SHA384:ECDHE-ARIA128-GCM-SHA256:DHE-RSA-ARIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-CCM8:DHE-RSA-AES128-CCM';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 180m;

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/certs/mpp/chain.pem;

    expires off;
    etag off;
    if_modified_since off;

    gzip on;
    gzip_min_length 1000;
    gzip_proxied any;
    gzip_types *;
    gunzip on;

    location / {
        proxy_pass http://127.0.0.1:5000/;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/ {
        proxy_pass http://127.0.0.1:3000/api/;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /uploads/ {
        proxy_pass http://127.0.0.1:3000/uploads/;
        proxy_set_header Host $http_host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE)$ )
    {
       return 405;
    }
}