#DO NOT CHANGE THIS FILE
#Use as template and copy to /etc/nginx/vhosts.d/servername.conf

#Reverse Proxy
#See /etc/nginx/conf.d/default.conf for proxy servers
server {
    listen                                 REPLACE_ONION_PORT;
    server_name                            REPLACE_ONION_SITE;
    keepalive_timeout                      75 75;
    access_log                             /data/logs/nginx/access.REPLACE_ONION_SITE.log;
    error_log                              /data/logs/nginx/error.REPLACE_ONION_SITE.log info;
    client_max_body_size                   0;
    send_timeout                           3600;
    add_header X-Frame-Options             "SAMEORIGIN" always;
    add_header X-XSS-Protection            "1; mode=block" always;
    add_header X-Content-Type-Options      "nosniff" always;
    add_header Referrer-Policy             "no-referrer-when-downgrade" always;
    add_header Strict-Transport-Security   "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy     "script-src 'self' 'unsafe-inline' 'unsafe-eval' *; frame-src 'self' *; object-src 'self'" always;
    root                                   REPLACE_ONION_WWW_DIR;
    index                                  index.php index.html index.cgi index.pl index.aspx index.txt index.json index.unknown.php index.default.php;

    location / {
        root                               REPLACE_ONION_WWW_DIR;
    }
    location ^~ /favicon.ico {                                                                                                                        
        alias                              REPLACE_SERVER_WWW_DIR/favicon.ico;                                                                   
        allow                              all;                                                                                              
        access_log                         off;                                                                                                        
        log_not_found                      off;                                                                                                        
    }                                                                                                                                              
    location ^~ /robots.txt {                                                                                                                         
        default_type                       "text/plain";
        alias                              REPLACE_SERVER_WWW_DIR/robots.txt;                                                                    
        allow                              all;                                                                                              
        access_log                         off;                                                                                              
        log_not_found                      off;                                                                                              
    }                                                                                                                                    
    location ^~ /.well-known {
        default_type                       "text/plain";
        alias                              REPLACE_SERVER_WWW_DIR/.well-known;
        allow                              all;                                                                                              
        access_log                         off;                                                                                                        
        log_not_found                      on;                                                                                                        
    }
    location ^~ /.well-known/security.txt {                                                                                                                         
        default_type                       "text/plain";
        alias                              REPLACE_SERVER_WWW_DIR/security.txt;                                                                    
        allow                              all;                                                                                              
        access_log                         off;                                                                                              
        log_not_found                      off;                                                                                              
    }                                                                                                                                    
    location ^~ /health {
        default_type                       "text/plain";
        allow                              all;
        access_log                         off;
        return                             200 'ok';
    }
    location ^~ /health/txt {
        default_type                       "text/plain";
        allow                              all;
        access_log                         off;
        return                             200 'ok';
    }        
    location ^~ /health/json {
        default_type                       "application/json";
        allow                              all;
        access_log                         off;
        return                             200 '{"status":"OK"}';
    }
}
