server {
	include	mime.types;
	default_type application/octet-stream;

	listen 444 ssl;
	listen [::]:444 ssl;

	ssl_certificate /etc/letsencrypt/live/{{ lets_encrypt_domains[0] }}/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/{{ lets_encrypt_domains[0] }}/privkey.pem;

	server_name www.brentj.es brentj.es www.alexstrasza.kassala.de alexstrasza.kassala.de;

	# Add headers to serve security related headers
	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
	add_header X-Content-Type-Options nosniff;
	add_header X-Frame-Options "SAMEORIGIN";
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Robots-Tag none;

	# Path to the root of your installation
	root /usr/share/webapps/owncloud;
	# set max upload size
	client_max_body_size 10G;
	fastcgi_buffers 64 4K;

	# Disable gzip to avoid the removal of the ETag header
	gzip off;

	# Uncomment if your server is build with the ngx_pagespeed module
	# This module is currently not supported.
	#pagespeed off;

	rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
	rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
	rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

	index index.php;
	error_page 403 /core/templates/403.php;
	error_page 404 /core/templates/404.php;

	location = /robots.txt {
		allow all;
		log_not_found off;
		access_log off;
	}

	location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){
		deny all;
	}

	location / {
		# The following 2 rules are only needed with webfinger
		rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
		rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

		rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
		rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

		rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

		try_files $uri $uri/ /index.php;
	}

	location ~ \.php(?:$|/) {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		include fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO $fastcgi_path_info;
		fastcgi_param HTTPS on;
		fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
		# Unix domain sockets are faster than TCP sockets
		fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
	}

	# Optional: set long EXPIRES header on static assets
	location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {
		expires 30d;
		# Optional: Don't log access to assets
		access_log off;
	}

}