server {
        add_header Cache-Control "public";
        add_header X-Frame-Options "DENY";
        access_log /var/log/nginx/access.log; # main buffer=32k;
        #access_log /var/log/nginx/cache.log cache;
        error_log /var/log/nginx/error.log error;
        expires 1h;
        listen 443 ssl http2; #sndbuf=128k;
        limit_req zone=gulag burst=1000 nodelay;
        server_name repo.secmayl.com repo.manios.ca;
        resolver 192.168.0.1;

        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Frame-Options SAMEORIGIN;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #proxy_cache webcache;
        #proxy_cache_key $scheme$host$request_uri;
        #proxy_cache_valid 200 301 302 304 120m;
        #xproxy_cache_valid any 1m;

        # ssl settings. use publicly trusted cert (let's encrypt) with public traffic
#       ssl on;
        ssl_certificate /root/.acme.sh/repo.secmayl.com/repo.secmayl.com.cer;
        ssl_certificate_key /root/.acme.sh/repo.secmayl.com/repo.secmayl.com.key;

        ssl_session_timeout 5m;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH;
        ssl_ecdh_curve secp384r1;
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /usr/home/chucklz/certs/dh-4096.pem;

        # Only allow GET, HEAD and POST request methods. Since this a proxy you may
        # want to be more restrictive with your request methods. The calls are going
        # to be passed to the back end server and nginx does not know what it
        # normally accepts, so everything gets passed. If we only need to accept GET
        # HEAD and POST then limit that here.
        if ($request_method !~ ^(GET|HEAD|POST)$ ) {
                return 403;
        }

        # user forum. This goes to a different server then the standard we cluster for example.
        #location /forum/ {
        #       proxy_pass http://192.168.1.201/forum/;
        #}

        ## Do not cache any requests using our cgi paths. The http_my_secret_header
        ## is not used and is just a place holder if you need this function.
        #location ~* (/cgi/||/authorized/|/restrict/) {
        #       expires epoch;
        #       proxy_no_cache 1;
        #       proxy_cache_bypass $http_my_secret_header;
        #       proxy_pass http://backend_web_servers;
        #}

        # acme challenge location
        location ^~ /.well-known/acme-challenge/ {
                root /usr/local/www/letsencrypt;
        }

        # hide dir on all requests
        location = /.well-known/acme-challenge/ {
                return 404;
        }

        # default htdocs
        location / {
                ## redirect host going to www to non-www hostname
                #if ($host ~* ^(www\.example\.com)$ ) {
                #       return 301 https://example.com$uri;
                #}
                #proxy_pass http://backend_web_servers;

                proxy_redirect off;
                proxy_set_header X-Forwarded-Host $http_host;
                proxy_pass https://$host$request_uri;
        }

        ## All other errors get the generic error page
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497 500 501 502 503 504 505 506 507 /error_page.html;
        #location  /error_page_example_com.html {
        location /error_page.html {
                internal;
        }
}