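# Main nginx configuration: global process settings, one `events` block and
# one `http` block (TLS defaults, MIME types, log formats, virtual-host
# includes).  The file had been collapsed onto a handful of physical lines,
# which turned every directive following a `#` on the same line into comment
# text; it is restored here to one directive per line so that nothing is
# silently commented out.

# XXX info contains seemingly-unescaped binary user input from bad requests.
#error_log /var/log/nginx/error.log info;
error_log /var/log/nginx/error.log notice;
#error_log /var/log/nginx/error.log warn;

pid /var/run/nginx.pid;
user www-data;
worker_processes auto;

events {
    # The default is 512. Ubuntu uses 768. nginx.org uses 1024. Shrug.
    worker_connections 1024;
}

http {
    # XXX Proper .svgz support. This requires:
    # * Setting Content-Type, which 'types' will happily do
    # * Setting Content-Encoding: gzip. ???
    # * Not double-gzipping it. ???

    # XXX 403 .htaccess, .htpasswd, .php, .php4 and .php5, just to be safe.

    # XXX us-ascii for .asc files
    charset utf-8;
    charset_types
        application/atom+xml
        application/ecmascript
        application/javascript
        application/rdf+xml
        application/rss+xml
        application/xhtml+xml
        application/xml
        image/svg+xml
        text/css
        text/plain
        ;

    #default_type application/octet-stream;

    # NOTE(review): gzip is enabled here at http level, so it also applies to
    # responses sent over TLS, and nginx compresses text/html regardless of
    # gzip_types.  Compressing a page that carries a secret next to
    # attacker-reflected input exposes that page to BREACH-style length
    # inference; any site served from sites-enabled/ that does that should
    # disable gzip for those responses.
    gzip on;
    # gzip_comp_level 6;
    gzip_proxied any;
    gzip_types
        application/atom+xml
        application/ecmascript
        application/javascript
        application/json
        application/pdf
        application/rdf+xml
        application/rss+xml
        application/x-tar
        application/xhtml+xml
        application/xml
        application/xrds+xml
        image/svg+xml
        image/vnd.microsoft.icon
        text/css
        text/plain
        ;
    gzip_vary on;

    #keepalive_timeout 65;

    # I'm not currently doing any SSL proxying, so these are simple and
    # conservative defaults.
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); only 1.2 is offered to
    # upstreams.  Add newer versions here only once the installed nginx and
    # OpenSSL accept them, otherwise the configuration fails to load.
    proxy_ssl_protocols TLSv1.2;
    # Same as "The above, with non-PFS suites added because CloudFront sucks",
    # with aRSA preferred over ECDSA for the obvious performance reasons. (aRSA
    # is faster for clients, and ECDSA is faster for servers.)
    proxy_ssl_ciphers EECDH+aRSA+AES128:EECDH+AES128:EECDH+aRSA+AES:EECDH+AES:EDH+aRSA+AES128:EDH+aRSA+AES:EDH+aRSA+CAMELLIA128:EDH+aRSA+SEED:EDH+aRSA+CAMELLIA:RSA+AES128:RSA+AES:RSA+CAMELLIA128:RSA+SEED:RSA+CAMELLIA;

    sendfile on;

    # server_names_hash_bucket_size 64;

    #
    # Qualys 2013-08-21 plus modifications listed below.
    #
    # See also proxy_ssl_* above.
    #
    # XXX Holy line wrapping, Batman.
    #
    # XXX OpenSSL lists SEED as "MEDIUM", not "HIGH" like all the others. Why?
    #
    # Qualys with RC4.
    #ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
    # Qualys without RC4.
    #ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    # By me. Same ciphers as above, but with 128-bit ciphers preferred over
    # 256-bit and BEAST ignored (e.g. choosing AES-128-CBC over AES-256-GCM).
    # However, AES-256 is preferred over Camellia-128 and SEED, since it seems
    # to be faster, even without AES-NI.
    #ssl_ciphers EECDH+ECDSA+AES128:EECDH+AES128:EECDH+ECDSA+AES:EECDH+AES:EDH+aRSA+AES128:EDH+aRSA+AES:EDH+aRSA+CAMELLIA128:EDH+aRSA+SEED:EDH+aRSA+CAMELLIA;
    # The above, with non-PFS suites added because CloudFront sucks. :(
    # 2013-11-29: Using it out of curiosity. I don't need CloudFront ATM.
    # NOTE(review): the trailing RSA+* groups are plain-RSA key exchange, i.e.
    # no forward secrecy; they are only reached by clients that offer nothing
    # from the EECDH/EDH groups ahead of them (ssl_prefer_server_ciphers is
    # on below).
    ssl_ciphers EECDH+ECDSA+AES128:EECDH+AES128:EECDH+ECDSA+AES:EECDH+AES:EDH+aRSA+AES128:EDH+aRSA+AES:EDH+aRSA+CAMELLIA128:EDH+aRSA+SEED:EDH+aRSA+CAMELLIA:RSA+AES128:RSA+AES:RSA+CAMELLIA128:RSA+SEED:RSA+CAMELLIA;
    # The above, with non-ECC preferred for NSA paranoia and fun. (ECC is still
    # preferred over non-PFS, though.)
    #ssl_ciphers EDH+aRSA+AES128:EDH+aRSA+AES:EDH+aRSA+CAMELLIA128:EDH+aRSA+SEED:EDH+aRSA+CAMELLIA:EECDH+aRSA+AES128:EECDH+aRSA+AES:EECDH+AES128:EECDH+AES:RSA+AES128:RSA+AES:RSA+CAMELLIA128:RSA+SEED:RSA+CAMELLIA;

    # I added 2048-bit DH parameters. The default of 1024-bit is becoming
    # insecure (as with RSA), but 2048-bit parameters have some client
    # compatibility issues. Qualys and I are making the opposite trade-off.
    # The path is relative to the nginx prefix directory.  Generate the group
    # locally rather than copying a published one, so that precomputation
    # against a widely shared group does not apply to this host.
    ssl_dhparam dhparam.pem;
    ssl_prefer_server_ciphers on;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the
    # list; clients that cannot speak 1.2 no longer connect.  Add newer
    # versions only once the installed nginx/OpenSSL accept them.
    ssl_protocols TLSv1.2;
    ssl_session_cache shared:1:1m;
    #ssl_stapling on;

    tcp_nopush on;

    types {
        application/atom+xml                  atom;
        application/ecmascript                es;
        application/javascript                js;
        application/json                      json;
        application/octet-stream              bin egg iso lrz;
        application/ogg                       ogx;
        application/pdf                       pdf;
        application/pgp-signature             sig;
        application/rdf+xml                   rdf;
        application/rss+xml                   rss;
        application/x-7z-compressed           7z;
        application/x-bittorrent              torrent;
        application/x-bzip2                   bz2 tbz2;
        application/x-gzip                    gz tgz;
        application/x-lzma                    lzma;
        application/x-tar                     tar;
        application/x-xpinstall               xpi;
        application/x-xz                      xz;
        application/xhtml+xml                 xhtml;
        application/xml                       xml;
        application/xrds+xml                  xrds;
        application/zip                       zip;
        audio/mpeg                            mp3;
        audio/ogg                             oga ogg opus spx;
        audio/x-flac                          flac;
        image/gif                             gif;
        image/jpeg                            jpeg jpg;
        image/png                             png;
        # XXX .svgz disabled. See above.
        #image/svg+xml                        svg svgz;
        image/svg+xml                         svg;
        image/vnd.microsoft.icon              ico;
        text/css                              css;
        text/html                             htm html;
        text/plain                            asc conf diff log patch phps pys txt;
        video/ogg                             ogv;
        video/quicktime                       mov;
        video/webm                            webm;
    }

    #types_hash_max_size 2048;

    # Replace blank variables with -
    #
    # map $foo $foo_h {
    #     default $foo;
    #     "" -;
    # }
    map $host $host_h {
        default $host;
        "" -;
    }
    map $https $https_h {
        default $https;
        "" -;
    }
    # realip eats the port.
    map $remote_port $remote_port_h {
        default $remote_port;
        "" -;
    }
    map $spdy $spdy_h {
        default $spdy;
        "" -;
    }

    log_format 11 '$remote_addr $remote_port_h "$http_host" $server_addr $server_port '
                  '"$server_name" $connection $connection_requests $https_h '
                  '$ssl_protocol $spdy_h "$remote_user" [$time_iso8601] "$request" '
                  '$status $bytes_sent $body_bytes_sent $gzip_ratio "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" "$ssl_cipher"';

    # $ssl_session_id is fixed in 1.5.9. Before, it had the whole *session*!
    # Update: On the other hand, in 1.5.9, it can crash the worker!
    # NOTE(review): $ssl_session_id is the identifier a client presents to
    # resume a cached session, so access13.log and accesstmp.log below hold
    # material that should be treated as sensitive and retired once this
    # experiment is over.
    log_format 13 '$remote_addr $remote_port_h "$http_host" $server_addr $server_port '
                  '"$server_name" $connection $connection_requests $https_h '
                  '$ssl_protocol $spdy_h "$remote_user" [$time_iso8601] "$request" '
                  '$status $bytes_sent $body_bytes_sent $gzip_ratio "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for" "$ssl_cipher" '
                  '"$ssl_session_id"';
    log_format tmp '$ssl_session_id';

    log_format lighttpd '$remote_addr $host_h $remote_user [$time_local] "$request" $status '
                        '$body_bytes_sent "$http_referer" "$http_user_agent"';

    access_log /var/log/nginx/access.log lighttpd;
    access_log /var/log/nginx/access11.log 11;
    access_log /var/log/nginx/access13.log 13;
    access_log /var/log/nginx/accesstmp.log tmp;

    #include conf.d/*.conf;
    #include resolv.conf;
    include sites-enabled/*;
}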