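# nginx front end: plain-HTTP listeners that answer ACME challenges and
# redirect everything else to HTTPS, a TLS vhost that proxies to the
# application on 127.0.0.1:9000, and a TLS vhost for static files whose
# /data/deleted/ and /data/replacements/ trees are gated by HMAC-signed URLs.
#
# This file embeds the HMAC secrets below, so it should be readable only by
# the account that loads the configuration.

user www;
worker_processes 3;

# Third-party module providing the secure_link_hmac* directives used below.
load_module "modules/ngx_http_hmac_secure_link_module.so";

worker_rlimit_nofile 1024;

events {
    worker_connections 800;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # ---- Port 80: ACME challenge + redirect to HTTPS (main site) ----
    # This is the first server on port 80 and none is marked default_server,
    # so it also receives requests whose Host header matches no server_name.
    server {
        listen 80;
        listen [::]:80;
        server_name example.com;

        location /.well-known/acme-challenge/ {
            alias /acme/;
        }

        location / {
            # Build the redirect target from the configured server name, not
            # from the client-supplied Host header, so the Location header
            # cannot be pointed at an arbitrary host.
            return https://$server_name$request_uri;
        }
    }

    # ---- Port 80: ACME challenge + redirect to HTTPS (static host) ----
    server {
        listen 80;
        listen [::]:80;
        server_name static1.example.com;

        location /.well-known/acme-challenge/ {
            alias /acme/;
        }

        location / {
            # Same reasoning as the main-site redirect: never echo the
            # request's Host header into the redirect target.
            return https://$server_name$request_uri;
        }
    }

    # ---- Port 443: main site, static files first, then the app ----
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name example.com;

        root /e621ng/public-packs;
        index index.html;
        client_max_body_size 512m;

        ssl_certificate /etc/ssl/example.com.fullchain.pem;
        ssl_certificate_key /etc/ssl/private/example.com.key;
        # NOTE(review): no ssl_protocols directive is set, so the accepted TLS
        # versions are whatever this nginx build defaults to. Confirm that
        # legacy protocol versions are not offered.
        ssl_ciphers HIGH+kEECDH:!aNULL;
        ssl_prefer_server_ciphers on;

        # The trailing "/" on proxy_pass replaces the matched location prefix,
        # so the upstream on port 8118 is requested at "/".
        location /tags/autocomplete.json {
            proxy_pass http://127.0.0.1:8118/;
            proxy_redirect off;
        }

        location @app_server {
            proxy_pass http://127.0.0.1:9000;
            proxy_redirect off;

            # X-Real-IP is set by nginx from the TCP peer address.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host:$server_port;
            # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For
            # the client sent; only the last entry is added by this proxy, so
            # the application should not trust earlier entries.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location / {
            # Serve a file from root if one exists, else hand off to the app.
            try_files $uri @app_server;
        }

        error_page 404 /404.html;
        error_page 500 502 503 504 /500.html;
    }

    # NOTE(review): this upstream is defined but no proxy_pass in this file
    # refers to it by name; @app_server proxies to the literal address.
    upstream app_server {
        server 127.0.0.1:9000;
    }

    # ---- Port 443: static host ----
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name static1.example.com;

        root /e621ng/public;

        ssl_certificate /etc/ssl/static1.example.com.fullchain.pem;
        ssl_certificate_key /etc/ssl/private/static1.example.com.key;
        # NOTE(review): as on the main vhost, ssl_protocols is left at the
        # nginx default. Confirm which protocol versions are enabled.
        ssl_ciphers HIGH+kEECDH:!aNULL;
        ssl_prefer_server_ciphers on;

        # Public, immutable assets: cache as long as possible. The two
        # longer-prefix locations below take precedence for their subtrees,
        # so "expires max" does not apply to them.
        location /data {
            expires max;
            break;
        }

        # Signed-URL gate for deleted files.
        location /data/deleted/ {
            add_header Cache-Control "private";

            # Token and time value come from the "auth" and "expires" query
            # arguments.
            # NOTE(review): how the module interprets the second field depends
            # on the module version; confirm against the module that is loaded.
            secure_link_hmac $arg_auth,$arg_expires;

            # Placeholder: replace with a long random secret before deploying,
            # and keep it out of version control.
            secure_link_hmac_secret "DANBOORU_PROTECTED_FILE_SECRET GOES HERE";

            # The signed message covers the normalized URI and the "uid" query
            # argument, so a token is bound to one path and one uid value.
            # nginx does not check that uid belongs to the requester; that
            # binding is presumably enforced where links are issued.
            secure_link_hmac_message "$secure_link_hmac_expires|$uri|$arg_uid";

            # NOTE(review): HMAC-MD5 is a legacy choice. Moving to sha256
            # requires changing the code that signs these URLs in the same
            # deployment, so the digest is left unchanged here.
            secure_link_hmac_algorithm md5;

            # Fail closed: only the explicit "valid" result is let through.
            # This still rejects the "" and "0" results and additionally
            # rejects any other unexpected value.
            if ($secure_link_hmac != "1") {
                return 403;
            }
        }

        # Signed-URL gate for replacement files. Same scheme as the deleted
        # files location, with a separate secret.
        location /data/replacements/ {
            add_header Cache-Control "private";

            secure_link_hmac $arg_auth,$arg_expires;

            # Placeholder: replace with a long random secret, different from
            # the one used for /data/deleted/.
            secure_link_hmac_secret "DANBOORU_REPLACEMENT_FILE_SECRET GOES HERE";

            secure_link_hmac_message "$secure_link_hmac_expires|$uri|$arg_uid";

            # NOTE(review): legacy digest; change only together with the
            # URL-signing side.
            secure_link_hmac_algorithm md5;

            # Fail closed: anything other than the "valid" result is refused.
            if ($secure_link_hmac != "1") {
                return 403;
            }
        }
    }
}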