hfase01/nginx.conf

## nginx.conf
worker_processes 8;
pid /var/run/nginx.pid;
events {
  worker_connections  4096;
}
http {
	include       mime.types;
	default_type  application/octet-stream;
	sendfile on;
	keepalive_timeout  65;
	server_tokens off;
	gzip	      on;
	gzip_comp_level   6;
	gzip_vary on;
	gzip_proxied      any;
	gzip_buffers      32 8k;
	gzip_types	text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
	gzip_disable      "MSIE [1-6]\.(?!.*SV1)";

#### Upstream
###
##
#
	upstream diaspora {
	server unix:/home/diaspora/diaspora-hfase/tmp/sockets/diaspora.socket max_fails=3  fail_timeout=30s;
	server unix:/home/hans/workspace/diaspora/tmp/sockets/diaspora.socket max_fails=3  fail_timeout=30s;
	}
##
#
	upstream gitlab {
	server unix:/home/gitlab/gitlab/tmp/sockets/gitlab.socket;
	}
##
#
	upstream w44 {
	server unix:/home/hans/workspace/travis-ci/tmp/sockets/travis.socket max_fails=3  fail_timeout=30s;
	server unix:/home/w44/diaspora-w44/tmp/sockets/diaspora.socket max_fails=3  fail_timeout=30s;
	server 0.0.0.0:3000 max_fails=3  fail_timeout=30s; ## script-server fail-back
	}
##
#
	upstream php {
	server unix:/tmp/php.sock;
	}
#### Diaspora
###
##
#
	server {
	listen   80;
	server_name www.hfase.com hfase.com;
	rewrite      ^(.*) https://hfase.com$1 permanent;
	}
	server {
	listen       443;
	server_name www.hfase.com hfase.com;
	root	 /home/diaspora/diaspora-hfase/public;
	ssl on;
	ssl_certificate      /home/hans/ssl-certs+keys/hfase-ssl.crt; ## You will need to supply these files!!!
	ssl_certificate_key  /home/hans/ssl-certs+keys/hfase-ssl.key; ## You will need to supply these files!!!
	# enable better ssl security if you like to mitigate BEAST and other exploits
	ssl_session_cache       shared:SSL:10m;
	ssl_session_timeout     5m;
	#ssl_protocols	   TLSv1;
	#ssl_ciphers	     ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
	#ssl_prefer_server_ciphers on;
	add_header	      Strict-Transport-Security max-age=500;
	#ssl_ecdh_curve	  secp521r1;
	if ($host = 'www.hfase.com' ) {
	rewrite  ^/(.*)$  https://hfase.com/$1  permanent;
	}
	location /uploads {
	rewrite ^/(.*)$ https://hfase.s3.amazonaws.com/$1 permanent;
	}
	location /assets {
	rewrite ^/(.*)$ https://hfase-assets.s3.amazonaws.com/$1 permanent;
	}
	location / {
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header Host $http_host;
		proxy_set_header X-Forwarded-Proto https;
		proxy_redirect off;
		client_max_body_size 4M;
		client_body_buffer_size 128K;
		if (-f $request_filename/index.html) {
		rewrite (.*) $1/index.html break;
		}
		if (-f $request_filename.html) {
		rewrite (.*) $1.html break;
		}
		if (!-f $request_filename) {
			proxy_pass http://diaspora;
			break;
			}
		}
		error_page 500 503 504 /500.html;
		location = /500.html {
		root /home/diaspora/diaspora-hfase/public;
		}
		error_page 404 /404.html;
		location = /404.html {
		root /home/diaspora/diaspora-hfase/public;
		}
		error_page 502 /down.html;
		location = /down.html {
		root /home/diaspora/diaspora-hfase/public;
		}
	}
#### Webmin
###
##
#
	server {
 	listen   80;
	server_name  admin.hfase.com;
	rewrite      ^(.*) https://admin.hfase.com$1 permanent;
	}
	server {
	listen   443;
	server_name  admin.hfase.com;
	ssl on;
	ssl_certificate      /home/hans/ssl-certs+keys/admin.hfase-ssl.crt;
	ssl_certificate_key  /home/hans/ssl-certs+keys/admin.hfase-ssl.key;
	ssl_session_cache       shared:SSL:10m;
	ssl_session_timeout     5m;
	#ssl_protocols	   TLSv1;
	#ssl_ciphers	     ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
	#ssl_prefer_server_ciphers on;
	add_header	      Strict-Transport-Security max-age=500;
	location / {
		proxy_pass https://127.0.0.1:10000/;
		# allow anyone in 192.168.1.0/24
		allow   192.168.1.0/24;
		# drop rest of the world
		deny    all;
		}
	}
#### Wordpress
###
##
#
	server {
 	listen   80;
	server_name  blog.hfase.com;
	root /var/www/WP;
	location / {
		index index.php index.html index.htm;
		try_files $uri $uri/ /index.php?q=$uri&$args;
		}
	# Pass the php scripts to fastcgi server specified in upstream declaration.
	location ~ \.php$ {
		    fastcgi_pass php;
		    # Necessary for php.
		    fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
		    # Unmodified fastcgi_params from nginx distribution.
		    include fastcgi_params;
		}
		# Deny access to version control system directories.
		location ~ /\.svn|/\.git {
		    deny all;
		    internal;
		}
	}
#### Forum
###
##
#
	server {
	listen   80;
	server_name forum.hfase.com;
	root /var/www/icy_phoenix;
	location / {
		    # phpbb uses index.htm
		    index index.php index.html index.htm;
		}
	# Deny access to internal phpbb files.
	location ~ /(config\.php|common\.php|includes|cache|files|store|images/avatars/upload) {
		    deny all;
		    # deny was ignored before 0.8.40 for connections over IPv6.
		    # Use internal directive to prohibit access on older versions.
		    internal;
		}
	# Pass the php scripts to fastcgi server specified in upstream declaration.
	location ~ \.php$ {
		    fastcgi_pass php;
		    # Necessary for php.
		    fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
		    # Unmodified fastcgi_params from nginx distribution.
		    include fastcgi_params;
		}
		# Deny access to version control system directories.
		location ~ /\.svn|/\.git {
		    deny all;
		    internal;
		}
	}
#### Piwik
###
##
#
	server {
	listen   80;
	server_name piwik.hfase.com;
	rewrite      ^(.*) https://piwik.hfase.com$1 permanent;
	}
	server {
	listen       443;
	server_name piwik.hfase.com;
	root	 /var/www/piwik;
	ssl on;
	ssl_certificate      /home/hans/ssl-certs+keys/piwik-ssl.crt; ## You will need to supply these files!!!
	ssl_certificate_key  /home/hans/ssl-certs+keys/piwik-ssl.key; ## You will need to supply these files!!!
	# enable better ssl security if you like to mitigate BEAST and other exploits
	ssl_session_cache       shared:SSL:10m;
	ssl_session_timeout     5m;
	#ssl_protocols	   TLSv1;
	#ssl_ciphers	     ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
	#ssl_prefer_server_ciphers on;
	add_header	      Strict-Transport-Security max-age=500;
	#ssl_ecdh_curve	  secp521r1;
	location / {
		index index.php index.html index.htm;
		try_files $uri $uri/ /index.php?q=$uri&$args;
		}
	# Deny access to internal phpbb files.
	location ~ /(config.ini\.php|global.ini\.php|includes|cache|files|store|images/avatars/upload) {
		    deny all;
		    # deny was ignored before 0.8.40 for connections over IPv6.
		    # Use internal directive to prohibit access on older versions.
		    internal;
		}
	# Pass the php scripts to fastcgi server specified in upstream declaration.
	location ~ \.php$ {
		    fastcgi_pass php;
		    # Necessary for php.
		    fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
		    # Unmodified fastcgi_params from nginx distribution.
		    include fastcgi_params;
		}
		# Deny access to version control system directories.
		location ~ /\.svn|/\.git {
		    deny all;
		    internal;
		}
	}
#### w44
###
##
#
	server {
	listen   80;
	server_name w44.co;
	rewrite      ^(.*) https://w44.co$1 permanent;
	}
	server {
	listen       443;
	server_name w44.co;
	root	 /home/w44/diaspora-w44/public;
	ssl on;
	ssl_certificate      /home/hans/ssl-certs+keys/w44.crt; ## You will need to supply these files!!!
	ssl_certificate_key  /home/hans/ssl-certs+keys/w44.key; ## You will need to supply these files!!!
	# enable better ssl security if you like to mitigate BEAST and other exploits
	ssl_session_cache       shared:SSL:10m;
	ssl_session_timeout     5m;
	#ssl_protocols	   TLSv1;
	#ssl_ciphers	     ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
	#ssl_prefer_server_ciphers on;
	add_header	      Strict-Transport-Security max-age=500;
	#ssl_ecdh_curve	  secp521r1;
	if ($host = 'www.w44.co' ) {
	rewrite  ^/(.*)$  https://w44.co/$1  permanent;
	}
	location /uploads {
	rewrite ^/(.*)$ https://w44.s3.amazonaws.com/$1 permanent;
	}
	location /assets {
	rewrite ^/(.*)$ https://w44-assets.s3.amazonaws.com/$1 permanent;
	}
	location / {
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header Host $http_host;
		proxy_set_header X-Forwarded-Proto https;
		proxy_redirect off;
		client_max_body_size 4M;
		client_body_buffer_size 128K;
		if (-f $request_filename/index.html) {
		rewrite (.*) $1/index.html break;
		}
		if (-f $request_filename.html) {
		rewrite (.*) $1.html break;
		}
		if (!-f $request_filename) {
			proxy_pass http://w44;
			break;
			}
		}
		error_page 500 503 504 /500.html;
		location = /500.html {
		root /home/w44/diaspora-w44/public;
		}
		error_page 404 /404.html;
		location = /404.html {
		root /home/w44/diaspora-w44/public;
		}
		error_page 502 /down.html;
		location = /down.html {
		root /home/w44/diaspora-w44/public;
		}
	}
#### Gitlab
###
##
#
	server {
 		listen   80;
	server_name  git.hfase.com;
	rewrite      ^(.*) https://git.hfase.com$1 permanent;
	}
	server {
	listen       443;
	server_name  git.hfase.com;
	root	 /home/gitlab/gitlab/public;
	ssl on;
	ssl_certificate      /home/hans/ssl-certs+keys/git.hfase-ssl.crt;
	ssl_certificate_key  /home/hans/ssl-certs+keys/git.hfase-ssl.key;
	# enable better ssl security if you like to mitigate BEAST and other exploits
	ssl_session_cache       shared:SSL:10m;
	ssl_session_timeout     5m;
	#ssl_protocols	   TLSv1;
	#ssl_ciphers	     ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
	#ssl_prefer_server_ciphers on;
	add_header	      Strict-Transport-Security max-age=500;
	#ssl_ecdh_curve	  secp521r1;
	location /uploads/images {
	expires 1d;
	add_header Cache-Control public;
	}
	location /assets {
	expires 1d;
	add_header Cache-Control public;
	}
	location / {
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header Host $http_host;
		proxy_set_header X-Forwarded-Proto https;
		proxy_redirect off;
		client_max_body_size 4M;
		client_body_buffer_size 128K;
		if (-f $request_filename/index.html) {
		rewrite (.*) $1/index.html break;
		}
		if (-f $request_filename.html) {
		rewrite (.*) $1.html break;
		}
		if (!-f $request_filename) {
			proxy_pass http://gitlab;
			break;
			}
		}
		error_page 500 503 504 /500.html;
		location = /500.html {
		root /home/gitlab/gitlab/public;
		}
		error_page 404 /404.html;
		location = /404.html {
		root /home/gitlab/gitlab/public;
		}
		error_page 502 /down.html;
		location = /down.html {
		root /home/gitlab/gitlab/public;
		}
	}
#### Phpmyadmin
###
##
#
	server {
 	listen   80;
	server_name  sql.hfase.com;
	root /usr/share/phpmyadmin;
	location / {
		index index.php index.html index.htm;
		try_files $uri $uri/ /index.php?q=$uri&$args;
		# allow anyone in 192.168.1.0/24
	#	allow   192.168.1.0/24;
		# drop rest of the world
	#	deny    all;
		}
	# Deny access to internal phpbb files.
	location ~ /(wp-config\.php|wp-common\.php|includes|cache|files|store|images/avatars/upload) {
		    deny all;
		    # deny was ignored before 0.8.40 for connections over IPv6.
		    # Use internal directive to prohibit access on older versions.
		    internal;
		}
	# Pass the php scripts to fastcgi server specified in upstream declaration.
	location ~ \.php$ {
		    fastcgi_pass php;
		    # Necessary for php.
		    fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
		    # Unmodified fastcgi_params from nginx distribution.
		    include fastcgi_params;
		}
		# Deny access to version control system directories.
		location ~ /\.svn|/\.git {
		    deny all;
		    internal;
		}
	}
#### Mirror
###
##
#
	server {
	listen 80;
	server_name mirror.hfase.com;
	root /var/www/mirror;
	location / {
		index index.html
		index.php
		/_h5ai/php/h5ai-index.php;
		autoindex on;
		}
	location ~ \.php$ {
		    fastcgi_pass php;
		    # Necessary for php.
		    fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
		    # Unmodified fastcgi_params from nginx distribution.
		    include fastcgi_params;
		}
	}
#### END
###
##
#
}
	worker_processes 8;
	pid /var/run/nginx.pid;
	events {
	worker_connections 4096;
	}
	http {
	include mime.types;
	default_type application/octet-stream;
	sendfile on;
	keepalive_timeout 65;
	server_tokens off;
	gzip on;
	gzip_comp_level 6;
	gzip_vary on;
	gzip_proxied any;
	gzip_buffers 32 8k;
	gzip_types text/plain text/css application/x-javascript text/xml application/xml application/xml+rss text/javascript;
	gzip_disable "MSIE [1-6]\.(?!.*SV1)";

	#### Upstream
	###
	##
	#
	upstream diaspora {
	server unix:/home/diaspora/diaspora-hfase/tmp/sockets/diaspora.socket max_fails=3 fail_timeout=30s;
	server unix:/home/hans/workspace/diaspora/tmp/sockets/diaspora.socket max_fails=3 fail_timeout=30s;
	}
	##
	#
	upstream gitlab {
	server unix:/home/gitlab/gitlab/tmp/sockets/gitlab.socket;
	}
	##
	#
	upstream w44 {
	server unix:/home/hans/workspace/travis-ci/tmp/sockets/travis.socket max_fails=3 fail_timeout=30s;
	server unix:/home/w44/diaspora-w44/tmp/sockets/diaspora.socket max_fails=3 fail_timeout=30s;
	server 0.0.0.0:3000 max_fails=3 fail_timeout=30s; ## script-server fail-back
	}
	##
	#
	upstream php {
	server unix:/tmp/php.sock;
	}
	#### Diaspora
	###
	##
	#
	server {
	listen 80;
	server_name www.hfase.com hfase.com;
	rewrite ^(.*) https://hfase.com$1 permanent;
	}
	server {
	listen 443;
	server_name www.hfase.com hfase.com;
	root /home/diaspora/diaspora-hfase/public;
	ssl on;
	ssl_certificate /home/hans/ssl-certs+keys/hfase-ssl.crt; ## You will need to supply these files!!!
	ssl_certificate_key /home/hans/ssl-certs+keys/hfase-ssl.key; ## You will need to supply these files!!!
	# enable better ssl security if you like to mitigate BEAST and other exploits
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 5m;
	#ssl_protocols TLSv1;
	#ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
	#ssl_prefer_server_ciphers on;
	add_header Strict-Transport-Security max-age=500;
	#ssl_ecdh_curve secp521r1;
	if ($host = 'www.hfase.com' ) {
	rewrite ^/(.*)$ https://hfase.com/$1 permanent;
	}
	location /uploads {
	rewrite ^/(.*)$ https://hfase.s3.amazonaws.com/$1 permanent;
	}
	location /assets {
	rewrite ^/(.*)$ https://hfase-assets.s3.amazonaws.com/$1 permanent;
	}
	location / {
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Proto https;
	proxy_redirect off;
	client_max_body_size 4M;
	client_body_buffer_size 128K;
	if (-f $request_filename/index.html) {
	rewrite (.*) $1/index.html break;
	}
	if (-f $request_filename.html) {
	rewrite (.*) $1.html break;
	}
	if (!-f $request_filename) {
	proxy_pass http://diaspora;
	break;
	}
	}
	error_page 500 503 504 /500.html;
	location = /500.html {
	root /home/diaspora/diaspora-hfase/public;
	}
	error_page 404 /404.html;
	location = /404.html {
	root /home/diaspora/diaspora-hfase/public;
	}
	error_page 502 /down.html;
	location = /down.html {
	root /home/diaspora/diaspora-hfase/public;
	}
	}
	#### Webmin
	###
	##
	#
	server {
	listen 80;
	server_name admin.hfase.com;
	rewrite ^(.*) https://admin.hfase.com$1 permanent;
	}
	server {
	listen 443;
	server_name admin.hfase.com;
	ssl on;
	ssl_certificate /home/hans/ssl-certs+keys/admin.hfase-ssl.crt;
	ssl_certificate_key /home/hans/ssl-certs+keys/admin.hfase-ssl.key;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 5m;
	#ssl_protocols TLSv1;
	#ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
	#ssl_prefer_server_ciphers on;
	add_header Strict-Transport-Security max-age=500;
	location / {
	proxy_pass https://127.0.0.1:10000/;
	# allow anyone in 192.168.1.0/24
	allow 192.168.1.0/24;
	# drop rest of the world
	deny all;
	}
	}
	#### Wordpress
	###
	##
	#
	server {
	listen 80;
	server_name blog.hfase.com;
	root /var/www/WP;
	location / {
	index index.php index.html index.htm;
	try_files $uri $uri/ /index.php?q=$uri&$args;
	}
	# Pass the php scripts to fastcgi server specified in upstream declaration.
	location ~ \.php$ {
	fastcgi_pass php;
	# Necessary for php.
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	# Unmodified fastcgi_params from nginx distribution.
	include fastcgi_params;
	}
	# Deny access to version control system directories.
	location ~ /\.svn\|/\.git {
	deny all;
	internal;
	}
	}
	#### Forum
	###
	##
	#
	server {
	listen 80;
	server_name forum.hfase.com;
	root /var/www/icy_phoenix;
	location / {
	# phpbb uses index.htm
	index index.php index.html index.htm;
	}
	# Deny access to internal phpbb files.
	location ~ /(config\.php\|common\.php\|includes\|cache\|files\|store\|images/avatars/upload) {
	deny all;
	# deny was ignored before 0.8.40 for connections over IPv6.
	# Use internal directive to prohibit access on older versions.
	internal;
	}
	# Pass the php scripts to fastcgi server specified in upstream declaration.
	location ~ \.php$ {
	fastcgi_pass php;
	# Necessary for php.
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	# Unmodified fastcgi_params from nginx distribution.
	include fastcgi_params;
	}
	# Deny access to version control system directories.
	location ~ /\.svn\|/\.git {
	deny all;
	internal;
	}
	}
	#### Piwik
	###
	##
	#
	server {
	listen 80;
	server_name piwik.hfase.com;
	rewrite ^(.*) https://piwik.hfase.com$1 permanent;
	}
	server {
	listen 443;
	server_name piwik.hfase.com;
	root /var/www/piwik;
	ssl on;
	ssl_certificate /home/hans/ssl-certs+keys/piwik-ssl.crt; ## You will need to supply these files!!!
	ssl_certificate_key /home/hans/ssl-certs+keys/piwik-ssl.key; ## You will need to supply these files!!!
	# enable better ssl security if you like to mitigate BEAST and other exploits
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 5m;
	#ssl_protocols TLSv1;
	#ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
	#ssl_prefer_server_ciphers on;
	add_header Strict-Transport-Security max-age=500;
	#ssl_ecdh_curve secp521r1;
	location / {
	index index.php index.html index.htm;
	try_files $uri $uri/ /index.php?q=$uri&$args;
	}
	# Deny access to internal phpbb files.
	location ~ /(config.ini\.php\|global.ini\.php\|includes\|cache\|files\|store\|images/avatars/upload) {
	deny all;
	# deny was ignored before 0.8.40 for connections over IPv6.
	# Use internal directive to prohibit access on older versions.
	internal;
	}
	# Pass the php scripts to fastcgi server specified in upstream declaration.
	location ~ \.php$ {
	fastcgi_pass php;
	# Necessary for php.
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	# Unmodified fastcgi_params from nginx distribution.
	include fastcgi_params;
	}
	# Deny access to version control system directories.
	location ~ /\.svn\|/\.git {
	deny all;
	internal;
	}
	}
	#### w44
	###
	##
	#
	server {
	listen 80;
	server_name w44.co;
	rewrite ^(.*) https://w44.co$1 permanent;
	}
	server {
	listen 443;
	server_name w44.co;
	root /home/w44/diaspora-w44/public;
	ssl on;
	ssl_certificate /home/hans/ssl-certs+keys/w44.crt; ## You will need to supply these files!!!
	ssl_certificate_key /home/hans/ssl-certs+keys/w44.key; ## You will need to supply these files!!!
	# enable better ssl security if you like to mitigate BEAST and other exploits
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 5m;
	#ssl_protocols TLSv1;
	#ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
	#ssl_prefer_server_ciphers on;
	add_header Strict-Transport-Security max-age=500;
	#ssl_ecdh_curve secp521r1;
	if ($host = 'www.w44.co' ) {
	rewrite ^/(.*)$ https://w44.co/$1 permanent;
	}
	location /uploads {
	rewrite ^/(.*)$ https://w44.s3.amazonaws.com/$1 permanent;
	}
	location /assets {
	rewrite ^/(.*)$ https://w44-assets.s3.amazonaws.com/$1 permanent;
	}
	location / {
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Proto https;
	proxy_redirect off;
	client_max_body_size 4M;
	client_body_buffer_size 128K;
	if (-f $request_filename/index.html) {
	rewrite (.*) $1/index.html break;
	}
	if (-f $request_filename.html) {
	rewrite (.*) $1.html break;
	}
	if (!-f $request_filename) {
	proxy_pass http://w44;
	break;
	}
	}
	error_page 500 503 504 /500.html;
	location = /500.html {
	root /home/w44/diaspora-w44/public;
	}
	error_page 404 /404.html;
	location = /404.html {
	root /home/w44/diaspora-w44/public;
	}
	error_page 502 /down.html;
	location = /down.html {
	root /home/w44/diaspora-w44/public;
	}
	}
	#### Gitlab
	###
	##
	#
	server {
	listen 80;
	server_name git.hfase.com;
	rewrite ^(.*) https://git.hfase.com$1 permanent;
	}
	server {
	listen 443;
	server_name git.hfase.com;
	root /home/gitlab/gitlab/public;
	ssl on;
	ssl_certificate /home/hans/ssl-certs+keys/git.hfase-ssl.crt;
	ssl_certificate_key /home/hans/ssl-certs+keys/git.hfase-ssl.key;
	# enable better ssl security if you like to mitigate BEAST and other exploits
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 5m;
	#ssl_protocols TLSv1;
	#ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM;
	#ssl_prefer_server_ciphers on;
	add_header Strict-Transport-Security max-age=500;
	#ssl_ecdh_curve secp521r1;
	location /uploads/images {
	expires 1d;
	add_header Cache-Control public;
	}
	location /assets {
	expires 1d;
	add_header Cache-Control public;
	}
	location / {
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Proto https;
	proxy_redirect off;
	client_max_body_size 4M;
	client_body_buffer_size 128K;
	if (-f $request_filename/index.html) {
	rewrite (.*) $1/index.html break;
	}
	if (-f $request_filename.html) {
	rewrite (.*) $1.html break;
	}
	if (!-f $request_filename) {
	proxy_pass http://gitlab;
	break;
	}
	}
	error_page 500 503 504 /500.html;
	location = /500.html {
	root /home/gitlab/gitlab/public;
	}
	error_page 404 /404.html;
	location = /404.html {
	root /home/gitlab/gitlab/public;
	}
	error_page 502 /down.html;
	location = /down.html {
	root /home/gitlab/gitlab/public;
	}
	}
	#### Phpmyadmin
	###
	##
	#
	server {
	listen 80;
	server_name sql.hfase.com;
	root /usr/share/phpmyadmin;
	location / {
	index index.php index.html index.htm;
	try_files $uri $uri/ /index.php?q=$uri&$args;
	# allow anyone in 192.168.1.0/24
	# allow 192.168.1.0/24;
	# drop rest of the world
	# deny all;
	}
	# Deny access to internal phpbb files.
	location ~ /(wp-config\.php\|wp-common\.php\|includes\|cache\|files\|store\|images/avatars/upload) {
	deny all;
	# deny was ignored before 0.8.40 for connections over IPv6.
	# Use internal directive to prohibit access on older versions.
	internal;
	}
	# Pass the php scripts to fastcgi server specified in upstream declaration.
	location ~ \.php$ {
	fastcgi_pass php;
	# Necessary for php.
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	# Unmodified fastcgi_params from nginx distribution.
	include fastcgi_params;
	}
	# Deny access to version control system directories.
	location ~ /\.svn\|/\.git {
	deny all;
	internal;
	}
	}
	#### Mirror
	###
	##
	#
	server {
	listen 80;
	server_name mirror.hfase.com;
	root /var/www/mirror;
	location / {
	index index.html
	index.php
	/_h5ai/php/h5ai-index.php;
	autoindex on;
	}
	location ~ \.php$ {
	fastcgi_pass php;
	# Necessary for php.
	fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
	# Unmodified fastcgi_params from nginx distribution.
	include fastcgi_params;
	}
	}
	#### END
	###
	##
	#
	}