zeratax/blog.dmnd.sh.conf

## blog.dmnd.sh.conf
# site-available/blog.dmnd.sh.conf

server {
	listen [::]:443 ssl;
	listen 443 ssl;
	server_name blog.dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	location / {
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_pass http://localhost:4000;
	}
}

## chat.dmnd.sh.conf
# sites-available/chat.dmnd.sh.conf

server {
	# Simple configuration for serving Riot
	server_name chat.dmnd.sh;
	listen 443 ssl;
	listen [::]:443 ssl;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	root /var/www/riot/;

	location / {
		try_files $uri/index.html $uri $uri/=404;
		error_page 404 /404.html;
		error_page 500 502 503 504 /500.html;
	}

	location ~ ^/(static|register) {
		proxy_pass  http://localhost:5000;
	}

	location /token {
		proxy_pass  http://localhost:5000;
	}
}

## deny-all.conf
# sites-available/deny-all.conf

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;

	return 444;
}

server {
	listen 443 default_server;
	listen [::]:443 default_server;
	server_name _;

	ssl_certificate /etc/letsencrypt/live/dmnd.sh/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/dmnd.sh/privkey.pem;

	return 444;
}

## dimension.dmnd.sh.conf
# sites-available/dimension.dmnd.sh.conf

server {
	listen [::]:443 ssl;
	listen 443 ssl;
	server_name dimension.dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	location / {
		#  f ($request_method = 'OPTIONS') {
		# 	add_header 'Access-Control-Max-Age' 1728000;
		# 	add_header 'Content-Type' 'text/plain charset=UTF-8';
		# 	add_header 'Content-Length' 0;
		# 	return 204;
		# }

		# allow all;
		# add_header 'Access-Control-Allow-Origin' '*';
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_pass http://localhost:8184;
	}
}

# some clients have port 8448 still cached and to help them we keep this
server {
	listen 8448 ssl;
	listen [::]:8448 ssl;
	server_name dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;


	location / {
		proxy_pass https://dmnd.sh:443;
		proxy_set_header X-Forwarded-For $remote_addr;
		# rewrite ^/?(.*) https://dmnd.sh/$1 permanent;
	}
}

## dmnd.sh.conf
# sites-available/dmnd.sh.conf

map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
}

upstream maubot {
        server localhost:29316;
}

include snippets/matrix-workers-loadbalancing.conf;

server {
	listen [::]:443 ssl;
	listen 443 ssl;
	server_name dmnd.sh www.dmnd.sh status.dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	index index.htm index.html;

	if ($host != dmnd.sh) {
		return 307 https://dmnd.sh$request_uri;
	}

	#  homepage
	location / {
		root /home/travis/www/dist;

		rewrite ^/(.*)\.html(\?.*)?$ /$1$2 permanent;
		rewrite ^/(.*)/$ /$1 permanent;

		index index.html;

		try_files $uri/index.html $uri.html $uri/ $uri =404;
		error_page 404 /404.html;
  		error_page 500 502 503 504 /500.html;
	}

	location /register {
		types {}
    		default_type text/html;
		alias /home/travis/www/dist/register.html;

		# if ($request_method = GET) {
		# if ($request_uri ~* "^/register\.html(\?.*)?(#.*)?$") {
			rewrite ^(/.*)\.html(\?.*)?$ $1$2 permanent;
			rewrite ^/(.*)/$ /$1 permanent;
		# }

		# index register.html;
		# try_files register.html $uri.html $uri/ $uri =404;

		if ($request_method = POST ) {
			proxy_pass http://localhost:5000;
		}

		proxy_set_header   Host $host;
		proxy_set_header   X-Real-IP $remote_addr;
		proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header   X-Forwarded-Host $server_name;
	}

	location /files {
		autoindex on;
		autoindex_exact_size off;
		auth_basic "Restricted Content";
		auth_basic_user_file /etc/nginx/.htpasswd;
	}

	# matrix-registration
	location /token {
		proxy_pass http://localhost:5000;
		proxy_set_header X-Forwarded-For $remote_addr;
	}

	location ~ /test-token(.*)$ {
		rewrite ^ /token$1?$args break;
		proxy_pass http://localhost:5001;
		proxy_set_header X-Forwarded-For $remote_addr;
	}

	location ~ /test-register(.*)$  {
		rewrite ^ /register$1?$args break;
		proxy_pass http://localhost:5001;
		proxy_set_header X-Forwarded-For $remote_addr;
	}

	location /static {
		proxy_pass http://localhost:5001;
		proxy_set_header X-Forwarded-For $remote_addr;
	}

	# matrix
	location /_matrix {
		proxy_pass http://localhost:8008;
		proxy_set_header X-Forwarded-For $remote_addr;
	}

	include snippets/matrix-workers.conf;

	# matrix-appservices
	location /_matrix/appservice-slack {
		proxy_pass http://localhost:9899;
		proxy_set_header X-Forwarded-For $remote_addr;
	}

	location /_matrix/appservice-webhook {
		rewrite /_matrix/appservice-webhook/(.*) /$1 break;
		proxy_pass http://localhost:9000;
		proxy_set_header X-Forwarded-For $remote_addr;
	}

	location /_matrix/appservice-telegram {
		proxy_pass  http://localhost:8123;
		proxy_redirect  off;

		proxy_set_header  Host  $host;
		proxy_set_header  X-Real-IP $remote_addr;
		proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;

		client_max_body_size  1m;
		client_body_buffer_size 128k;

		proxy_connect_timeout 90;
		proxy_send_timeout  90;
		proxy_read_timeout  90;

		proxy_buffer_size 4k;
		proxy_buffers 4 32k;
		proxy_busy_buffers_size 64k;
		proxy_temp_file_write_size  64k;
	}

	location /_matrix/webhook-gitlab {
		proxy_pass http://localhost:29313;
		proxy_set_header X-Forwarded-For $remote_addr;
	}

	location /_matrix/maubot {
		proxy_redirect	off;

		proxy_pass http://maubot;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;

		proxy_set_header  Host  $host;
		proxy_set_header  X-Real-IP $remote_addr;
		proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
	}

	location = /stickers {
		return 301 /stickers/;
	}

	location /stickers/ {
		proxy_pass  http://localhost:8082/;

		proxy_set_header  Host  $host;
		proxy_set_header  X-Real-IP $remote_addr;
		proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
	}

	location /lag {
		proxy_pass  http://localhost:8080;
		proxy_redirect  off;

		proxy_set_header  Host  $host;
		proxy_set_header  X-Real-IP $remote_addr;
		proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
	}

	# sync stuff
	location /radicale/ { # The trailing / is important!
		proxy_pass  http://localhost:5232/; # The trailing / is important!
		proxy_set_header  X-Script-Name /radicale;
		proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass_header Authorization;
	}

	# games
	location = /minecraft/map {
		return 307 /minecraft/map/;
	}

	location = /minecraft/map/ {
		return 307 https://dmnd.sh/minecraft/map/index.html;
	}

	location /minecraft/map/ {
		rewrite /minecraft/map/(.*) /$1 break;
		proxy_pass  http://localhost:8777;
		proxy_set_header  X-Forwarded-For $remote_addr;
		proxy_set_header  Host  $host;
		proxy_cache map;
		proxy_cache_key "$host$uri";
		proxy_cache_valid 200 302  60m;
		proxy_cache_valid 404 10m;
		proxy_cache_use_stale error timeout invalid_header updating http_500 http_503 http_504;
		proxy_connect_timeout 10;
	}

	# redirect to services
	location ^~ /jitsi {
		rewrite ^/jitsi/?(.*) https://jitsi.dmnd.sh/$1 permanent;
	}

	location ^~ /etherpad {
		rewrite ^/etherpad/?(.*) https://docs.dmnd.sh/$1 permanent;
	}

	location ^~ /dimension {
		rewrite ^/dimension/?(.*) https://dimension.dmnd.sh/$1 permanent;
	}
}

# some clients have port 8448 still cached and to help them we keep this
server {
	listen 8448 ssl;
	listen [::]:8448 ssl;
	server_name dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	location ^~ / {
    		rewrite ^/?(.*) https://dmnd.sh/$1 permanent;
	}

	location /_matrix {
		proxy_pass http://localhost:8008;
		proxy_set_header X-Forwarded-For $remote_addr;
	}

	include snippets/matrix-workers.conf;
}


## docs.dmnd.sh.conf
# sites-available/docs.dmnd.sh.conf

map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

upstream etherpad-lite {
	server 127.0.0.1:9001;
}

server {
	listen [::]:443 ssl;
	listen 443 ssl;
	server_name docs.dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	# Allow normal files to pass through
	location ~ ^/(locales/|locales.json|admin/|static/|pluginfw/|javascripts/|socket.io/|ep/|minified/|api/|ro/|error/|jserror/|favicon.ico|robots.txt) {
		proxy_buffering off;
		proxy_pass http://etherpad-lite;
	}

	# Redirect to force /p/* URLs to the friendly version
	location /p/ {
		rewrite ^/p/(.*) /$1 redirect;
	}

	# Match the home page
	location ~ ^/$ {
		proxy_buffering off;
		proxy_pass http://etherpad-lite;
	}

	# Handle pad URLs here
	location / {
		proxy_buffering off;
		proxy_set_header Host $host;
		proxy_pass http://etherpad-lite/p/;

		proxy_redirect / /p/;
		proxy_pass_header Server;

		# headers
		proxy_set_header X-Real-IP $remote_addr;  # http://wiki.nginx.org/HttpProxyModule
		proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
		proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
		proxy_set_header Host $host;  # pass the host header
		proxy_http_version 1.1;  # recommended with keepalive connections
		# WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
	}
}

## jitsi.dmnd.sh.conf
# sites-available/jitsi.dmnd.sh.conf

server {
	listen [::]:443 ssl http2;
	listen 443 ssl http2;
	server_name jitsi.dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	root /usr/share/jitsi-meet;
	index index.html index.htm;
	error_page 404 /static/404.html;

	location /config.js {
		alias /etc/jitsi/meet/jitsi.dmnd.sh-config.js;
	}

	location ~ ^/(?!(http-bind|external_api\.|xmpp-websocket))([a-zA-Z0-9=_äÄöÖüÜß\?\-]+)$ {
		rewrite ^/(.*)$ / break;
	}

	location / {
		ssi on;
	}

	# Backward compatibility
	location ~ /external_api.* {
		root /usr/share/jitsi-meet/libs;
	}

	# BOSH
	location /http-bind {
		proxy_pass		http://localhost:5280/http-bind;
		proxy_set_header	X-Forwarded-For $remote_addr;
		proxy_set_header	Host $http_host;
	}

	# xmpp websockets
	location /xmpp-websocket {
		proxy_pass http://localhost:5280;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		proxy_set_header Host $host;
		tcp_nodelay on;
	}
}

## l10n.dmnd.sh.conf
# sites-available/l10n.dmnd.sh.conf

server {
	listen [::]:443 ssl;
	listen 443 ssl;
	server_name l10n.dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	# Not used
	root /var/www/html;

	location ~ ^/favicon.ico$ {
		# DATA_DIR/static/favicon.ico
		alias /opt/weblate/lib/python3.7/site-packages/data/static/favicon.ico;
		expires 30d;
	}

	location /static/ {
		# DATA_DIR/static/
		alias /opt/weblate/lib/python3.7/site-packages/data/static/;
		expires 30d;
	}

	location /media/ {
		# DATA_DIR/media/
		alias /opt/weblate/lib/python3.7/site-packages/data/media/;
		expires 30d;
	}

	location / {
		include uwsgi_params;
		# Needed for long running operations in admin interface
		uwsgi_read_timeout 3600;
		# Adjust based to uwsgi configuration:
		# uwsgi_pass unix:///run/uwsgi/app/weblate/socket;
		uwsgi_pass 127.0.0.1:8077;
	}
}


## matrix-workers-loadbalancing.conf
# snippets/matrix-workers-loadbalancing.conf

upstream synchrotron {
	server localhost:8002;
}

upstream federation_reader {
	server localhost:8003;
}

# must only be handled by a single instance.
upstream federation_reader_send {
	server localhost:8003;
}

# must only be handled by a single instance.
upstream media_repository {
	server localhost:8004;
}

upstream client_reader {
	server localhost:8005;
}

# must only be handled by a single instance.
upstream client_reader_register {
	server localhost:8005;
}

# all requests with the same path room must be routed to the same instance
upstream client_reader_messages {
	hash $request_uri consistent;
	server localhost:8005;
}

upstream user_dir {
	server localhost:8006;
}

upstream frontend_proxy {
	server localhost:8007;
}

upstream event_creator {
	server localhost:8009;
}

## pre-matrix-workers.conf
# snippets/pre-matrix-workers.conf

# nginx-conf -i pre-matrix-workers.conf -o matrix-workers.conf
# https://dev.yorhel.nl/nginx-confgen

macro m_reverseproxy $location {
	proxy_pass	http://$location;
	proxy_set_header X-Forwarded-For $remote_addr;
}

# synchrotron
location ^/_matrix/client/(v2_alpha|r0)/sync$ {
	m_reverseproxy synchrotron;
}
location ^/_matrix/client/(api/v1|v2_alpha|r0)/events$ {
	m_reverseproxy synchrotron;
}
location ^/_matrix/client/(api/v1|r0)/initialSync$ {
	m_reverseproxy synchrotron;
}
location ^/_matrix/client/(api/v1|r0)/rooms/[^/]+/initialSync$ {
	m_reverseproxy synchrotron;
}

# federation_reader
location ^/_matrix/federation/v1/(event|state|state_ids|backfill|get_missing_events|publicRooms|query|make_join|make_leave|send_join|send_leave|invite|query_auth|event|auth|exchange_third_party_invite|user/devices)/ {
	m_reverseproxy federation_reader;
}
location ^/_matrix/federation/v2/(send_join|send_leave|invite)/ {
	m_reverseproxy federation_reader;
}
location ^/_matrix/key/v2/query {
	m_reverseproxy federation_reader;
}
location ^/_matrix/federation/v1/get_groups_publicised$ {
	m_reverseproxy federation_reader;
}
location ^/_matrix/federation/v1/send/ { # must only be handled by a single instance.
	m_reverseproxy federation_reader_send;
}
location ^/_matrix/federation/v1/groups/ {
	m_reverseproxy federation_reader;
}

# media_repository
location /_matrix/media/ {
	client_max_body_size 1024M;
	m_reverseproxy media_repository;
}
location ^/_synapse/admin/v1/purge_media_cache$ {
	m_reverseproxy media_repository;
}
location ^/_synapse/admin/v1/(room|user)/.*/media.*$ {
	m_reverseproxy media_repository;
}
location ^/_synapse/admin/v1/(media|quarantine_media)/.*$ {
	m_reverseproxy media_repository;
}

# client_reader
location ^/_matrix/client/(api/v1|r0|unstable)/publicRooms$ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/joined_members$ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/context/.*$ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(members|state)$ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/(api/v1|r0|unstable)/login$ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/(api/v1|r0|unstable)/account/3pid$ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/(api/v1|r0|unstable)/keys/(query|changes)$ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/versions$ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/(api/v1|r0|unstable)/voip/turnServer$ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/(api/v1|r0|unstable)/(joined_groups|publicised_groups)$ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/(api/v1|r0|unstable)/publicised_groups/ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/(api/v1|r0|unstable)/(pushrules|groups)/.*$ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/(api/v1|r0|unstable)/groups/.*$ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/(api/v1|r0|unstable)/user/[^/]*/account_data/ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/(api/v1|r0|unstable)/user/[^/]*/rooms/[^/]*/account_data/ {
	m_reverseproxy client_reader;
}
location ^/_matrix/client/(r0|unstable)/register$ { # requests must be routed to the same instance
	m_reverseproxy client_reader_register;
}
location ^/_matrix/client/(r0|unstable)/auth/.*/fallback/web$ { # requests must be routed to the same instance
	m_reverseproxy client_reader_register;
}
# Pagination requests can also be handled, but all requests with the same path room must be routed to the same instance.
# Additionally, care must be taken to ensure that the purge history admin API is not used while pagination requests for the room are in flight
location ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/messages$ {
	m_reverseproxy client_reader_messages;
}

# user_dir
location ^/_matrix/client/(api/v1|r0|unstable)/user_directory/search$ {
	m_reverseproxy user_dir;
}

# frontend_proxy
location ^/_matrix/client/(api/v1|r0|unstable)/keys/upload {
	m_reverseproxy frontend_proxy;
}
# If use_presence is False in the homeserver config, it can also handle REST endpoints matching the following regular expressions:
# location ^/_matrix/client/(api/v1|r0|unstable)/presence/[^/]+/status {
# 	m_reverseproxy frontend_proxy;
# }

# event_creator
location ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/send {
	m_reverseproxy event_creator;
}
location ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/state/ {
	m_reverseproxy event_creator;
}
location ^/_matrix/client/(api/v1|r0|unstable)/rooms/.*/(join|invite|leave|ban|unban|kick)$ {
	m_reverseproxy event_creator;
}
location ^/_matrix/client/(api/v1|r0|unstable)/join/ {
	m_reverseproxy event_creator;
}
location ^/_matrix/client/(api/v1|r0|unstable)/profile/ {
	m_reverseproxy event_creator;
}

## robots.conf
# snippets/robots.conf

location ^~ /robots.txt {
	alias /usr/share/nginx/html/robots.txt;
}

## ssl-dmnd.sh.conf
# snippets/ssl-dmnd.sh.conf

include snippets/ssl-params.conf;
# include /etc/letsencrypt/options-ssl-nginx.conf;

ssl_certificate /etc/letsencrypt/live/dmnd.sh/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dmnd.sh/privkey.pem;
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
ssl_trusted_certificate /etc/letsencrypt/live/dmnd.sh/chain.pem;

location ~ /.well-known {
	root /usr/share/nginx/html/;
	allow all;
	add_header 'Access-Control-Allow-Origin' '*';
	# location ^~ /.well-known/acme-challenge/ {
	#	root /usr/share/nginx/html/.well-known/acme-challenge/;
	# }
}


## ssl-params.conf
# snippets/ssl-params.conf

# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 67.207.67.3 67.207.67.2 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Content-Type-Options nosniff;

#ssl_dhparam /etc/ssl/certs/dhparam.pem;

## ssl-redirect.conf
# sites-available/ssl-redirect.conf

server {
	listen 80;
	listen [::]:80;
	server_name dmnd.sh www.dmnd.sh chat.dmnd.sh status.dmnd.sh docs.dmnd.sh jitsi.dmnd.sh dimension.dmnd.sh blog.dmnd.sh phantom.dmnd.sh l10n.dmnd.sh streaming.dmnd.sh syn.ci www.syn.ci ws.syn.ci;

	if ($host = dmnd.sh) {
		return 301 https://dmnd.sh$request_uri;
	} # managed by Certbot

	if ($host = www.dmnd.sh) {
		return 301 https://dmnd.sh$request_uri;
	} # managed by Certbot

	if ($host = jitsi.dmnd.sh) {
		return 301 https://jitsi.dmnd.sh$request_uri;
	} # managed by Certbot

	if ($host = docs.dmnd.sh) {
		return 301 https://docs.dmnd.sh$request_uri;
	} # managed by Certbot

	if ($host = status.dmnd.sh) {
		return 301 https://status.dmnd.sh$request_uri;
	} # managed by Certbot

	if ($host = chat.dmnd.sh) {
		return 301 https://chat.dmnd.sh$request_uri;
	} # managed by Certbot

	if ($host = dimension.dmnd.sh) {
		return 301 https://dimension.dmnd.sh$request_uri;
	} # managed by Certbot

	if ($host = blog.dmnd.sh) {
		return 301 https://blog.dmnd.sh$request_uri;
	} # managed by Certbot

	if ($host = phantom.dmnd.sh) {
		return 301 https://phantom.dmnd.sh$request_uri;
	} # managed by Certbot

	if ($host = l10n.dmnd.sh) {
		return 301 https://l10n.dmnd.sh$request_uri;
	} # managed by Certbot

	if ($host = streaming.dmnd.sh) {
		return 301 https://streaming.dmnd.sh$request_uri;
	} # managed by Certbot

	if ($host = syn.ci) {
		return 301 https://syn.ci$request_uri;
	} # managed by Certbot

	if ($host = www.syn.ci) {
		return 301 https://syn.ci$request_uri;
	} # managed by Certbot

	if ($host = ws.syn.ci) {
		return 301 https://ws.syn.ci$request_uri;
	} # managed by Certbot


	return 403;
}

## streaming.dmnd.sh.conf
map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
}

upstream streaming {
        server localhost:8823;
}

server {
	listen [::]:443 ssl;
	listen 443 ssl;
	server_name streaming.dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	root /var/www/streaming/;

	location / {
		index player.html;
		# try_files $uri/player.html $uri.html $uri/ $uri =404;

	}

	location ~ /(admin|api|live|static)/* {
		proxy_pass  http://streaming;
		proxy_http_version  1.1;
		proxy_set_header  Upgrade $http_upgrade;
		proxy_set_header  Connection  $connection_upgrade;
		proxy_set_header  Host  $host;
		proxy_set_header  X-Forwarded-For $remote_addr;
	}
}


## syn.ci.conf
# sites-available/syn.ci.conf

server {
	listen [::]:443 ssl;
	listen 443 ssl;
	server_name www.syn.ci syn.ci;

	include snippets/ssl-dmnd.sh.conf;

	location / {
		proxy_redirect  off;
		proxy_set_header  Host  $host;
		proxy_set_header  X-Forwarded-For $remote_addr;
		proxy_pass  http://localhost:8096;
	}

	location /images {
		rewrite ^/images/(.*)$ /esm-bundled/images/$1 last;
	}
}


## ws.syn.ci.conf
# sites-available/ws.syn.ci.conf


map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
}

upstream synci-backend {
	server 127.0.0.1:9090;
}

server {
	listen [::]:443 ssl;
	listen 443 ssl;
	server_name ws.syn.ci;

	include snippets/ssl-dmnd.sh.conf;

	location / {
		proxy_pass https://synci-backend;
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection $connection_upgrade;
	}
}
	# site-available/blog.dmnd.sh.conf

	server {
	listen [::]:443 ssl;
	listen 443 ssl;
	server_name blog.dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	location / {
	proxy_set_header X-Forwarded-For $remote_addr;
	proxy_pass http://localhost:4000;
	}
	}
	# sites-available/chat.dmnd.sh.conf

	server {
	# Simple configuration for serving Riot
	server_name chat.dmnd.sh;
	listen 443 ssl;
	listen [::]:443 ssl;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	root /var/www/riot/;

	location / {
	try_files $uri/index.html $uri $uri/=404;
	error_page 404 /404.html;
	error_page 500 502 503 504 /500.html;
	}

	location ~ ^/(static\|register) {
	proxy_pass http://localhost:5000;
	}

	location /token {
	proxy_pass http://localhost:5000;
	}
	}
	# sites-available/deny-all.conf

	server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;

	return 444;
	}

	server {
	listen 443 default_server;
	listen [::]:443 default_server;
	server_name _;

	ssl_certificate /etc/letsencrypt/live/dmnd.sh/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/dmnd.sh/privkey.pem;

	return 444;
	}
	# sites-available/dimension.dmnd.sh.conf

	server {
	listen [::]:443 ssl;
	listen 443 ssl;
	server_name dimension.dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	location / {
	# f ($request_method = 'OPTIONS') {
	# add_header 'Access-Control-Max-Age' 1728000;
	# add_header 'Content-Type' 'text/plain charset=UTF-8';
	# add_header 'Content-Length' 0;
	# return 204;
	# }

	# allow all;
	# add_header 'Access-Control-Allow-Origin' '*';
	proxy_set_header X-Forwarded-For $remote_addr;
	proxy_pass http://localhost:8184;
	}
	}

	# some clients have port 8448 still cached and to help them we keep this
	server {
	listen 8448 ssl;
	listen [::]:8448 ssl;
	server_name dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;


	location / {
	proxy_pass https://dmnd.sh:443;
	proxy_set_header X-Forwarded-For $remote_addr;
	# rewrite ^/?(.*) https://dmnd.sh/$1 permanent;
	}
	}
	# sites-available/dmnd.sh.conf

	map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
	}

	upstream maubot {
	server localhost:29316;
	}

	include snippets/matrix-workers-loadbalancing.conf;

	server {
	listen [::]:443 ssl;
	listen 443 ssl;
	server_name dmnd.sh www.dmnd.sh status.dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	index index.htm index.html;

	if ($host != dmnd.sh) {
	return 307 https://dmnd.sh$request_uri;
	}

	# homepage
	location / {
	root /home/travis/www/dist;

	rewrite ^/(.)\.html(\?.)?$ /$1$2 permanent;
	rewrite ^/(.*)/$ /$1 permanent;

	index index.html;

	try_files $uri/index.html $uri.html $uri/ $uri =404;
	error_page 404 /404.html;
	error_page 500 502 503 504 /500.html;
	}

	location /register {
	types {}
	default_type text/html;
	alias /home/travis/www/dist/register.html;

	# if ($request_method = GET) {
	# if ($request_uri ~* "^/register\.html(\?.)?(#.)?$") {
	rewrite ^(/.)\.html(\?.)?$ $1$2 permanent;
	rewrite ^/(.*)/$ /$1 permanent;
	# }

	# index register.html;
	# try_files register.html $uri.html $uri/ $uri =404;

	if ($request_method = POST ) {
	proxy_pass http://localhost:5000;
	}

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Host $server_name;
	}

	location /files {
	autoindex on;
	autoindex_exact_size off;
	auth_basic "Restricted Content";
	auth_basic_user_file /etc/nginx/.htpasswd;
	}

	# matrix-registration
	location /token {
	proxy_pass http://localhost:5000;
	proxy_set_header X-Forwarded-For $remote_addr;
	}

	location ~ /test-token(.*)$ {
	rewrite ^ /token$1?$args break;
	proxy_pass http://localhost:5001;
	proxy_set_header X-Forwarded-For $remote_addr;
	}

	location ~ /test-register(.*)$ {
	rewrite ^ /register$1?$args break;
	proxy_pass http://localhost:5001;
	proxy_set_header X-Forwarded-For $remote_addr;
	}

	location /static {
	proxy_pass http://localhost:5001;
	proxy_set_header X-Forwarded-For $remote_addr;
	}

	# matrix
	location /_matrix {
	proxy_pass http://localhost:8008;
	proxy_set_header X-Forwarded-For $remote_addr;
	}

	include snippets/matrix-workers.conf;

	# matrix-appservices
	location /_matrix/appservice-slack {
	proxy_pass http://localhost:9899;
	proxy_set_header X-Forwarded-For $remote_addr;
	}

	location /_matrix/appservice-webhook {
	rewrite /_matrix/appservice-webhook/(.*) /$1 break;
	proxy_pass http://localhost:9000;
	proxy_set_header X-Forwarded-For $remote_addr;
	}

	location /_matrix/appservice-telegram {
	proxy_pass http://localhost:8123;
	proxy_redirect off;

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

	client_max_body_size 1m;
	client_body_buffer_size 128k;

	proxy_connect_timeout 90;
	proxy_send_timeout 90;
	proxy_read_timeout 90;

	proxy_buffer_size 4k;
	proxy_buffers 4 32k;
	proxy_busy_buffers_size 64k;
	proxy_temp_file_write_size 64k;
	}

	location /_matrix/webhook-gitlab {
	proxy_pass http://localhost:29313;
	proxy_set_header X-Forwarded-For $remote_addr;
	}

	location /_matrix/maubot {
	proxy_redirect off;

	proxy_pass http://maubot;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $connection_upgrade;

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}

	location = /stickers {
	return 301 /stickers/;
	}

	location /stickers/ {
	proxy_pass http://localhost:8082/;

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}

	location /lag {
	proxy_pass http://localhost:8080;
	proxy_redirect off;

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}

	# sync stuff
	location /radicale/ { # The trailing / is important!
	proxy_pass http://localhost:5232/; # The trailing / is important!
	proxy_set_header X-Script-Name /radicale;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_pass_header Authorization;
	}

	# games
	location = /minecraft/map {
	return 307 /minecraft/map/;
	}

	location = /minecraft/map/ {
	return 307 https://dmnd.sh/minecraft/map/index.html;
	}

	location /minecraft/map/ {
	rewrite /minecraft/map/(.*) /$1 break;
	proxy_pass http://localhost:8777;
	proxy_set_header X-Forwarded-For $remote_addr;
	proxy_set_header Host $host;
	proxy_cache map;
	proxy_cache_key "$host$uri";
	proxy_cache_valid 200 302 60m;
	proxy_cache_valid 404 10m;
	proxy_cache_use_stale error timeout invalid_header updating http_500 http_503 http_504;
	proxy_connect_timeout 10;
	}

	# redirect to services
	location ^~ /jitsi {
	rewrite ^/jitsi/?(.*) https://jitsi.dmnd.sh/$1 permanent;
	}

	location ^~ /etherpad {
	rewrite ^/etherpad/?(.*) https://docs.dmnd.sh/$1 permanent;
	}

	location ^~ /dimension {
	rewrite ^/dimension/?(.*) https://dimension.dmnd.sh/$1 permanent;
	}
	}

	# some clients have port 8448 still cached and to help them we keep this
	server {
	listen 8448 ssl;
	listen [::]:8448 ssl;
	server_name dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	location ^~ / {
	rewrite ^/?(.*) https://dmnd.sh/$1 permanent;
	}

	location /_matrix {
	proxy_pass http://localhost:8008;
	proxy_set_header X-Forwarded-For $remote_addr;
	}

	include snippets/matrix-workers.conf;
	}
	# sites-available/docs.dmnd.sh.conf

	map $http_upgrade $connection_upgrade {
	default upgrade;
	'' close;
	}

	upstream etherpad-lite {
	server 127.0.0.1:9001;
	}

	server {
	listen [::]:443 ssl;
	listen 443 ssl;
	server_name docs.dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	# Allow normal files to pass through
	location ~ ^/(locales/\|locales.json\|admin/\|static/\|pluginfw/\|javascripts/\|socket.io/\|ep/\|minified/\|api/\|ro/\|error/\|jserror/\|favicon.ico\|robots.txt) {
	proxy_buffering off;
	proxy_pass http://etherpad-lite;
	}

	# Redirect to force /p/* URLs to the friendly version
	location /p/ {
	rewrite ^/p/(.*) /$1 redirect;
	}

	# Match the home page
	location ~ ^/$ {
	proxy_buffering off;
	proxy_pass http://etherpad-lite;
	}

	# Handle pad URLs here
	location / {
	proxy_buffering off;
	proxy_set_header Host $host;
	proxy_pass http://etherpad-lite/p/;

	proxy_redirect / /p/;
	proxy_pass_header Server;

	# headers
	proxy_set_header X-Real-IP $remote_addr; # http://wiki.nginx.org/HttpProxyModule
	proxy_set_header X-Forwarded-For $remote_addr; # EP logs to show the actual remote IP
	proxy_set_header X-Forwarded-Proto $scheme; # for EP to set secure cookie flag when https is used
	proxy_set_header Host $host; # pass the host header
	proxy_http_version 1.1; # recommended with keepalive connections
	# WebSocket proxying - from http://nginx.org/en/docs/http/websocket.html
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $connection_upgrade;
	}
	}
	# sites-available/jitsi.dmnd.sh.conf

	server {
	listen [::]:443 ssl http2;
	listen 443 ssl http2;
	server_name jitsi.dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	root /usr/share/jitsi-meet;
	index index.html index.htm;
	error_page 404 /static/404.html;

	location /config.js {
	alias /etc/jitsi/meet/jitsi.dmnd.sh-config.js;
	}

	location ~ ^/(?!(http-bind\|external_api\.\|xmpp-websocket))([a-zA-Z0-9=_äÄöÖüÜß\?\-]+)$ {
	rewrite ^/(.*)$ / break;
	}

	location / {
	ssi on;
	}

	# Backward compatibility
	location ~ /external_api.* {
	root /usr/share/jitsi-meet/libs;
	}

	# BOSH
	location /http-bind {
	proxy_pass http://localhost:5280/http-bind;
	proxy_set_header X-Forwarded-For $remote_addr;
	proxy_set_header Host $http_host;
	}

	# xmpp websockets
	location /xmpp-websocket {
	proxy_pass http://localhost:5280;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_set_header Host $host;
	tcp_nodelay on;
	}
	}
	# sites-available/l10n.dmnd.sh.conf

	server {
	listen [::]:443 ssl;
	listen 443 ssl;
	server_name l10n.dmnd.sh;

	include snippets/ssl-dmnd.sh.conf;
	include snippets/robots.conf;

	# Not used
	root /var/www/html;

	location ~ ^/favicon.ico$ {
	# DATA_DIR/static/favicon.ico
	alias /opt/weblate/lib/python3.7/site-packages/data/static/favicon.ico;
	expires 30d;
	}

	location /static/ {
	# DATA_DIR/static/
	alias /opt/weblate/lib/python3.7/site-packages/data/static/;
	expires 30d;
	}

	location /media/ {
	# DATA_DIR/media/
	alias /opt/weblate/lib/python3.7/site-packages/data/media/;
	expires 30d;
	}

	location / {
	include uwsgi_params;
	# Needed for long running operations in admin interface
	uwsgi_read_timeout 3600;
	# Adjust based to uwsgi configuration:
	# uwsgi_pass unix:///run/uwsgi/app/weblate/socket;
	uwsgi_pass 127.0.0.1:8077;
	}
	}
	# snippets/matrix-workers-loadbalancing.conf

	upstream synchrotron {
	server localhost:8002;
	}

	upstream federation_reader {
	server localhost:8003;
	}

	# must only be handled by a single instance.
	upstream federation_reader_send {
	server localhost:8003;
	}

	# must only be handled by a single instance.
	upstream media_repository {
	server localhost:8004;
	}

	upstream client_reader {
	server localhost:8005;
	}

	# must only be handled by a single instance.
	upstream client_reader_register {
	server localhost:8005;
	}

	# all requests with the same path room must be routed to the same instance
	upstream client_reader_messages {
	hash $request_uri consistent;
	server localhost:8005;
	}

	upstream user_dir {
	server localhost:8006;
	}

	upstream frontend_proxy {
	server localhost:8007;
	}

	upstream event_creator {
	server localhost:8009;
	}
	# snippets/pre-matrix-workers.conf

	# nginx-conf -i pre-matrix-workers.conf -o matrix-workers.conf
	# https://dev.yorhel.nl/nginx-confgen

	macro m_reverseproxy $location {
	proxy_pass http://$location;
	proxy_set_header X-Forwarded-For $remote_addr;
	}

	# synchrotron
	location ^/_matrix/client/(v2_alpha\|r0)/sync$ {
	m_reverseproxy synchrotron;
	}
	location ^/_matrix/client/(api/v1\|v2_alpha\|r0)/events$ {
	m_reverseproxy synchrotron;
	}
	location ^/_matrix/client/(api/v1\|r0)/initialSync$ {
	m_reverseproxy synchrotron;
	}
	location ^/_matrix/client/(api/v1\|r0)/rooms/[^/]+/initialSync$ {
	m_reverseproxy synchrotron;
	}

	# federation_reader
	location ^/_matrix/federation/v1/(event\|state\|state_ids\|backfill\|get_missing_events\|publicRooms\|query\|make_join\|make_leave\|send_join\|send_leave\|invite\|query_auth\|event\|auth\|exchange_third_party_invite\|user/devices)/ {
	m_reverseproxy federation_reader;
	}
	location ^/_matrix/federation/v2/(send_join\|send_leave\|invite)/ {
	m_reverseproxy federation_reader;
	}
	location ^/_matrix/key/v2/query {
	m_reverseproxy federation_reader;
	}
	location ^/_matrix/federation/v1/get_groups_publicised$ {
	m_reverseproxy federation_reader;
	}
	location ^/_matrix/federation/v1/send/ { # must only be handled by a single instance.
	m_reverseproxy federation_reader_send;
	}
	location ^/_matrix/federation/v1/groups/ {
	m_reverseproxy federation_reader;
	}

	# media_repository
	location /_matrix/media/ {
	client_max_body_size 1024M;
	m_reverseproxy media_repository;
	}
	location ^/_synapse/admin/v1/purge_media_cache$ {
	m_reverseproxy media_repository;
	}
	location ^/_synapse/admin/v1/(room\|user)/./media.$ {
	m_reverseproxy media_repository;
	}
	location ^/_synapse/admin/v1/(media\|quarantine_media)/.*$ {
	m_reverseproxy media_repository;
	}

	# client_reader
	location ^/_matrix/client/(api/v1\|r0\|unstable)/publicRooms$ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/rooms/.*/joined_members$ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/rooms/./context/.$ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/rooms/.*/(members\|state)$ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/login$ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/account/3pid$ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/keys/(query\|changes)$ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/versions$ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/voip/turnServer$ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/(joined_groups\|publicised_groups)$ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/publicised_groups/ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/(pushrules\|groups)/.*$ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/groups/.*$ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/user/[^/]*/account_data/ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/user/[^/]/rooms/[^/]/account_data/ {
	m_reverseproxy client_reader;
	}
	location ^/_matrix/client/(r0\|unstable)/register$ { # requests must be routed to the same instance
	m_reverseproxy client_reader_register;
	}
	location ^/_matrix/client/(r0\|unstable)/auth/.*/fallback/web$ { # requests must be routed to the same instance
	m_reverseproxy client_reader_register;
	}
	# Pagination requests can also be handled, but all requests with the same path room must be routed to the same instance.
	# Additionally, care must be taken to ensure that the purge history admin API is not used while pagination requests for the room are in flight
	location ^/_matrix/client/(api/v1\|r0\|unstable)/rooms/.*/messages$ {
	m_reverseproxy client_reader_messages;
	}

	# user_dir
	location ^/_matrix/client/(api/v1\|r0\|unstable)/user_directory/search$ {
	m_reverseproxy user_dir;
	}

	# frontend_proxy
	location ^/_matrix/client/(api/v1\|r0\|unstable)/keys/upload {
	m_reverseproxy frontend_proxy;
	}
	# If use_presence is False in the homeserver config, it can also handle REST endpoints matching the following regular expressions:
	# location ^/_matrix/client/(api/v1\|r0\|unstable)/presence/[^/]+/status {
	# m_reverseproxy frontend_proxy;
	# }

	# event_creator
	location ^/_matrix/client/(api/v1\|r0\|unstable)/rooms/.*/send {
	m_reverseproxy event_creator;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/rooms/.*/state/ {
	m_reverseproxy event_creator;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/rooms/.*/(join\|invite\|leave\|ban\|unban\|kick)$ {
	m_reverseproxy event_creator;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/join/ {
	m_reverseproxy event_creator;
	}
	location ^/_matrix/client/(api/v1\|r0\|unstable)/profile/ {
	m_reverseproxy event_creator;
	}