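# NOTE(review): several values in this file look like stripped template
# placeholders (empty server_name, ".access.log", "//release/", "upload//").
# They are kept exactly as found and marked with TODO; nginx will not load
# the file until server_name has a value.

# HTTP listener: ACME challenges are served from the included location,
# everything else is redirected to HTTPS.
server {
    listen 80;
    server_name ;   # TODO: <HOSTNAME> missing - server_name needs at least one argument

    charset UTF-8;
    index index.php;

    access_log /var/log/nginx/.access.log main buffer=32k flush=5m;   # TODO: log-name prefix missing
    error_log  /var/log/nginx/.error.log notice;

    include /etc/nginx/conf.d/acme.location;

    location / {
        # The original target was "https://$request_uri", i.e. no host part,
        # which produces "https:///<uri>".
        return 301 https://$host$request_uri;
    }
}

# HTTPS listener serving a Bitrix site (PHP via PHP-FPM on 192.168.33.11)
# plus a small reverse-proxy path.
server {
    listen 443 ssl http2;
    server_name ;   # TODO: <HOSTNAME> missing

    access_log /var/log/nginx/.access.log main buffer=32k flush=5m;   # TODO: log-name prefix missing
    error_log  /var/log/nginx/.error.log notice;

    # Document root of the current release.
    # TODO: deploy-path prefix missing (value starts with "//").
    set $root_path //release/;
    root $root_path;

    ssl_certificate     /etc/letsencrypt/live/test.mspmo.ru.dev.2204535.ru/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test.mspmo.ru.dev.2204535.ru/privkey.pem;
    ssl_dhparam         /etc/ssl/certs/dhparam4096.pem;

    # Without ssl_session_ticket_key nginx generates the ticket key at
    # startup, so forward secrecy for resumed sessions only holds until the
    # next restart. "off" is the usual hardening choice; the shared session
    # cache below still provides resumption.
    ssl_session_tickets on;
    # ssl_stapling on;
    # ssl_stapling_verify on;
    ssl_prefer_server_ciphers on;
    # TLSv1 and TLSv1.1 dropped (deprecated). Add TLSv1.3 once the
    # nginx/OpenSSL build in use supports it.
    ssl_protocols TLSv1.2;
    # The previous list removed 3DES and then re-added RSA+3DES; 3DES, RC4,
    # MD5 and anonymous suites are now excluded outright.
    ssl_ciphers EECDH+AESGCM:EECDH+AES:RSA+AESGCM:RSA+AES:!3DES:!RC4:!MD5:!aNULL:!NULL;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 600s;

    # Whole host is behind basic auth (test/dev instance). The setting is
    # inherited by every location below, including the ACME include, unless
    # that file sets "auth_basic off" - verify.
    auth_basic "Unauthorized";
    auth_basic_user_file /var/www/web/.htpasswd;

    # add_header is NOT inherited into a location that declares its own
    # add_header, so HSTS is repeated in every such location below.
    # The value used to be "max-age=31536000;" (stray ';' inside the value).
    add_header Strict-Transport-Security "max-age=31536000" always;

    charset UTF-8;
    index index.php;

    include /etc/nginx/conf.d/acme.location;

    # Reverse proxy. Prefix match, so "/proxfoo" is caught as well; use
    # "/prox/" if only that path tree is meant.
    location /prox {
        proxy_pass http://192.168.33.11/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Was hard-coded to "http" although this listener is HTTPS, which
        # makes the backend build http:// links and redirects.
        proxy_set_header X-Forwarded-Proto $scheme;

        client_max_body_size 100m;
        client_body_buffer_size 128k;
        client_body_temp_path /var/nginx/client_body_temp;

        proxy_connect_timeout 70;
        proxy_send_timeout 90;
        proxy_read_timeout 90;
        proxy_buffer_size 4k;
        proxy_buffers 4 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
        proxy_temp_path /var/nginx/proxy_temp;
    }

    #
    # block this locations for any installation
    #
    # nginx takes the FIRST matching regex location in order of appearance.
    # These deny/internal rules used to come after "location ~ \.php$", so
    # e.g. /bitrix/modules/<x>.php or /.git/<x>.php matched the PHP handler
    # first and the deny never applied. They now precede all handlers.
    #
    # hidden files and directories
    location ~ /\. {
        deny all;
    }
    # ht(passwd|access)
    location ~* /\.ht {
        deny all;
    }
    # repositories
    location ~* /\.(svn|hg|git) {
        deny all;
    }
    # bitrix internal locations
    location ~* ^/bitrix/(modules|local_cache|stack_cache|managed_cache|php_interface) {
        deny all;
    }
    # upload files (1C exchange directories). This was a regex location,
    # which the "^~ /upload/" prefix location at the end of this server
    # shadows - the deny never applied. A longer "^~" prefix wins the prefix
    # match and is honoured.
    location ^~ /upload/1c_ {
        deny all;
    }
    # use the file system to access files outside the site (cache)
    location ~* /\.\./ {
        deny all;
    }
    location ~* ^/bitrix/html_pages/\.config\.php {
        deny all;
    }
    location ~* ^/bitrix/html_pages/\.enabled {
        deny all;
    }
    # Accept access for merged css and js (must precede the cache deny)
    location ~* ^/bitrix/cache/(css/.+\.css|js/.+\.js)$ {
        expires 30d;
        error_page 404 /404.html;
    }
    # Disable access for other assets in cache location
    location ~* ^/bitrix/cache {
        deny all;
    }

    # Internal locations
    location ^~ /upload/support/not_image {
        internal;
    }

    # Cache location: composite and general site
    location ~* @.*\.html$ {
        internal;
        # disable browser cache, php manage file
        expires -1y;
        add_header X-Bitrix-Composite "Nginx (file)";
        add_header Strict-Transport-Security "max-age=31536000" always;
    }

    # Script-like files under any ".../upload/..." directory are served as
    # text, never executed. Placed before "location ~ \.php$" so it wins
    # the regex race. For URIs starting with /upload/ this regex is never
    # consulted - the "^~ /upload/" prefix location at the end skips regex
    # matching; that location has no fastcgi_pass, so such files are served
    # statically with the http-level type mapping.
    location ~* /upload/.*\.(php|php3|php4|php5|php6|phtml|pl|asp|aspx|cgi|dll|exe|shtm|shtml|fcg|fcgi|fpl|asmx|pht|py|psp|rb|var)$ {
        # First token is the MIME type, the rest are extensions. The stray
        # second "text/plain" token (an extension that can never match) is
        # dropped.
        types {
            text/plain php php3 php4 php5 php6 phtml pl asp aspx cgi dll exe ico shtm shtml fcg fcgi fpl asmx pht py psp rb var;
        }
    }

    # Images: long client cache, no logging.
    location ~* \.(jpeg|jpg|png)$ {
        add_header Vary "Accept";
        add_header Strict-Transport-Security "max-age=31536000" always;
        try_files $uri =404;   # "$uri" was listed twice
        expires 365d;
        access_log off;
    }

    # Other static assets.
    location ~* \.(js|gif|css|tgz|gz|rar|bz2|doc|pdf|ppt|tar|wav|bmp|rtf|swf|ico|flv|txt|woff|woff2|svg)$ {
        expires 30d;
        add_header Pragma "public";
        add_header Cache-Control "public";
        add_header Strict-Transport-Security "max-age=31536000" always;
        access_log off;
    }

    # Front controller: file, then directory, then the Bitrix URL rewriter.
    location / {
        try_files $uri $uri/ @bitrix;
    }

    # PHP is executed by PHP-FPM on the application host; $document_root
    # must resolve to the same path on that host.
    location ~ \.php$ {
        try_files $uri @bitrix;
        fastcgi_pass 192.168.33.11:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location @bitrix {
        fastcgi_pass 192.168.33.11:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/bitrix/urlrewrite.php;
    }

    location ~* /bitrix/admin.+\.php$ {
        try_files $uri @bitrixadm;
        fastcgi_pass 192.168.33.11:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location @bitrixadm {
        fastcgi_pass 192.168.33.11:9000;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root/bitrix/admin/404.php;
    }

    # Named location not referenced anywhere in this file; kept as found.
    location @php {
        try_files $uri =404;
        fastcgi_pass 192.168.33.11:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_ignore_client_abort off;
    }

    # Player options, disable no-sniff
    location ~* ^/bitrix/components/bitrix/player/mediaplayer/player$ {
        add_header Access-Control-Allow-Origin *;
        add_header Strict-Transport-Security "max-age=31536000" always;
    }

    # Static content (the /upload alternative is shadowed by the "^~"
    # location below, which carries its own expires).
    location ~* ^/(upload|bitrix/images|bitrix/tmp) {
        expires 30d;
    }

    # Shared (release-independent) upload directory. "^~" means no regex
    # location in this server is consulted for /upload/... URIs.
    # TODO: path component missing between "web/" and "shared".
    location ^~ /upload/ {
        alias /var/www/web/shared/upload//;
        expires 30d;
        access_log off;
        userid off;
    }
}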