# The HTTP (not SSL) server.

server {
	listen 80;
	listen [::]:80 default_server ipv6only=on;

	server_name $PUBLIC_HOSTNAME;

	# We'll expose this directory publicly over http.
	root $STORAGE_ROOT/www/static;

	index index.html index.htm;
	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ /index.html;
	}
	
	# Convenience redirect to https.
	rewrite ^/mail(/.*)?$ https://$PUBLIC_HOSTNAME/mail$1 permanent;
}

# The secure HTTPS server.

server {
	listen 443 ssl;

	server_name $PUBLIC_HOSTNAME;

	ssl_certificate $STORAGE_ROOT/ssl/ssl_certificate.pem;
	ssl_certificate_key $STORAGE_ROOT/ssl/ssl_private_key.pem;

	# SSL configuration by @konklone at https://gist.github.com/konklone/6532544
	# 1) prefer certain ciphersuites, to enforce Perfect Forward Secrecy and avoid known vulnerabilities. http://ggramaize.wordpress.com/2013/08/02/tls-perfect-forward-secrecy-support-with-apache/ and https://www.ssllabs.com/ssltest/analyze.html
	ssl_prefer_server_ciphers on;
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA:AES256-GCM-SHA384:AES256-SHA256:CAMELLIA256-SHA:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA;
	# 2) turn on session resumption, using a 10 min cache shared across nginx processes, as recommended by http://nginx.org/en/docs/http/configuring_https_servers.html
	ssl_session_cache   shared:SSL:10m;
	ssl_session_timeout 10m;
	keepalive_timeout   70;	

	# We'll expose the same static directory under https.
	root $STORAGE_ROOT/www/static;

	index index.html index.htm;

	# Roundcube Webmail configuration.
	rewrite ^/mail$ /mail/ redirect;
	rewrite ^/mail/$ /mail/index.php;
	location /mail/ {
		index index.php;
		alias /var/lib/roundcube/;
	}
	location ~ /mail/.*\.php {
		include fastcgi_params;
		fastcgi_split_path_info ^/mail(/.*)()$;
		fastcgi_index index.php;
		fastcgi_param SCRIPT_FILENAME /var/lib/roundcube/$fastcgi_script_name;
		fastcgi_pass unix:/tmp/php-fastcgi.www-data.sock;
		client_max_body_size 20M;
	}

}