# Allnet
server {
	listen 80;
	server_name naominet.jp;
	
	location / {
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass_request_headers on;
		proxy_pass http://localhost:8000/;
	}
}

# Non-SSL titles
server {
	listen 80;
	server_name your.hostname.here;

	location / {
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass_request_headers on;
		proxy_pass http://localhost:8080/;
	}
}

# SSL titles, comment out if you don't plan on accepting SSL titles
server {
	listen 443 ssl;
	server_name your.hostname.here;

	ssl_certificate /path/to/cert/title.crt;
	ssl_certificate_key /path/to/cert/title.key;
	ssl_session_timeout 1d;
	ssl_session_cache shared:MozSSL:10m;
	ssl_session_tickets off;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	ssl_ciphers "ALL:@SECLEVEL=0";
	ssl_prefer_server_ciphers off;

	location / {
		proxy_pass http://localhost:8080/;
	}
}

# Billing
server {
	listen 8443 ssl;	
	server_name ib.naominet.jp;
	
	ssl_certificate /path/to/cert/server.pem;
	ssl_certificate_key /path/to/cert/server.key;
	ssl_session_timeout 1d;
	ssl_session_cache shared:MozSSL:10m;
	ssl_session_tickets off;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	ssl_ciphers "ALL:@SECLEVEL=0";
	ssl_prefer_server_ciphers off;

	location / {
		proxy_pass http://localhost:8444/;
	}
}

# Pokken, comment this out if you don't plan on serving pokken.
server {
	listen 443 ssl;	
	server_name pokken.hostname.here;
	
	ssl_certificate /path/to/cert/pokken.pem;
	ssl_certificate_key /path/to/cert/pokken.key;
	ssl_session_timeout 1d;
	ssl_session_cache shared:MozSSL:10m;
	ssl_session_tickets off;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	ssl_ciphers "ALL:@SECLEVEL=0";
	ssl_prefer_server_ciphers off;

	location / {
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass_request_headers on;
		proxy_pass http://localhost:8080/;
	}
}

# Frontend, set to redirect to HTTPS. Comment out if you don't intend to use the frontend
server {
    listen 80;
	server_name frontend.hostname.here

    location / {
        return 301 https://$host$request_uri;
		# If you don't want https redirection, comment the line above and uncomment the line below
		# proxy_pass http://localhost:8090/;
    }
}

# Frontend HTTPS. Comment out if you on't intend to use the frontend
server {
    listen 443 ssl;
	server_name frontend.hostname.here;

    ssl_certificate /path/to/cert/frontend.pem;
	ssl_certificate_key /path/to/cert/frontend.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

	location / {
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass_request_headers on;
		proxy_pass http://localhost:8090/;
	}
}