server {
  listen *:8443 http2 ssl;
  ssl on;

  ssl_certificate /etc/letsencrypt/live/{{ domainname }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ domainname }}/privkey.pem;
  ssl_session_timeout 5m;

  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
  ssl_prefer_server_ciphers on;
  add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

  # Add headers to serve security related headers
  # Before enabling Strict-Transport-Security headers please read into this
  # topic first.
  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
  
  # WARNING: Only add the preload option once you read about
  # the consequences in https://hstspreload.org/. This option
  # will add the domain to a hardcoded list that is shipped
  # in all major browsers and getting removed from this list
  # could take several months.
  add_header Referrer-Policy "no-referrer" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header X-Download-Options "noopen" always;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-Permitted-Cross-Domain-Policies "none" always;
  add_header X-Robots-Tag "none" always;
  add_header X-XSS-Protection "1; mode=block" always;

  # Remove X-Powered-By, which is an information leak
  fastcgi_hide_header X-Powered-By;

  gzip_types text/plain text/css application/json application/x-javascript
       text/xml application/xml application/xml+rss text/javascript;

  server_name {{ domainname }};

 # static files
 location ^~ /browser {
   proxy_pass http://127.0.0.1:9980;
   proxy_set_header Host $http_host;
 }

 # WOPI discovery URL
 location ^~ /hosting/discovery {
   proxy_pass http://127.0.0.1:9980;
   proxy_set_header Host $http_host;
 }

 # Capabilities
 location ^~ /hosting/capabilities {
   proxy_pass http://127.0.0.1:9980;
   proxy_set_header Host $http_host;
 }

 # main websocket
 location ~ ^/cool/(.*)/ws$ {
   proxy_pass http://127.0.0.1:9980;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "Upgrade";
   proxy_set_header Host $http_host;
   proxy_read_timeout 36000s;
 }

 # download, presentation and image upload
 location ~ ^/(c|l)ool {
   proxy_pass http://127.0.0.1:9980;
   proxy_set_header Host $http_host;
 }

 # Admin Console websocket
 location ^~ /cool/adminws {
   proxy_pass http://127.0.0.1:9980;
   proxy_set_header Upgrade $http_upgrade;
   proxy_set_header Connection "Upgrade";
   proxy_set_header Host $http_host;
   proxy_read_timeout 36000s;
 }
}