@@ -1,6 +1,7 @@

 user www-data;

-worker_processes 1;

+worker_processes auto;

 pid /run/nginx.pid;

+include /etc/nginx/modules-enabled/*.conf;

 events {

 	worker_connections 768;

@@ -15,13 +16,11 @@ http {

 	sendfile on;

 	tcp_nopush on;

-	tcp_nodelay on;

-	keepalive_timeout 65;

 	types_hash_max_size 2048;

-	server_tokens off;

+	# server_tokens off;

 	# server_names_hash_bucket_size 64;

-	 server_name_in_redirect off;

+	# server_name_in_redirect off;

 	include /etc/nginx/mime.types;

 	default_type application/octet-stream;

@@ -30,19 +29,8 @@ http {

 	# SSL Settings

 	##

+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE

 	ssl_prefer_server_ciphers on;

-        ssl_certificate ssl_keys/default.pem;

-        ssl_certificate_key ssl_keys/default.key;

-        #ssl_dhparam ssl_keys/dhparam-1024.pem;

-        ssl_dhparam /etc/ssl/private/dhparams.pem;

-        ssl_session_timeout 5m;

-        ssl_session_cache shared:SSL:10m;

-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE

-        # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

-        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

-#        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:HIGH:!aNULL;

-

-        add_header Strict-Transport-Security "max-age=15768000; includeSubdomains;";

 	##

 	# Logging Settings

@@ -56,14 +44,13 @@ http {

 	##

 	gzip on;

-	gzip_disable "msie6";

-	gzip_vary on;

-	gzip_proxied any;

-	gzip_comp_level 6;

-	gzip_buffers 16 8k;

-	gzip_http_version 1.1;

-	gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

+	# gzip_vary on;

+	# gzip_proxied any;

+	# gzip_comp_level 6;

+	# gzip_buffers 16 8k;

+	# gzip_http_version 1.1;

+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

 	##

 	# Virtual Host Configs

@@ -74,3 +61,23 @@ http {

 }

+#mail {

+#	# See sample authentication script at:

+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript

+#

+#	# auth_http localhost/auth.php;

+#	# pop3_capabilities "TOP" "USER";

+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";

+#

+#	server {

+#		listen     localhost:110;

+#		protocol   pop3;

+#		proxy      on;

+#	}

+#

+#	server {

+#		listen     localhost:143;

+#		protocol   imap;

+#		proxy      on;

+#	}

+#}

@@ -0,0 +1,71 @@

+server {

+	listen         80;

+	server_name    paris12.pcf.fr;

+

+	access_log off;

+

+    location ~ /\.well-known/acme-challenge {

+        allow all;

+        default_type "text/plain";

+        root /var/www/grav;

+    }

+

+    location / {

+        return 301 https://$host$request_uri;

+    }

+}

+

+server {

+	listen 443 ssl;

+	server_name paris12.pcf.fr;

+	root /var/www/grav;

+    index index.html index.php;

+

+	access_log off;

+	error_log /var/log/nginx/grav/error.log;

+

+	ssl_certificate /etc/letsencrypt/live/paris12.pcf.fr/fullchain.pem;

+	ssl_certificate_key /etc/letsencrypt/live/paris12.pcf.fr/privkey.pem;

+

+    location ^~ /\.well-known/acme-challenge {

+        allow all;

+        default_type "text/plain";

+    }

+

+    location ^~ /cgi-bin/mailman/admin/ {

+        return 301 https://listes.pcf.fr$request_uri;

+    }

+

+    location / {

+        try_files $uri $uri/ /index.php?$query_string;

+    }

+

+    # deny all direct access for these folders

+    location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }

+

+    # deny running scripts inside core system folders

+    location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }

+

+    # deny running scripts inside user folder

+    location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }

+

+    # deny access to specific files in the root folder

+    location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }

+

+    location ~ \.php$ {

+        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;

+

+        fastcgi_split_path_info ^(.+\.php)(/.+)$;

+        fastcgi_index index.php;

+        include fastcgi_params;

+        fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;

+    }

+

+    location ~* /logements-(e|%C3%A9|é)tudiants-jc {

+        rewrite ^.* https://cloud.paris12.pcf.fr/index.php/apps/forms/Pgoe5oGTpwAEFP6F permanent;

+    }

+    location ~* /pr(e|%C3%A9|é)pa-soir(e|%C3%A9|é)e-commission-culture {

+        rewrite ^.* https://cloud.paris12.pcf.fr/index.php/s/H3YPpQsxcAN5555 permanent;

+    }

+}

+

@@ -0,0 +1,126 @@

+server {

+	listen         80;

+	server_name    cloud.paris12.pcf.fr;

+

+    location ~ /\.well-known/acme-challenge {

+        allow all;

+        default_type "text/plain";

+        root /var/www/nextcloud;

+    }

+

+    location / {

+        return 301 https://$host$request_uri;

+    }

+}

+

+server {

+	listen 443 ssl;

+	server_name cloud.paris12.pcf.fr;

+

+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

+

+	root /var/www/nextcloud/;

+

+	access_log off;

+	error_log /var/log/nginx/cloud/error.log;

+

+	client_max_body_size 10G;

+	fastcgi_buffers 64 4K;

+

+    proxy_connect_timeout       1800;

+    proxy_send_timeout          1800;

+    proxy_read_timeout          1800;

+    send_timeout                1800;

+

+	rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;

+	rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;

+	rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;

+

+	index index.php;

+	error_page 403 /core/templates/403.php;

+	error_page 404 /core/templates/404.php;

+

+	ssl_certificate /etc/letsencrypt/live/cloud.paris12.pcf.fr/fullchain.pem;

+	ssl_certificate_key /etc/letsencrypt/live/cloud.paris12.pcf.fr/privkey.pem;

+

+	location = /robots.txt {

+		deny all;

+		log_not_found off;

+		access_log off;

+	}

+

+	location ~ ^/(?:\.htaccess|data|config|db_structure\.xml|README){

+		deny all;

+	}

+

+	location / {

+                # The following 2 rules are only needed with webfinger

+		rewrite ^/.well-known/host-meta /public.php?service=host-meta last;

+		rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;

+

+		rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;

+		rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;

+

+		rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;

+

+		try_files $uri $uri/ /index.php;

+	}

+

+	location ~ \.php(?:$|/) {

+		fastcgi_split_path_info ^(.+\.php)(/.+)$;

+		include fastcgi_params;

+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

+		fastcgi_param PATH_INFO $fastcgi_path_info;

+		fastcgi_param HTTPS on;

+		fastcgi_pass php-handler-cloud;

+        fastcgi_read_timeout 1800;

+	}

+

+    location ^~ /adminprinter {

+	    auth_basic "Halte ! Qui va la ?";

+	    auth_basic_user_file /etc/nginx/htpasswd;

+		proxy_pass https://192.168.1.54/;

+		proxy_http_version 1.1;

+		proxy_set_header Upgrade $http_upgrade;

+		proxy_set_header Connection 'upgrade';

+		proxy_set_header Host $host;

+		proxy_cache_bypass $http_upgrade;

+    }

+

+    location ^~ /adminbdd {

+        root /var/www/;

+	auth_basic "Halte ! Qui va la ?";

+	auth_basic_user_file /etc/nginx/htpasswd;

+        location ~ \.php {

+            fastcgi_split_path_info ^(.+\.php)(/.+)$;

+            include fastcgi_params;

+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;

+            fastcgi_param PATH_INFO $fastcgi_path_info;

+            fastcgi_param HTTPS on;

+            fastcgi_pass php-handler-cloud;

+        }

+    }

+

+	# set long EXPIRES header on static assets

+	location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|css|js|swf)$ {

+		expires 30d;

+		access_log off;

+	}

+

+	location ^~ /cartes-elections {

+		proxy_pass http://127.0.0.1:8080;

+		proxy_http_version 1.1;

+		proxy_set_header Upgrade $http_upgrade;

+		proxy_set_header Connection 'upgrade';

+		proxy_set_header Host $host;

+		proxy_cache_bypass $http_upgrade;

+	}

+

+	location ^~ /images/ {

+		alias /var/www/images/;

+	}

+

+    location ^~ /petitions/logements-etudiants-jc {

+        rewrite ^/petitions/logements-etudiants-jc /index.php/apps/forms/Pgoe5oGTpwAEFP6F permanent;

+    }

+}