cl-deck-builder2/doc/web/nginx/deck-builder-tls

server {
	listen [::]:443 default_server ssl;
	listen 443 default_server ssl;

	server_name phntsm.ddns.net;

	ssl_certificate     "/etc/ssl/nginx/phntsm.ddns.net.crt";
	ssl_certificate_key "/etc/ssl/nginx/phntsm.ddns.net.key";
	ssl_dhparam         "/etc/ssl/nginx/phntsm.ddns.net.dhparam";

	ssl_session_timeout 5m;
	ssl_protocols TLSv1.2;
	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
	ssl_session_cache shared:SSL:50m;
	ssl_prefer_server_ciphers on;

	root /var/www/html;
	index index.html;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		# try_files $uri $uri/ =404;

		set_real_ip_from unix:;
		real_ip_header X-Forwarded-For;
		real_ip_recursive on;

		client_max_body_size 8m;
		#auth_basic "Restricted Content";
		#auth_basic_user_file /etc/nginx/.htpasswd;

		proxy_read_timeout    300;
		proxy_connect_timeout 300;
		proxy_send_timeout    300;
		fastcgi_read_timeout  300;

		proxy_pass http://127.0.0.1:5005;
		include /etc/nginx/fastcgi_params;
		include /etc/nginx/proxy_params;
	}

	# /~user web directories
	location ~ ^/~(.+?)(/.*)?$ {
		alias /home/$1/www$2;
		index index.html index.htm;
		autoindex on;
	}

	#	location /_/static/assets/ {
	#		alias /home/git/public/;
	#	}

	location /git/ {
		auth_basic "Restricted Content";
		auth_basic_user_file /etc/nginx/.htpasswd;

		proxy_read_timeout    300;
		proxy_connect_timeout 300;
		proxy_send_timeout    300;
		fastcgi_read_timeout  300;

		client_max_body_size 512M;
		# make nginx use unescaped URI, keep "%2F" as is
		rewrite ^ $request_uri;
		rewrite ^/git(/.*) $1 break;
		proxy_pass http://127.0.0.1:3000$uri;
		include /etc/nginx/fastcgi_params;
		include /etc/nginx/proxy_params;
	}

	location ~ /collectd/ {
		gzip off;
		root /home/user/code/alpine-collectd-web;

		auth_basic "Restricted Content";
		auth_basic_user_file /etc/nginx/.htpasswd;

		proxy_read_timeout    300;
		proxy_connect_timeout 300;
		proxy_send_timeout    300;
		fastcgi_read_timeout  300;

		#proxy_http_version 1.1;
		rewrite ^/collectd/(.*) /$1 break;
		proxy_pass http://127.0.0.1:8888;
	}

	location ~ /psy/ {
		auth_basic "Restricted Content";
		auth_basic_user_file /etc/nginx/.htpasswd;

		proxy_read_timeout    300;
		proxy_connect_timeout 300;
		proxy_send_timeout    300;
		fastcgi_read_timeout  300;

		#proxy_http_version 1.1;
		# rewrite ^/psy/(.*) /$1 break;
		include /etc/nginx/proxy_params;
		proxy_pass http://127.0.0.1:9292;
	}

	#	location ~ \.php$ {
	#		include /etc/nginx/fastcgi_params;
	#		include /etc/nginx/proxy_params;
	#		fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
	#		# fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
	#		fastcgi_pass   unix:/var/run/php/php-fpm.sock;
	#	}

	#	location ~ /phpmyadmin/ {
	#		auth_basic "Restricted Content";
	#		auth_basic_user_file /etc/nginx/.htpasswd;
	#		index index.php;
	#	}

	location ~ /\.ht {
		deny all;
	}

}