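# Main nginx configuration (Jinja-style template: the {{ ... }} placeholders
# are substituted before nginx reads the file).
# Serves a PHP site from /var/www/html and hands *.php requests to the
# FastCGI backend at site:9000.

user www-data www-data;
worker_processes 1;

error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    charset utf-8;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Trust the client address header only when the connection comes from
    # the gateway. real_ip_header is spelled out (X-Real-IP is already the
    # default) so the trusted header is visible next to the trusted source.
    set_real_ip_from {{ site.subnet_gateway_ip }};
    real_ip_header X-Real-IP;

    # Log $remote_addr, not $http_x_real_ip: the raw header is whatever the
    # client sent, so a request that did not pass through the trusted
    # gateway could write an arbitrary address into the access log.
    # $remote_addr is replaced by the header value only for peers matched
    # by set_real_ip_from. $http_x_forwarded_for stays as an informational,
    # client-controlled field.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 15s;
    types_hash_max_size 2048;
    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;
    # Bound request bodies (size and read timeout).
    client_max_body_size 10M;
    client_body_timeout 60;

    # server_names_hash_bucket_size 64;
    server_name_in_redirect off;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    include /etc/nginx/conf.d/*.conf;

    server {
        # "default_server" is the current spelling of the legacy "default" flag.
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name {{ site.url }} www.{{ site.url }};

        root /var/www/html;
        index index.php;

        # Restrictions
        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # Deny any URI containing "/." (dotfiles and dot-directories).
        location ~ /\. {
            deny all;
        }

        # Built-in 1x1 transparent GIF.
        location = /_.gif {
            expires max;
            empty_gif;
        }

        # Static assets: cache as long as possible, do not log missing files.
        location ~* ^.+\.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|rss|atom|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
            expires max;
            log_not_found off;
        }

        # Never hand a .php file under an upload directory to the backend.
        # This must stay above the generic "\.php$" location: regex
        # locations are tried in order of appearance and the first match wins.
        location ~* /(?:uploads|files)/.*\.php$ {
            deny all;
        }

        # XMLRPC is a great way to bruteforce passwords
        location = /xmlrpc.php {
            deny all;
        }

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            # regex to split $uri to $fastcgi_script_name and $fastcgi_path
            fastcgi_split_path_info ^(.+\.php)(/.+)$;

            # Check that the PHP script exists before passing it
            # Breaks site...
            # try_files $fastcgi_script_name =404;
            #
            # NOTE(review): with this check disabled, nginx forwards any URI
            # ending in ".php" without confirming the script exists, so the
            # backend alone decides which file gets executed. Until the check
            # can be restored, enforce it on the PHP side
            # (cgi.fix_pathinfo=0 in php.ini and
            # security.limit_extensions = .php in the FPM pool).
            # Presumably the check fails because the scripts are not visible
            # on this host's filesystem (the backend is a separate "site"
            # host) - confirm before re-enabling.

            # Block httpoxy attacks. See https://httpoxy.org/ :
            fastcgi_param HTTP_PROXY "";

            # Bypass the fact that try_files resets $fastcgi_path_info
            # see: http://trac.nginx.org/nginx/ticket/321
            set $path_info $fastcgi_path_info;
            fastcgi_param PATH_INFO $path_info;

            # Do not display errors:
            # fastcgi_intercept_errors on;

            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_pass site:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        }
    }
}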