ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
ssl_session_timeout 4h;
ssl_session_cache shared:SSL:20m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
resolver 8.8.8.8 8.8.4.4;

root /var/www/danbooru/current/public;
index index.html;
access_log off;
error_log /var/www/danbooru/shared/log/server.error.log;
try_files $uri/index.html $uri.html $uri @app;
client_max_body_size 35m;
error_page 503 @maintenance;
error_page 404 /404.html;
error_page 500 502 503 504 /500.html;

location /assets {
  expires max;
  break;
}

location /data/preview {
  expires max;
  break;
}

location /posts/mobile {
  return 404;
}

location /users {
  limit_req zone=users burst=5;
  limit_req_status 429;
  try_files $uri @app_server;
}

location /posts {
  limit_req zone=posts burst=20;
  limit_req_status 429;
  try_files $uri @app_server;
}

location /data {
  valid_referers none *.donmai.us donmai.us ~\.google\. ~\.bing\. ~\.yahoo\.;

  if ($invalid_referer) {
    return 403;
  }

  rewrite ^/data/sample/__.+?__(.+) /data/sample/$1 last;
  rewrite ^/data/__.+?__(.+) /data/$1 last;

  expires max;
  break;
}

location /maintenance.html {
  expires 10;
}

if (-f $document_root/maintenance.html) {
  return 503;
}

if ($http_user_agent ~ (WinHttp\.WinHttpRequest\.5) ) {
  return 403;
}

location @maintenance {
  rewrite ^(.*)$ /maintenance.html last;
}

location @app_server {
  proxy_pass http://app_server;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Real-IP $remote_addr;
  proxy_redirect off;
  proxy_set_header Host $http_host;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_buffer_size 128k;
  proxy_buffers 4 256k;
  proxy_busy_buffers_size 256k;
}

location / {
  try_files $uri @app_server;
}