# Default Web Domain Template                                             #
# DO NOT MODIFY THIS FILE! CHANGES WILL BE LOST WHEN REBUILDING DOMAINS   #
#=========================================================================#

server {
	listen      %ip%:%proxy_ssl_port% ssl;
	server_name %domain_idn% %alias_idn%;
    root        %docroot%
	error_log   /var/log/%web_system%/domains/%domain%.error.log error;

	ssl_certificate     %ssl_pem%;
	ssl_certificate_key %ssl_key%;
	ssl_stapling        on;
	ssl_stapling_verify on;

	# TLS 1.3 0-RTT anti-replay
	if ($anti_replay = 307) { return 307 https://$host$request_uri; }
	if ($anti_replay = 425) { return 425; }

	include %home%/%user%/conf/web/%domain%/nginx.hsts.conf*;

	location ~ /\.(?!well-known\/|file) {
		deny all;
		return 404;
	}

	passenger_enabled on;
	passenger_user %user%;
	passenger_group %user%;
	passenger_ruby %rubypath%;
	passenger_friendly_error_pages %rubylog%;

	location / {
	    passenger_base_uri /;
        passenger_app_root %docrtpriv%;
        passenger_document_root %docroot%;
        passenger_startup_file config.rb;
	    passenger_app_type rack;
	}

	location /error/ {
		alias %home%/%user%/web/%domain%/document_errors/;
	}

	disable_symlinks if_not_owner from=%sdocroot%;

	proxy_hide_header Upgrade;

	include %home%/%user%/conf/web/%domain%/nginx.ssl.conf_*;
}