## RaspiBlitz NGINX config: blitzweb.conf

server {

    # localhost only
    listen 127.0.0.1:443 ssl default_server;
    listen [::1]:443 ssl default_server;
    # any interface
    #listen 443 ssl default_server;
    #listen [::]:443 ssl default_server;

    server_name _;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";

    add_header Strict-Transport-Security "max-age=31536000";

    # ToDo(frennkie) if /mnt/hdd/app-data is missing (e.g. no disk) this will cause nginx to fail!
    ssl_certificate /mnt/hdd/app-data/nginx/tls.cert;
    ssl_certificate_key /mnt/hdd/app-data/nginx/tls.key;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access_raspiblitz.log;
    error_log /var/log/nginx/error_raspiblitz.log;

    root /var/www/blitzweb;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    location /info/ {
        auth_basic           "BlitzWeb (admin:Password B)";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

}