include /etc/nginx/mime.types;
  charset utf-8;
  override_charset on;

  server_tokens off;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  ssl_ecdh_curve X25519:X448:secp384r1:secp256k1;
  ssl_session_cache shared:SSL:50m;
  ssl_session_timeout 1d;
  ssl_session_tickets off;

  add_header Strict-Transport-Security "max-age=15768000;";
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Frame-Options "SAMEORIGIN" always;
  add_header X-Permitted-Cross-Domain-Policies none;
  add_header Referrer-Policy strict-origin;

  index index.php index.html;

  client_max_body_size 0;

  gzip on;
  gzip_disable "msie6";

  gzip_vary on;
  gzip_proxied off;
  gzip_comp_level 6;
  gzip_buffers 16 8k;
  gzip_http_version 1.1;
  gzip_min_length 256;
  gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype image/svg+xml image/x-icon;

  location ~ ^/(fonts|js|css|img)/ {
    expires max;
    add_header Cache-Control public;
  }

  error_log  /var/log/nginx/error.log;
  access_log /var/log/nginx/access.log;
  fastcgi_hide_header X-Powered-By;
  absolute_redirect off;
  root /web;

  location / {
    try_files $uri $uri/ @strip-ext;
  }

  location /qhandler {
    rewrite ^/qhandler/(.*)/(.*) /qhandler.php?action=$1&hash=$2;
  }

  location /edit {
    rewrite ^/edit/(.*)/(.*) /edit.php?$1=$2;
  }

  location @strip-ext {
    rewrite ^(.*)$ $1.php last;
  }

  location ~ ^/api/v1/(.*)$ {
    try_files $uri $uri/ /json_api.php?query=$1&$args;
  }

  location ^~ /.well-known/acme-challenge/ {
    allow all;
    default_type "text/plain";
  }

  # If behind reverse proxy, forwards the correct IP
  set_real_ip_from 10.0.0.0/8;
  set_real_ip_from 172.16.0.0/12;
  set_real_ip_from 192.168.0.0/16;
  set_real_ip_from fc00::/7;
  real_ip_header X-Forwarded-For;
  real_ip_recursive on;

  rewrite ^/.well-known/caldav$ /SOGo/dav/ permanent;
  rewrite ^/.well-known/carddav$ /SOGo/dav/ permanent;

  location ^~ /principals {
    return 301 /SOGo/dav;
  }

  location ^~ /inc/lib/ {
    deny all;
    return 403;
  }

  location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass phpfpm:9002;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_read_timeout 3600;
    fastcgi_send_timeout 3600;
  }

  location /rspamd/ {
    location /rspamd/auth {
      # proxy_pass is not inherited
      proxy_pass       http://rspamd:11334/auth;
      proxy_intercept_errors on;
      proxy_set_header Host      $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_redirect off;
      error_page 403 /_rspamderror.php;
    }
    proxy_pass       http://rspamd:11334/;
    proxy_set_header Host      $http_host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_redirect off;
  }

  location ~* ^/Autodiscover/Autodiscover.xml {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass phpfpm:9002;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    try_files /autodiscover.php =404;
  }

  location ~* ^/Autodiscover/Autodiscover.json {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass phpfpm:9002;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    try_files /autodiscover-json.php =404;
  }

  location ~ /(?:m|M)ail/(?:c|C)onfig-v1.1.xml {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass phpfpm:9002;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    try_files /autoconfig.php =404;
  }

  location /sogo-auth-verify {
    internal;
    proxy_set_header  X-Original-URI $request_uri;
    proxy_set_header  X-Real-IP $remote_addr;
    proxy_set_header  Host $http_host;
    proxy_set_header  Content-Length "";
    proxy_pass        http://127.0.0.1:65510/sogo-auth;
    proxy_pass_request_body off;
  }

  location ^~ /Microsoft-Server-ActiveSync {
    include /etc/nginx/conf.d/includes/sogo_proxy_auth.conf;
    include /etc/nginx/conf.d/sogo_eas.active;
    proxy_connect_timeout 75;
    proxy_send_timeout 3600;
    proxy_read_timeout 3600;
    proxy_buffer_size 128k;
    proxy_buffers 64 512k;
    proxy_busy_buffers_size 512k;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    client_body_buffer_size 512k;
    client_max_body_size 0;
  }

  location ^~ /SOGo {
    location ~* ^/SOGo/so/.*\.(xml|js|html|xhtml)$ {
      include /etc/nginx/conf.d/includes/sogo_proxy_auth.conf;
      include /etc/nginx/conf.d/sogo.active;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $http_host;
      proxy_set_header x-webobjects-server-protocol HTTP/1.0;
      proxy_set_header x-webobjects-remote-host $remote_addr;
      proxy_set_header x-webobjects-server-name $server_name;
      proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
      proxy_set_header x-webobjects-server-port $server_port;
      proxy_hide_header Content-Type;
      add_header Content-Type text/plain;
      break;
    }
    include /etc/nginx/conf.d/includes/sogo_proxy_auth.conf;
    include /etc/nginx/conf.d/sogo.active;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header x-webobjects-server-protocol HTTP/1.0;
    proxy_set_header x-webobjects-remote-host $remote_addr;
    proxy_set_header x-webobjects-server-name $server_name;
    proxy_set_header x-webobjects-server-url $client_req_scheme://$http_host;
    proxy_set_header x-webobjects-server-port $server_port;
    proxy_buffer_size 128k;
    proxy_buffers 64 512k;
    proxy_busy_buffers_size 512k;
    proxy_send_timeout 3600;
    proxy_read_timeout 3600;
    client_body_buffer_size 128k;
    client_max_body_size 0;
    break;
  }

  location ~* /sogo$ {
    return 301 $client_req_scheme://$http_host/SOGo;
  }

  location /SOGo.woa/WebServerResources/ {
    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
  }

  location /.woa/WebServerResources/ {
    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
  }

  location /SOGo/WebServerResources/ {
    alias /usr/lib/GNUstep/SOGo/WebServerResources/;
  }

  location (^/SOGo/so/ControlPanel/Products/[^/]*UI/Resources/.*\.(jpg|png|gif|css|js)$) {
    alias /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2;
  }

  include /etc/nginx/conf.d/site.*.custom;

  error_page 502 @awaitingupstream;

  location @awaitingupstream {
    rewrite ^(.*)$ /_status.502.html break;
  }

  location ~ ^/cache/(.*)$ {
      try_files $uri $uri/ /resource.php?file=$1;
  }