###Permanently redirect clients to 443
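server {
	# Plain-HTTP catch-all: every request arriving on port 80 is answered with
	# a permanent redirect to the HTTPS site.
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name lipo.lol;

	# Redirect to the fixed canonical name rather than $host. As default_server
	# this block also answers requests whose Host header names some other
	# site, and $host would copy that client-supplied value into the Location
	# header of the 301.
	return 301 https://lipo.lol$request_uri;
}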

###VARNISH BACKEND HTTP SERVER, SSL TERMINATION NEXT
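server {
	# Origin server that Varnish fetches from. Bound to loopback so the
	# plain-HTTP origin cannot be reached from the network, which would bypass
	# TLS, the security headers and the cache.
	# Assumes Varnish runs on this host (the TLS server proxies to it at
	# 127.0.0.1:6081) and that its backend is defined as 127.0.0.1:8080 or
	# [::1]:8080 -- confirm in the VCL before deploying.
	listen 127.0.0.1:8080;
	listen [::1]:8080;
	server_name  lipo.lol;
	root /%%%%%CENSORED%%%/;
	port_in_redirect off;   # keep the internal port 8080 out of redirects nginx generates
	index index.php;

	gzip off; #Running brotli

	##PHP extension stripping
	# Serve the file as named, then with .html appended, then as a directory;
	# anything else is retried with .php appended via @extensionless-php.
	location / {
		try_files $uri $uri.html $uri/ @extensionless-php;
		index index.html index.htm index.php;
	}

	# Hand *.php requests to PHP-FPM over its Unix socket.
	# NOTE(review): snippets/fastcgi-php.conf is not visible here. It is
	# expected to refuse script names that do not exist on disk; verify that,
	# because the rewrite below can produce names of files that do not exist.
	location ~ \.php$ {
		include snippets/fastcgi-php.conf;
		fastcgi_pass unix:/run/php/php7.0-fpm.sock;
	}

	# Internal fallback: append .php and restart location matching, so the
	# request lands in the \.php$ location above.
	location @extensionless-php {
		rewrite ^(.*)$ $1.php last;
	}

	# Block .htaccess/.htpasswd-style files.
	# NOTE(review): only names starting with ".ht" are covered; other dotfiles
	# under the document root are still served if present.
	location ~ /\.ht {
		deny all;
	}

	# Long-lived caching for static assets; X-Asset marks responses that were
	# served by this location.
	location ~* \.(ico|css|js|gif|jpeg|jpg|png|woff|ttf|ttf2|otf|svg|woff2|eot|webp)$ {
		expires 30d;
		add_header Pragma public;
		add_header Cache-Control "public";
		add_header X-Asset "yes";
	}

	error_log /%%%%%CENSORED%%%.log notice;
}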


#HTTPS server: terminates TLS and proxies all requests to Varnish

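server {
	# Public HTTPS endpoint: terminates TLS, then proxies every request to the
	# local Varnish instance. The "ssl" flag on the listen lines enables TLS;
	# the separate "ssl on;" directive was deprecated and redundant, so it has
	# been dropped.
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;
	server_name lipo.lol;
	root /%%%%%CENSORED%%%;
	index index.html index.php index.htm index.nginx-debian.html;
	gzip off;

	# OCSP stapling; the resolver is needed to look up the OCSP responder, and
	# ssl_trusted_certificate supplies the chain used to verify its answer.
	ssl_stapling on;
	ssl_stapling_verify on;
	resolver 8.8.8.8;
	ssl_trusted_certificate /%%%%%%%CENSORED%%%%%%.crt;
	ssl_certificate /%%%%%CENSORED%%%.crt;
	ssl_certificate_key /%%%%%CENSORED%%%.key;

	# TLS 1.2 only, AES-256 with ephemeral (EC)DH key exchange.
	# NOTE(review): the cipher string also admits CBC-mode suites, and TLS 1.3
	# is not offered; revisit both when the nginx/OpenSSL build allows it.
	ssl_prefer_server_ciphers on;
	ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
	ssl_dhparam  /%%%%%CENSORED%%%.pem;
	ssl_protocols       TLSv1.2;
	ssl_ecdh_curve secp384r1;
	ssl_session_cache shared:SSL:5m;
	ssl_session_timeout 1h;

	# "always" makes nginx attach these headers to error responses as well;
	# without it they are only added to a fixed set of success/redirect codes.
	# A location that declares its own add_header stops inheriting these
	# three, so check any locations defined in included files.
	add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload' always;
	add_header X-Frame-Options DENY always;
	add_header X-Content-Type-Options nosniff always;

	location / {           #####PASSING THROUGH VARNISH####
		proxy_pass http://127.0.0.1:6081;
		# NOTE(review): $http_host is the raw client-supplied Host header, and
		# as default_server this block accepts any host name. Confirm that
		# Varnish and the application do not trust Host / X-Forwarded-Host
		# when building links or cache keys.
		proxy_set_header Host $http_host;
		proxy_set_header X-Forwarded-Host $http_host;
		proxy_set_header X-Real-IP $remote_addr;
		# Appends $remote_addr to whatever X-Forwarded-For the client sent, so
		# only the last entry is set by this server.
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto https;
		# Sends a request header literally named "HTTPS" to the upstream.
		proxy_set_header HTTPS "on";

		access_log /%%%%%CENSORED%%%.log;
		# Stray text after the terminating semicolon ("..\lipo") removed; nginx
		# would have tried to parse it as another directive.
		error_log  /%%%%%CENSORED%%%.log notice;
	}

	include /etc/nginx/conf.d/pagespeed.conf;
	pagespeed on;
#	pagespeed off;

	pagespeed FileCachePath              "/%%%%CENSORED%%%%%/";
	pagespeed FileCacheSizeKb            1024000;
	pagespeed FileCacheCleanIntervalMs   3600000;
	pagespeed FileCacheInodeLimit        500000;
	pagespeed RewriteLevel CoreFilters;
	pagespeed HttpCacheCompressionLevel 0; ### Prevents pagespeed from subbing gzip for brotli

	pagespeed EnableFilters combine_css,extend_cache,rewrite_images;
	pagespeed EnableFilters rewrite_css,rewrite_javascript;
	pagespeed EnableFilters collapse_whitespace;
	pagespeed EnableFilters elide_attributes;
	pagespeed EnableFilters prioritize_critical_css;
	pagespeed EnableFilters remove_comments;
	pagespeed EnableFilters remove_quotes;
	pagespeed EnableFilters trim_urls;
	pagespeed EnableFilters insert_image_dimensions;
	# resize_images was listed a second time further down; the duplicate line
	# has been removed.
	pagespeed EnableFilters responsive_images,resize_images;
	pagespeed EnableFilters strip_image_color_profile;
	pagespeed EnableFilters strip_image_meta_data;
	# NOTE(review): include_js_source_maps and add_instrumentation both add
	# material to responses (source-map references, an injected measurement
	# script); confirm they are wanted on the public site.
	pagespeed EnableFilters include_js_source_maps;
	pagespeed EnableFilters inline_css;
	pagespeed EnableFilters inline_javascript;
	pagespeed EnableFilters convert_jpeg_to_progressive;
	pagespeed EnableFilters add_instrumentation;
	pagespeed EnableFilters defer_javascript;
	pagespeed EnableFilters insert_dns_prefetch;
	pagespeed EnableFilters hint_preload_subresources;
	pagespeed EnableFilters in_place_optimize_for_browser;
	#pagespeed EnableFilters
}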