server {
  listen 8544 ssl http2;
  listen [::]:8544 ssl http2;
  server_name flarum.bubblesthebunny.com;

  ssl_protocols TLSv1.2 TLSv1.3;

  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;

  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;

  ssl_certificate     /etc/nginx/flarum.bubblesthebunny.com/fullchain.pem;
  ssl_certificate_key /etc/nginx/flarum.bubblesthebunny.com/privkey.pem;

  root /var/www/flarum/public;
  index index.php index.html index.htm;

  location ~ \.php$ {
      include fastcgi_params;
      fastcgi_split_path_info ^(.+\.php)(/.+)$;
      fastcgi_pass  127.0.0.1:9000;
  }

  # Pass requests that don't refer directly to files in the filesystem to index.php
  location / {
    index index.php;
    try_files $uri $uri/ /index.php?$query_string;
  }

  # Uncomment the following lines if you are not using a `public` directory
  # to prevent sensitive resources from being exposed.
  # <!-- BEGIN EXPOSED RESOURCES PROTECTION -->
  # location ~* ^/(\.git|composer\.(json|lock)|auth\.json|config\.php|flarum|storage|vendor) {
  #   deny all;
  #   return 404;
  # }
  # <!-- END EXPOSED RESOURCES PROTECTION -->

  # The following directives are based on best practices from H5BP Nginx Server Configs
  # https://github.com/h5bp/server-configs-nginx

  # Expire rules for static content
  location ~* \.(?:manifest|appcache|html?|xml|json)$ {
    add_header Cache-Control "max-age=0";
  }

  location ~* \.(?:rss|atom)$ {
    add_header Cache-Control "max-age=3600";
  }

  location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|mp4|ogg|ogv|webm|htc)$ {
    add_header Cache-Control "max-age=2592000";
    access_log off;
  }

  location ~* \.(?:css|js)$ {
    add_header Cache-Control "max-age=31536000";
    access_log off;
  }

  location ~* \.(?:ttf|ttc|otf|eot|woff|woff2)$ {
    add_header Cache-Control "max-age=2592000";
    access_log off;
  }

  # Gzip compression
  gzip on;
  gzip_comp_level 5;
  gzip_min_length 256;
  gzip_proxied any;
  gzip_vary on;
  gzip_types
      application/atom+xml
      application/javascript
      application/json
      application/ld+json
      application/manifest+json
      application/rss+xml
      application/vnd.geo+json
      application/vnd.ms-fontobject
      application/x-font-ttf
      application/x-web-app-manifest+json
      application/xhtml+xml
      application/xml
      font/opentype
      image/bmp
      image/svg+xml
      image/x-icon
      text/cache-manifest
      text/css
      text/javascript
      text/plain
      text/vcard
      text/vnd.rim.location.xloc
      text/vtt
      text/x-component
      text/x-cross-domain-policy;
}