upstream freshrss {
	server 192.168.1.219:8080;
	keepalive 64;
}

server {
        listen 80;
        listen [::]:80;

        server_name rss.shad.moe www.rss.shad.moe;

        location / {
            return 301 https://$host$request_uri;
        }
}

server {
	server_name rss.shad.moe www.rss.shad.moe;
	listen 443 ssl;
        listen [::]:443 ssl;

        http2 on;

	ssl_certificate /etc/letsencrypt/live/rss.shad.moe/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/rss.shad.moe/privkey.pem;
        ssl_session_timeout 1d;
        ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
        ssl_session_tickets off;

        ssl_dhparam /etc/nginx/dhparam.txt;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers off;

        add_header Strict-Transport-Security "max-age=63072000" always;

        include snippets/http-cat-error-pages.conf;

	location / {
		proxy_pass http://freshrss/;
		add_header X-Frame-Options SAMEORIGIN;
		add_header X-XSS-Protection "1; mode=block";
		proxy_redirect off;
		proxy_buffering off;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Port $server_port;
		proxy_read_timeout 90;

		# Forward the Authorization header for the Google Reader API.
		proxy_set_header Authorization $http_authorization;
		proxy_pass_header Authorization;
	}
}