server {
	   server_name www.talent.{{company-name}}.{{company-suffix}} talent.{{company-name}}.{{company-suffix}} {{company-name}}.talent.careers;
       return 301 https://talent.{{company-name}}.{{company-suffix}}$request_uri;
}

server {
		listen [::]:443 ssl;
    	listen 443 ssl;
	    server_name www.talent.{{company-name}}.{{company-suffix}};

		ssl_certificate /etc/letsencrypt/live/{{company-name}}/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/{{company-name}}/privkey.pem;
		ssl_trusted_certificate /etc/letsencrypt/live/{{company-name}}/chain.pem;
		ssl_session_timeout 1d;
		ssl_session_cache shared:le_nginx_SSL:1m;
  		ssl_session_tickets off;
  		ssl_prefer_server_ciphers on;
  		add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
  		ssl_stapling on;
  		ssl_stapling_verify on;
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";
        return 301 https://talent.{{company-name}}.{{company-suffix}}$request_uri;
}

server {
		listen [::]:443 ssl;
        listen 443 ssl;
        server_name talent.{{company-name}}.{{company-suffix}} {{company-name}}.talent.careers;
	
		ssl_certificate /etc/letsencrypt/live/{{company-name}}/fullchain.pem;
		ssl_certificate_key /etc/letsencrypt/live/{{company-name}}/privkey.pem;
		ssl_trusted_certificate /etc/letsencrypt/live/{{company-name}}/chain.pem;
		ssl_session_timeout 1d;
		ssl_session_cache shared:le_nginx_SSL:1m;
  		ssl_session_tickets off;
  		ssl_prefer_server_ciphers on;
  		add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
  		ssl_stapling on;
  		ssl_stapling_verify on;
		ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
		ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

		# Bad Bot Blocker
		include /etc/nginx/bots.d/ddos.conf;
		include /etc/nginx/bots.d/blockbots.conf;

		root /srv/http/{{company-name}}.talent.careers/web/;

		add_header Cache-Control "no-cache, no-store, must-revalidate, proxy-revalidate";
		#add_header X-Frame-Options SAMEORIGIN; # allow from startberlin, jsfiddle, ...
		add_header X-Content-Type-Options nosniff;
		add_header X-XSS-Protection "1; mode=block";
		add_header Referrer-Policy "same-origin";
		add_header Expect-CT "max-age=0, report-uri=https://sompani.report-uri.com/r/d/ct/reportOnly";
		#add_header Content-Security-Policy "default-src https:; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:; style-src 'self' 'unsafe-inline' https:; font-src 'self' https:; frame-src https:; object-src 'none'";
		add_header X-Who-Is-Awesome "You are ❤";


		location / {
        	# try to serve file directly, fallback to app.php
        	try_files $uri /app.php$is_args$args;
    	}
		location ~ ^/app\.php(/|$) {
        	fastcgi_pass unix:/var/run/php-fpm/php-fpm.sock;
        	fastcgi_split_path_info ^(.+\.php)(/.*)$;
        	include fastcgi_params;
        	# When you are using symlinks to link the document root to the
        	# current version of your application, you should pass the real
        	# application path instead of the path to the symlink to PHP
        	# FPM.
        	# Otherwise, PHP's OPcache may not properly detect changes to
        	# your PHP files (see https://github.com/zendtech/ZendOptimizerPlus/issues/126
        	# for more information).
        	fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        	fastcgi_param DOCUMENT_ROOT $realpath_root;
        	# Prevents URIs that include the front controller. This will 404:
        	# http://domain.tld/app.php/some-path
        	# Remove the internal directive to allow URIs like this
        	internal;
			expires -1;
    	}

    	# return 404 for all other php files not matching the front controller
    	# this prevents access to other php files you don't want to be accessible.
    	location ~ \.php$ {
      		return 404;
    	}
   	 	
		location ^~ /og-image {
			root /srv/img/www.sompani.com/;
		}
		# ACME challenge
   	 	#location ^~ /.well-known {
   	 	#  allow all;
   	 	#  alias /var/lib/letsencrypt/.well-known/;
   	 	#  default_type "text/plain";
   	 	#  try_files $uri =404;
   		#}

    	error_log /var/log/nginx/{{company-name}}.talent.careers.error.log;
    	access_log /var/log/nginx/{{company-name}}.talent.careers.access.log;

}