upstream backend {
    server 127.0.0.1:9392;
    keepalive 64;
}

server {
        listen IP:80;
        server_name openvas.domain.tdl;
        return 301 https://openvas.domain.tdl$request_uri;
}

server {
        listen IP:443 ssl http2;
        server_name openvas.domain.tdl;
        access_log /var/log/nginx/openvas.domain.tdl.access.log;
        error_log  /var/log/nginx/openvas.domain.tdl.error.log;
        # Not sourcing directly from file
        fastcgi_param  SCRIPT_FILENAME    $document_root$fastcgi_script_name;
	fastcgi_param  QUERY_STRING       $query_string;
	fastcgi_param  REQUEST_METHOD     $request_method;
	fastcgi_param  CONTENT_TYPE       $content_type;
	fastcgi_param  CONTENT_LENGTH     $content_length;
	fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
	fastcgi_param  REQUEST_URI        $request_uri;
	fastcgi_param  DOCUMENT_URI       $document_uri;
	fastcgi_param  SERVER_PROTOCOL    $server_protocol;
	fastcgi_param  REQUEST_SCHEME     $scheme;
	fastcgi_param  HTTPS              $https;
	fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
	fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;
	fastcgi_param  REMOTE_ADDR        $remote_addr;
	fastcgi_param  REMOTE_PORT        $remote_port;
	fastcgi_param  SERVER_ADDR        $server_addr;
	fastcgi_param  SERVER_PORT        $server_port;
	fastcgi_param  SERVER_NAME        $server_name;
	fastcgi_param  REDIRECT_STATUS    200;
        fastcgi_param  HTTP_PROXY "";
        fastcgi_param  PATH_INFO          $fastcgi_path_info;
	fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_path_info;
        fastcgi_param  DOCUMENT_ROOT	  $document_root;

        location / {        
                proxy_set_header   Host             $http_host;
                proxy_set_header   X-Real-IP        $remote_addr;
                proxy_set_header   REMOTE_HOST      $remote_addr;
                proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
                proxy_set_header   X-FORWARDED-PROTOCOL $scheme;
                proxy_pass https://backend;
                proxy_http_version 1.1;
                proxy_pass_request_headers on;
                proxy_set_header Connection "keep-alive";
                proxy_store off;
                gzip on;
                gzip_proxied any;
                gzip_types *;
        }

	resolver 127.0.0.1;
        resolver_timeout 6s;
	ssl_certificate /openvas.domain.tdl/fullchain.pem;
	ssl_certificate_key /openvas.domain.tdl/privkey.pem;
        ssl_trusted_certificate /openvas.domain.tdl/chain.pem;        
        ssl_dhparam /openvas.domain.tdl/dhparam.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
        ssl_ecdh_curve  secp384r1;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_session_cache shared:SSL:40m;
        ssl_session_timeout 21h;
        ssl_session_tickets off;
        ssl_buffer_size 4k;
        add_header Referrer-Policy no-referrer-when-downgrade;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Content-Type-Options "nosniff";
        add_header X-XSS-Protection "1; mode=block";
}