#............................................................................
#   Eenos Symfony Nginx Stand Alone Vhost Configurations
#   All files will be served from Nginx
#............................................................................
# Build Time - ${time}
# Domain name - ${servername}
#.......... HTTP VHOST ..................................
# Version 25.10
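server {
    %if isipv4 == "on":
    listen ${ips['ipv4']}:${webports['nginx']['http']};
    %endif
    %if isipv6 == "on":
    listen  [${ips['ipv6']}]:${webports['nginx']['http']};
    %endif
    # server_name: wildcard vhosts omit the alias list; the dedicated IPv4/IPv6
    # literals are appended so requests addressed by bare IP also reach this vhost.
    % if iswildcard == "off":
        %if isdedicatedip == "on" and isdedicatedip6 == "on":
    server_name  ${servername} ${serveralias} ${ips['ipv4']} www.${ips['ipv4']} [${ips['ipv6']}];
        %elif isdedicatedip == "on" and isdedicatedip6 == "off":
    server_name  ${servername} ${serveralias} ${ips['ipv4']} www.${ips['ipv4']};
        %elif isdedicatedip == "off" and isdedicatedip6 == "on":
    server_name ${servername} ${serveralias} [${ips['ipv6']}];
        %else:
    server_name  ${servername} ${serveralias};
        %endif
    % else:
        %if isdedicatedip == "on" and isdedicatedip6 == "on":
    server_name  ${servername} ${ips['ipv4']} www.${ips['ipv4']} [${ips['ipv6']}];
        %elif isdedicatedip == "on" and isdedicatedip6 == "off":
    server_name  ${servername} ${ips['ipv4']} www.${ips['ipv4']};
        %elif isdedicatedip == "off" and isdedicatedip6 == "on":
    server_name  ${servername} [${ips['ipv6']}];
        %else:
    server_name  ${servername};
        %endif
    %endif
    # Let's Encrypt HTTP-01 validation. "^~" makes this prefix location win over
    # every regex location below, and it sits above the redirect branches so
    # certificate renewals keep working while the site itself is redirected.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html;
    }
    root ${docroot};
    index index.php  index.perl index.pl  index.cgi  index.phtml index.shtml index.xhtml index.html index.htm index.wml Default.html Default.htm default.html default.htm home.html home.htm eenos.html;
    location = /favicon.ico { log_not_found off; }
    %if siteredirect['status']=="on":
        %if isvarnish=="off":
    # Whole-site redirect: the captured path is appended verbatim to the target URL.
    location /{
        rewrite ^/(.*)$ ${siteredirect['url']}$1 permanent;
    }
        %else:
    # The site redirect is not emitted when Varnish fronts this vhost (it would
    # produce a redirect loop); configure the redirection in the application instead.
        %endif
    %elif redirect['http-to-https'] == "on" :
    # Force HTTPS. Everything after this branch is only emitted for a plain-HTTP site.
    location /{
        rewrite ^/(.*) https://$host$request_uri permanent;
    }
    % else:
    # Access logs: one request log and one bytes log, optionally buffered.
    %if nginx['access_log_buffering'] == "on":
    access_log /var/log/domlogs/${servername} main buffer=32k flush=5m;
    access_log /var/log/domlogs/${servername}-bytes_log bytes_log buffer=32k flush=5m;
    %else:
    access_log /var/log/domlogs/${servername} main;
    access_log /var/log/domlogs/${servername}-bytes_log bytes_log;
    %endif
    % if redirect['www-to-nonwww'] == "tononwww":
    # Redirect www to non-www
    if ($host = 'www.${servername}' ) {
        rewrite  ^/(.*)$  http://${servername}/$1  permanent;
    }
    % endif
    % if redirect['www-to-nonwww'] == "towww":
    # Redirect non-www to www
    if ($host = '${servername}' ) {
        rewrite  ^/(.*)$  http://www.${servername}/$1  permanent;
    }
    % endif
    %if ismodsec == "on":
        %if nginx['modsec'] == 'off' or modsecurity == 'off' :
    # ModSecurity is switched off for this domain only; the regex "if" filters
    # further down are then the only request filtering this vhost has.
    modsecurity_rules ' SecRuleEngine Off ';
        % endif
    %endif
    %if nginx['userdir'] == "on":
    # Userdir: /~${user}/<path> is served from ${docroot}/<path>.
    # The regex has a single capture group, so the alias must use $1. The
    # previous "$2" referenced a capture that does not exist and aliased every
    # userdir request to the bare document root.
    location  ~ ^/~${user}(/.*)?$ {
        alias   ${docroot}$1;
        autoindex on;
        # NOTE(review): try_files inside an alias location is a known nginx
        # gotcha (the fallback is resolved against root, not the alias); confirm
        # the intended behaviour before relying on it.
        try_files $uri $uri/ ;
    }
    % endif
    referer_hash_bucket_size 512;
    # Static files served directly by nginx. The dot before the extension list
    # is escaped so only a real ".<ext>" suffix matches, not any character.
    location ~* ^.+\.(${nginx['file_extensions']})$ {
        expires 30d;
        # NOTE(review): add_header in a location replaces (does not extend) the
        # server-level add_header set, so X-Frame-Options / X-XSS-Protection
        # declared below are not sent for these responses. The same applies to
        # every other location in this vhost that uses add_header.
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    # Deny direct access to dot-files and dot-folders such as .htaccess,
    # .htpasswd, .ini, .log and .conf. The former trailing "$" anchor limited the
    # match to a path component named exactly ".ht", ".ini", ".log" or ".conf",
    # so .htaccess/.htpasswd were not actually blocked.
    location ~ /\.(ht|ini|log|conf) {
          deny all;
    }
    % if nginx['slowloris'] == "on":
    # Slowloris mitigation: bound how long a client may take to send headers/body.
    client_body_timeout ${nginx['client_body_timeout']};
    client_header_timeout ${nginx['client_header_timeout']};
    % endif
    keepalive_requests ${nginx['keepalive_requests']};
    keepalive_timeout ${nginx['keepalive_timeout']};
    % if nginx['symlink_protect'] == "on":
    # Refuse to follow symlinks anywhere below the document root (symlink
    # attacks against other accounts' files on a shared host).
    disable_symlinks on from=$document_root;
    % endif
    % if nginx['dirlist'] == "on":
    # Directory listing enabled
    autoindex on;
    % else:
    # Directory listing disabled
    autoindex off;
    % endif
    % if nginx['pseudoflv'] == "on":
    # Pseudo-streaming for FLV files (dot escaped: only a real .flv suffix matches).
    location ~ \.flv$ {
        flv;
    }
    % endif
    %if nginx['pseudomp4'] == "on":
    # Pseudo-streaming for MP4 files (dot escaped: only a real .mp4 suffix matches).
    location ~ \.mp4$ {
        mp4;
        mp4_buffer_size 4M;
        mp4_max_buffer_size 10M;
    }
    % endif
    % if nginx['limit_connection'] == "on":
    # Layer-7 DoS protection: concurrent-connection caps per client IP and per
    # vhost (ngx_http_limit_conn_module). The "perip"/"perserver" zones must be
    # declared in the http context. 444 closes the connection without a response.
    limit_conn perip ${nginx['limit_connection_perip']};
    limit_conn perserver ${nginx['limit_connection_perdomain']};
    limit_conn_status 444;
    % endif
    % if nginx['request_module'] == "on":
    # Layer-7 DoS protection: request-rate limiting (ngx_http_limit_req_module,
    # not limit_conn as the old comment said). The rate itself lives in the
    # "reqperip"/"reqperserver" zone declarations; only the burst is set here.
    limit_req zone=reqperip burst=${nginx['request_module_perip']} nodelay;
    limit_req zone=reqperserver burst=${nginx['request_module_perdomain']};
    limit_req_status 444;
    % endif

    %if nginx['limitmethod'] == "on":
    # Only GET, POST, HEAD and PURGE are allowed; anything else gets custom code 447.
    # $badmethod is expected to come from a map in the http context (not visible here).
    if ($badmethod = 1) {
        return 447;
    }
    % endif
    %if nginx['useragent']== "on":
    # Block known bad bots by User-Agent ($badbot map, http context) - custom code 448.
    if ($badbot){
        return 448;
    }
    % endif

    %if nginx['xss'] == "on":
    # Legacy XSS-auditor header. Current browsers ignore it; a Content-Security-Policy
    # is the present-day mechanism. Kept for older clients.
    add_header X-XSS-Protection "1; mode=block";
    % endif

    % if nginx['xframe'] == "on":
    # Clickjacking protection: only same-origin pages may frame this site.
    add_header X-Frame-Options "SAMEORIGIN";
    % endif

    %if nginx['scanner'] == "on":
    # Block known site-scanner User-Agents ($badscanner map, http context) - custom code 449.
    if ($badscanner = 1){
        return 449;
    }
    % endif

    %if nginx['refspam'] == "on":
    # Block referrer spam ($badreferer map, http context) - custom code 460.
    if ($badreferer){
        return 460;
    }
    % endif
    % if nginx['sql_injection'] =="on":
    # Coarse SQL-injection heuristics on the raw query string. These "if" filters
    # are a last-resort layer only; ModSecurity (ismodsec) is the real WAF.
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 403;
    }
    % endif
    % if nginx['file_injection'] == "on":
    # Coarse remote/local file-inclusion heuristics on the raw query string
    # (same caveat as the SQL block above).
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 403;
    }
    % endif

    % if nginx['cep'] == "on":
    # Common-exploit heuristics on the raw query string (same caveat as above).
    set $block_common_exploits 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "proc/self/environ") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 403;
    }
    % endif
    % if nginx['hotlink'] == "on":
    # Hotlink protection for media/asset files.
    # NOTE(review): regex locations are tried in order of appearance, so when
    # ${nginx['file_extensions']} already lists these extensions the static-file
    # location above matches first and this block is never reached.
    location ~ \.(jpe?g|png|gif|svg|tiff|bmp|webp|bpg|css|ico|js|woff|woff2|ttf|ttc|otf|eot)$ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        # "none" permits requests without a Referer, "blocked" permits stripped ones.
        %if iswildcard == "off":
        valid_referers none blocked ${servername} *.${servername};
        %else:
        valid_referers none blocked ${servername};
        %endif
        if ($invalid_referer) {
            return   403;
        }
    }
    % endif
    %if nginx['xmlrpc']=="on":
    # Drop xmlrpc.php requests without a response. "return" runs in the rewrite
    # phase, so it fires before "deny" would be evaluated.
    location ~* ^/xmlrpc\.php$ {
        deny all;
        return 444;
    }
    %endif
    # Shared location snippets. The "[.]" glob makes each include optional:
    # an unmatched glob expands to no files instead of failing the config load.
    # Eenos Alias
    include /etc/nginx/eenos[.]conf;
    # Mailman
    include /etc/nginx/mailman[.]conf;
    # PHPMyadmin
    include /etc/nginx/phpmyadmin[.]conf;
    # phpPgAdmin
    include /etc/nginx/phppgadmin[.]conf;
    # Roundcube
    include /etc/nginx/roundcube[.]conf;
    # External Alias
    location / {
        % if iscustomrewrite == 'on':
        # Custom rewrite rules
        include /var/eenos/userdata/${user}/vhosts/nginx/${servername}.rewrite;
        % else:
        # Place the custom rewrite rules in the file below and rebuild the vhost
        # include /var/eenos/userdata/${user}/vhosts/nginx/${servername}.rewrite;
        % endif
        client_max_body_size ${nginx['client_max_body_size']};
        client_body_buffer_size ${nginx['client_body_buffer_size']};
        # Front-controller fallback. This must name the same script the PHP
        # handler below accepts: that handler matches only ^/index\.php and is
        # "internal", so the previous "/app.php" fallback hit the catch-all
        # "location ~ \.php$ { return 404; }" for every non-static request.
        try_files $uri /index.php$is_args$args;
    }
    # The only PHP entry point: index.php, reached solely through the try_files
    # fallback above ("internal" answers direct external requests with 404).
    location ~ ^/index\.php(/|$) {
        try_files $uri =404;
        fastcgi_pass unix:${fpmsocket};
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        # $realpath_root resolves symlinks, so deployments that swap a
        # "current" symlink are picked up without a reload.
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        include /etc/nginx/fastcgi_params;
        % if nginx['fcgicache'] == "on":
        # PHP-FPM FastCGI micro-cache. $no_cache = 1 skips both lookup and store.
        set $no_cache 0;
        # Only cache GET requests
        if ($request_method != GET){
            set $no_cache 1;
        }
        # Don't cache if the URL contains a query string
        if ($query_string != ""){
            set $no_cache 1;
        }
        # Don't cache logged-in WordPress users (wordpress_logged_in_[hash] cookie)
        if ($http_cookie ~* "wordpress_logged_in_"){
            set $no_cache 1;
        }
        # Don't cache POST requests (already covered by the GET check; kept for clarity)
        if ($request_method = POST)
        {
        set $no_cache 1;
        }
        # Don't cache admin / login URLs
        if ($request_uri ~* "/(wp-login.php|wp-admin|administrator/|login.php|backend|admin)"){
            set $no_cache 1;
        }
        # Don't cache if there is a PHP session cookie
        if ($http_cookie ~* "PHPSESSID")
        {
            set $no_cache 1;
        }
        # Mark uncacheable responses: a 2-second client cookie plus a debug header.
        if ($no_cache = "1") {
            add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
            add_header X-Microcachable "0";
        }
        fastcgi_no_cache $no_cache $http_pragma $http_authorization;
        # Any client can force a cache bypass with a nocache/comment query
        # argument; that is the upstream example's behaviour, kept as-is.
        fastcgi_cache_bypass $no_cache $cookie_nocache $arg_nocache$arg_comment;
        fastcgi_cache FASTCGICACHE;
        # Per-visitor "uid" cookie (ngx_http_userid_module). userid_p3p is
        # obsolete; no current browser evaluates P3P.
        userid  on;
        userid_name uid;
        userid_domain   $host;
        userid_path /;
        userid_expires 30d;
        userid_p3p     'policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"';
        # NOTE(review): the key carries no $scheme; if another vhost shares the
        # FASTCGICACHE zone, HTTP and HTTPS responses for the same URL collide.
        fastcgi_cache_key "$host$request_uri$request_method";
        fastcgi_cache_valid ${nginx['fastcgi_cache_valid']};
            % if nginx['fastcgi_cache_use_stale'] == "on":
        fastcgi_cache_use_stale updating error timeout invalid_header http_500;
            % endif
        fastcgi_cache_min_uses ${nginx['fastcgi_cache_min_use']};
            % if nginx['fastcgi_cache_revalidate'] == "on":
        fastcgi_cache_revalidate on;
            % else:
        fastcgi_cache_revalidate off;
            % endif
            % if nginx['fastcgi_cache_lock']=="on":
        fastcgi_cache_lock on;
            % else:
        fastcgi_cache_lock off;
            % endif
        # NOTE(review): Set-Cookie is both passed through and excluded from the
        # cacheability decision, so a cacheable GET that starts a session is
        # stored together with its Set-Cookie header and replayed to later
        # visitors. Confirm the application never sets cookies on a cacheable
        # GET, or drop Set-Cookie from fastcgi_ignore_headers.
        fastcgi_pass_header Set-Cookie;
        fastcgi_pass_header Cookie;
        fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
        add_header X-Cache-Status $upstream_cache_status;
        # NOTE(review): "from all" lets any client issue PURGE for the whole
        # cache (purge_all); restrict "from" to the hosts that legitimately purge.
        fastcgi_cache_purge PURGE purge_all from all;
        % endif
        internal;
    }

    # Every other .php path is refused outright.
    location ~ \.php$ {
        return 404;
    }
    % if iscustominclude == 'on':
# Custom include
include /var/eenos/userdata/${user}/vhosts/nginx/${servername}.include;
    % else:
# Place your custom includes in the file below and rebuild the vhost
# include /var/eenos/userdata/${user}/vhosts/nginx/${servername}.include;
    % endif
    % endif
}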

%if havessl=="on":
#.......... HTTPS VHOST ..................................
%if isvarnish=="on":
# Varnish ssl termination 
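server {
    %if isipv4 == "on":
    listen ${ips['ipv4']}:${webports['nginx']['https']} ssl ;
    %endif
    %if isipv6 == "on":
    listen  [${ips['ipv6']}]:${webports['nginx']['https']} ssl;
    %endif
    %if nginx['http2'] == "on":
    http2 on;
    %else:
    http2 off;
    %endif
    # server_name: wildcard vhosts omit the alias list; the dedicated IPv4/IPv6
    # literals are appended so requests addressed by bare IP also reach this vhost.
    % if iswildcard == "off":
        %if isdedicatedip == "on" and isdedicatedip6 == "on":
    server_name  ${servername} ${serveralias} ${ips['ipv4']} www.${ips['ipv4']} [${ips['ipv6']}];
        %elif isdedicatedip == "on" and isdedicatedip6 == "off":
    server_name  ${servername} ${serveralias} ${ips['ipv4']} www.${ips['ipv4']};
        %elif isdedicatedip == "off" and isdedicatedip6 == "on":
    server_name ${servername} ${serveralias} [${ips['ipv6']}];
        %else:
    server_name  ${servername} ${serveralias};
        %endif
    % else:
        %if isdedicatedip == "on" and isdedicatedip6 == "on":
    server_name  ${servername} ${ips['ipv4']} www.${ips['ipv4']} [${ips['ipv6']}];
        %elif isdedicatedip == "on" and isdedicatedip6 == "off":
    server_name  ${servername} ${ips['ipv4']} www.${ips['ipv4']};
        %elif isdedicatedip == "off" and isdedicatedip6 == "on":
    server_name  ${servername} [${ips['ipv6']}];
        %else:
    server_name  ${servername};
        %endif
    %endif
    ssl_certificate ${sslcrt};
    ssl_certificate_key ${sslkey};
    # Protocol and cipher policy come from the panel configuration.
    ssl_protocols ${nginx['sslprotocol']};
    ssl_ciphers ${nginx['sslcipher']};
    %if nginx['ssl_prefer_server_ciphers'] == "on":
    # The server picks the cipher from the client's list
    ssl_prefer_server_ciphers on;
    %else:
    # The client's preference order is honoured
    ssl_prefer_server_ciphers off;
    %endif
    # Session cache shared by every vhost that names the "SSL" zone.
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 60m;
    %if nginx['ssl_stapling'] == "on":
    # OCSP stapling with verification of the stapled response.
    # NOTE(review): ssl_trusted_certificate must hold the issuer chain; if
    # ${sslcrt} is the leaf certificate only, verification fails and nginx
    # quietly stops stapling (only a warning in the error log).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate ${sslcrt};
    %endif
    %if nginx['hsts'] == "on":
    # HSTS for one year; "always" also emits it on error responses.
    add_header Strict-Transport-Security "max-age=31536000;" always;
    %endif
    add_header X-Served-By "Eenos";
    # Access logging is done behind Varnish, not at this TLS-termination layer.
    access_log off;
    # Deny direct access to dot-files and dot-folders such as .htaccess,
    # .htpasswd, .ini, .log and .conf. The former trailing "$" anchor limited the
    # match to a path component named exactly ".ht", ".ini", ".log" or ".conf",
    # so .htaccess/.htpasswd were not actually blocked.
    location ~ /\.(ht|ini|log|conf) {
          deny all;
    }
    % if nginx['slowloris'] == "on":
    # Slowloris mitigation: bound how long a client may take to send headers/body.
    client_body_timeout ${nginx['client_body_timeout']};
    client_header_timeout ${nginx['client_header_timeout']};
    % endif
    keepalive_requests ${nginx['keepalive_requests']};
    keepalive_timeout ${nginx['keepalive_timeout']};
    % if nginx['symlink_protect'] == "on":
    # Refuse to follow symlinks below the document root (no effect on the
    # proxied "location /", but kept in step with the other vhosts).
    disable_symlinks on from=$document_root;
    % endif
    % if nginx['dirlist'] == "on":
    # Directory listing enabled
    autoindex on;
    % else:
    # Directory listing disabled
    autoindex off;
    % endif
    % if nginx['limit_connection'] == "on":
    # Layer-7 DoS protection: concurrent-connection caps per client IP and per
    # vhost (ngx_http_limit_conn_module). The "perip"/"perserver" zones must be
    # declared in the http context. 444 closes the connection without a response.
    limit_conn perip ${nginx['limit_connection_perip']};
    limit_conn perserver ${nginx['limit_connection_perdomain']};
    limit_conn_status 444;
    % endif
    % if nginx['request_module'] == "on":
    # Layer-7 DoS protection: request-rate limiting (ngx_http_limit_req_module,
    # not limit_conn as the old comment said). The rate itself lives in the
    # "reqperip"/"reqperserver" zone declarations; only the burst is set here.
    limit_req zone=reqperip burst=${nginx['request_module_perip']} nodelay;
    limit_req zone=reqperserver burst=${nginx['request_module_perdomain']};
    limit_req_status 444;
    % endif

    %if nginx['limitmethod'] == "on":
    # Only GET, POST, HEAD and PURGE are allowed; anything else gets custom code 447.
    # $badmethod is expected to come from a map in the http context (not visible here).
    if ($badmethod = 1) {
        return 447;
    }
    % endif
    %if nginx['useragent']== "on":
    # Block known bad bots by User-Agent ($badbot map, http context) - custom code 448.
    if ($badbot){
        return 448;
    }
    % endif

    %if nginx['xss'] == "on":
    # Legacy XSS-auditor header. Current browsers ignore it; a Content-Security-Policy
    # is the present-day mechanism. Kept for older clients.
    add_header X-XSS-Protection "1; mode=block";
    % endif

    % if nginx['xframe'] == "on":
    # Clickjacking protection: only same-origin pages may frame this site.
    add_header X-Frame-Options "SAMEORIGIN";
    % endif

    %if nginx['scanner'] == "on":
    # Block known site-scanner User-Agents ($badscanner map, http context) - custom code 449.
    if ($badscanner = 1){
        return 449;
    }
    % endif

    %if nginx['refspam'] == "on":
    # Block referrer spam ($badreferer map, http context) - custom code 460.
    if ($badreferer){
        return 460;
    }
    % endif
    % if nginx['sql_injection'] =="on":
    # Coarse SQL-injection heuristics on the raw query string. These "if" filters
    # are a last-resort layer only; ModSecurity (ismodsec) is the real WAF.
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 403;
    }
    % endif
    % if nginx['file_injection'] == "on":
    # Coarse remote/local file-inclusion heuristics on the raw query string
    # (same caveat as the SQL block above).
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 403;
    }
    % endif

    % if nginx['cep'] == "on":
    # Common-exploit heuristics on the raw query string (same caveat as above).
    set $block_common_exploits 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "proc/self/environ") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 403;
    }
    % endif
    %if nginx['xmlrpc']=="on":
    # Drop xmlrpc.php requests without a response. "return" runs in the rewrite
    # phase, so it fires before "deny" would be evaluated.
    location ~* ^/xmlrpc\.php$ {
        deny all;
        return 444;
    }
    %endif
    # Shared location snippets. The "[.]" glob makes each include optional:
    # an unmatched glob expands to no files instead of failing the config load.
    # Eenos Alias
    include /etc/nginx/eenos[.]conf;
    # Mailman
    include /etc/nginx/mailman[.]conf;
    # PHPMyadmin
    include /etc/nginx/phpmyadmin[.]conf;
    # phpPgAdmin
    include /etc/nginx/phppgadmin[.]conf;
    # Roundcube
    include /etc/nginx/roundcube[.]conf;
    # External Alias
    %if ismodsec == "on":
        %if nginx['modsec'] == 'off' or modsecurity == 'off' :
    # ModSecurity is switched off for this domain only; the regex "if" filters
    # above are then the only request filtering this vhost has.
    modsecurity_rules ' SecRuleEngine Off ';
        % endif
    %endif
    %if siteredirect['status']=="on":
    # Whole-site redirect: the captured path is appended verbatim to the target URL.
    location /{
        rewrite ^/(.*)$ ${siteredirect['url']}$1 permanent;
    }
    %else:
    # TLS termination only: everything is handed to Varnish over plain HTTP.
    # The X-Forwarded-* / HTTPS headers tell the backend the original scheme,
    # port and client address; the backend must trust them from this proxy only.
    location / {
        proxy_pass http://${ips['ipv4']}:${webports['varnish']['http']};
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port ${webports['nginx']['https']};
        proxy_set_header HTTPS "on";
        proxy_buffering ${nginx['proxy_buffering']};
        proxy_send_timeout ${nginx['proxy_send_timeout']};
        proxy_read_timeout ${nginx['proxy_read_timeout']};
        proxy_buffer_size ${nginx['proxy_buffer_size']};
        proxy_buffers ${nginx['proxy_buffers_num']} ${nginx['proxy_buffers_size']};
        proxy_busy_buffers_size ${nginx['proxy_busy_buffers_size']};
        proxy_temp_file_write_size ${nginx['proxy_temp_file_write_size']};
        proxy_connect_timeout ${nginx['proxy_connect_timeout']};
        proxy_http_version ${nginx['proxy_http_version']};
    }
    %endif
}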
%else:
# Nginx SSL
server {
    %if isipv4 == "on":
    listen ${ips['ipv4']}:${webports['nginx']['https']} ssl ;
        %if nginx['http3'] == "on": 
    listen ${ips['ipv4']}:${webports['nginx']['https']} quic ;        
        %endif
    %endif
    %if isipv6 == "on":
    listen  [${ips['ipv6']}]:${webports['nginx']['https']} ssl;
        %if nginx['http3'] == "on": 
    listen  [${ips['ipv6']}]:${webports['nginx']['https']} quic ;           
        %endif
    %endif
    %if nginx['http2'] == "on": 
    http2 on;    
    %else:
    http2 off;
    %endif
    %if nginx['http3'] == "on": 
    # HTTP3/QUIC Support  
    http3 on;    
    http3_hq on;
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    %else:
    http3 off;
    %endif
    % if iswildcard == "off":
        %if isdedicatedip == "on" and isdedicatedip6 == "on":
    server_name  ${servername} ${serveralias} ${ips['ipv4']} www.${ips['ipv4']} [${ips['ipv6']}];
        %elif isdedicatedip == "on" and isdedicatedip6 == "off":
    server_name  ${servername} ${serveralias} ${ips['ipv4']} www.${ips['ipv4']};
        %elif isdedicatedip == "off" and isdedicatedip6 == "on":
    server_name ${servername} ${serveralias} [${ips['ipv6']}];   
        %else:
    server_name  ${servername} ${serveralias};   
        %endif
    % else:
        %if isdedicatedip == "on" and isdedicatedip6 == "on":
    server_name  ${servername} ${ips['ipv4']} www.${ips['ipv4']} [${ips['ipv6']}];
        %elif isdedicatedip == "on" and isdedicatedip6 == "off":
    server_name  ${servername} ${ips['ipv4']} www.${ips['ipv4']};
        %elif isdedicatedip == "off" and isdedicatedip6 == "on":
    server_name  ${servername} [${ips['ipv6']}]; 
        %else:
    server_name  ${servername}; 
        %endif   
    %endif
    ssl_certificate ${sslcrt};
    ssl_certificate_key ${sslkey};
    ssl_protocols ${nginx['sslprotocol']};
    ssl_ciphers ${nginx['sslcipher']};
    %if nginx['ssl_prefer_server_ciphers'] == "on":
    # Web server control ssl ciphers
    ssl_prefer_server_ciphers on;
    %else:
    # Browser control ssl ciphers
    ssl_prefer_server_ciphers off;
    %endif
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 60m;
    %if nginx['ssl_stapling'] == "on":
    # SSL Stapling on 
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate ${sslcrt};
    %endif
    %if nginx['hsts'] == "on":
    #HSTS Protection
    add_header Strict-Transport-Security "max-age=31536000;" always;
    %endif 

    # lets encrypt auto ssl acme validation
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";                
        root /var/www/html;
    }
    root ${docroot};
    index index.php  index.perl index.pl  index.cgi  index.phtml index.shtml index.xhtml index.html index.htm index.wml Default.html Default.htm default.html default.htm home.html home.htm eenos.html;
    
    location = /favicon.ico { log_not_found off; }      
    # All access logs   
    %if nginx['access_log_buffering'] == "on":
    access_log /var/log/domlogs/${servername} main buffer=32k flush=5m;
    access_log /var/log/domlogs/${servername}-bytes_log bytes_log buffer=32k flush=5m; 
    %else:
    access_log /var/log/domlogs/${servername} main;
    access_log /var/log/domlogs/${servername}-bytes_log bytes_log;  
    %endif
    % if redirect['www-to-nonwww'] == "tononwww":
    # Redirect www to non-ww
    if ($host = 'www.${servername}' ) {                                                                                                                                                                                               
        rewrite  ^/(.*)$  https://${servername}/$1  permanent;                                                                                                                                                                    
    } 
    % endif

    % if redirect['www-to-nonwww'] == "towww":
    # Redirect non-www to www
    if ($host = '${servername}' ) {                                                                                                                                                                                               
        rewrite  ^/(.*)$  https://www.${servername}/$1  permanent;                                                                                                                                                                    
    } 
    % endif

    %if ismodsec == "on":
        %if nginx['modsec'] == 'off' or modsecurity == 'off' :
    # Disabled ModSecurity for this domain
    modsecurity_rules ' SecRuleEngine Off ';
        % endif
    %endif
    %if nginx['userdir'] == "on":
    # Userdir enabled
    location  ~ ^/~${user}(/.*)?$ {
        alias   ${docroot}/$2;
        autoindex on;
        try_files $uri $uri/ ;
    }  
    % endif
    referer_hash_bucket_size 512;   
    # Run static file directly from nginx 
    location ~* ^.+.(${nginx['file_extensions']})$ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";        
    }
    # Disable direct access to .ht files and folders
    location ~ /\.(ht|ini|log|conf)$ {
          deny all;
    }
    % if nginx['slowloris'] == "on":
    # Slowloris Dos Attack Protection
    client_body_timeout ${nginx['client_body_timeout']};
    client_header_timeout ${nginx['client_header_timeout']};
    % endif 
    keepalive_requests ${nginx['keepalive_requests']};
    keepalive_timeout ${nginx['keepalive_timeout']};
    % if nginx['symlink_protect'] == "on":
    # Symlink attack
    disable_symlinks on from=$document_root;
    % endif
    % if nginx['dirlist'] == "on":
    autoindex on;
    % else:
    autoindex off;
    % endif
    % if nginx['pseudoflv'] == "on":
    # Enabled FLV streaming    
    location ~ .flv$ {
        flv;
    }
    % endif 
    %if nginx['pseudomp4'] == "on":
    # Enabled MP4 streaming
    location ~ .mp4$ {
        mp4;
        mp4_buffer_size 4M;
        mp4_max_buffer_size 10M;
    }
    % endif 
    % if nginx['limit_connection'] == "on":
    # DDOS Layer  7 protection using ngx_http_limit_conn_module
    limit_conn perip ${nginx['limit_connection_perip']};
    limit_conn perserver ${nginx['limit_connection_perdomain']};
    limit_conn_status 444;
    % endif 
    % if nginx['request_module'] == "on":
    # DDOS Layer  7 protection using ngx_http_limit_conn_module
    limit_req zone=reqperip burst=${nginx['request_module_perip']} nodelay;
    limit_req zone=reqperserver burst=${nginx['request_module_perdomain']};
    limit_req_status 444;
    % endif 

    %if nginx['limitmethod'] == "on":
    # HTTP LIMIT METHOD PROTECTION ONLY ALLOW GET,POST,HEAD,PURGE error code 447
    if ($badmethod = 1) {
        return 447;
    }
    % endif
    %if nginx['useragent']== "on":
    # Blocking access from bad bots  error code 448
    if ($badbot){
        return 448;
    }
    % endif

    %if nginx['xss'] == "on": 
    # X-XSS protection
    add_header X-XSS-Protection "1; mode=block";
    % endif

    % if nginx['xframe'] == "on":
    # X-FRAME attach protection
    add_header X-Frame-Options "SAMEORIGIN";
    % endif

    %if nginx['scanner'] == "on":
    # Protect from  bad site scanners error code 449
    if ($badscanner = 1){
        return 449;
    }
    % endif

    %if nginx['refspam'] == "on":
    # Protect from bad refferer error code 460 
    if ($badreferer){
        return 460;
    }
    % endif
    % if nginx['sql_injection'] =="on":
    # Protect sql injections
    set $block_sql_injections 0;
    if ($query_string ~ "union.*select.*\(") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "union.*all.*select.*") {
        set $block_sql_injections 1;
    }
    if ($query_string ~ "concat.*\(") {
        set $block_sql_injections 1;
    }
    if ($block_sql_injections = 1) {
        return 403;
    }
    % endif 
    % if nginx['file_injection'] == "on":
    # Protect file injections
    set $block_file_injections 0;
    if ($query_string ~ "[a-zA-Z0-9_]=http://") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
        set $block_file_injections 1;
    }
    if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
        set $block_file_injections 1;
    }
    if ($block_file_injections = 1) {
        return 403;
    }
    % endif

    % if nginx['cep'] == "on":
    # common exploit protection
     set $block_common_exploits 0;
    if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "proc/self/environ") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
        set $block_common_exploits 1;
    }
    if ($query_string ~ "base64_(en|de)code\(.*\)") {
        set $block_common_exploits 1;
    }
    if ($block_common_exploits = 1) {
        return 403;
    }
    % endif
    % if nginx['hotlink'] == "on":
    # Hot Link protections
    location ~ \.(jpe?g|png|gif|svg|tiff|bmp|webp|bpg|css|ico|js|woff|woff2|ttf|ttc|otf|eot)$ {    
        expires 30d;    
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";    
        %if iswildcard == "off":
        valid_referers none blocked ${servername} *.${servername};
        %else:
        valid_referers none blocked ${servername};
        %endif
        if ($invalid_referer) {
            return   403;
        }
    }   
    % endif
    %if nginx['xmlrpc']=="on":
    #xml-rpc attack protection
    location ~* ^/xmlrpc.php$ {
        deny all;            
        return 444;    
    }
    %endif
    # External Alias
    # Eenos Alias
    include /etc/nginx/eenos[.]conf;
    # Mailman    
    include /etc/nginx/mailman[.]conf;    
    # PHPMyadmin 
    include /etc/nginx/phpmyadmin[.]conf;
    # phpPgAdmin 
    include /etc/nginx/phppgadmin[.]conf;   
    # Roundcube
    include /etc/nginx/roundcube[.]conf; 
    # External Alias
    %if siteredirect['status']=="on":        
    location /{
        rewrite ^/(.*)$ ${siteredirect['url']}$1 permanent;
    }
    %else:
    location / {        
        % if iscustomrewrite == 'on':
        # Custom rewrite rules
        include /var/eenos/userdata/${user}/vhosts/nginx/${servername}.rewrite;
        % else:
        # Place the custom rewrite rules and rebuild vhost
        # include /var/eenos/userdata/${user}/vhosts/nginx/${servername}.rewrite;
        % endif
        log_not_found  off;
        client_max_body_size ${nginx['client_max_body_size']};
        client_body_buffer_size ${nginx['client_body_buffer_size']};
        try_files $uri /index.php$is_args$args;        
    }
    %endif
    #phpfiles
    location ~ ^/index\.php(/|$) {
        try_files $uri =404;
        fastcgi_pass unix:${fpmsocket};
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        fastcgi_param DOCUMENT_ROOT $realpath_root;        
        include /etc/nginx/fastcgi_params;
        % if nginx['fcgicache'] == "on":
        # PHP-FPM FastCGI cache enabled
        set $no_cache 0;                                                                                                                                                                                                                
        # Only cache GET requests                                                                                                                                                                                                       
        if ($request_method != GET){                                                                                                                                                                                                    
            set $no_cache 1;                                                                                                                                                                                                        
        }                                                                                                                                                                                                                               
        #Don't cache if the URL contains a query string                                                                                                                                                                                 
        if ($query_string != ""){                                                                                                                                                                                                       
            set $no_cache 1;                                                                                                                                                                                                        
        }                                                                                                                                                                                                                               
        #Don't cache if there is a cookie called wordpress_logged_in_[hash]                                                                                                                                                             
        if ($http_cookie ~* "wordpress_logged_in_"){
            set $no_cache 1;
        }
        #Don't cache POST requests
        if ($request_method = POST)
        {
        set $no_cache 1;
        }
        #Don't cache the following URLs
        if ($request_uri ~* "/(wp-login.php|wp-admin|administrator/|login.php|backend|admin)"){
            set $no_cache 1;
        }
        #Don't cache if there is a cookie called PHPSESSID
        if ($http_cookie ~* "PHPSESSID")
        {
            set $no_cache 1;
        }
        if ($no_cache = "1") {
            add_header Set-Cookie "_mcnc=1; Max-Age=2; Path=/";
            add_header X-Microcachable "0";
        }
        fastcgi_no_cache $no_cache $http_pragma $http_authorization;
        fastcgi_cache_bypass $no_cache $cookie_nocache $arg_nocache$arg_comment;
        fastcgi_cache FASTCGICACHE;
        userid  on;
        userid_name uid;
        userid_domain   $host;
        userid_path /;
        userid_expires 30d;
        userid_p3p     'policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"';
        fastcgi_cache_key "$host$request_uri$request_method";
        fastcgi_cache_valid ${nginx['fastcgi_cache_valid']};
            % if nginx['fastcgi_cache_use_stale'] == "on":
        fastcgi_cache_use_stale updating error timeout invalid_header http_500;
            % endif
        fastcgi_cache_min_uses ${nginx['fastcgi_cache_min_use']};
            % if nginx['fastcgi_cache_revalidate'] == "on":
        fastcgi_cache_revalidate on;
            % else:
        fastcgi_cache_revalidate off;
            % endif    
            % if nginx['fastcgi_cache_lock']=="on":
        fastcgi_cache_lock on;
            % else:
        fastcgi_cache_lock off;
            % endif
        fastcgi_pass_header Set-Cookie;
        fastcgi_pass_header Cookie;
        fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
        add_header X-Cache-Status $upstream_cache_status;
        fastcgi_cache_purge PURGE purge_all from all;
        % endif     
        internal;           
    }

    location ~ \.php$ {
        return 404;
    }
    % if iscustominclude == 'on':
# Custom include
include /var/eenos/userdata/${user}/vhosts/nginx/${servername}.include;
    % else:
# Place your custom includes and rebuild vhost
# include /var/eenos/userdata/${user}/vhosts/nginx/${servername}.include;
    % endif 
    
}
%endif
%endif
% if iswildcard == "off":
# .....................................................
# Webmail vhost for  mail.${servername}
#HTTP
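server {
    # Webmail HTTP vhost: serves the bundled webmail from its fixed docroot,
    # or redirects to HTTPS when the redirect option is on (and Varnish is off).
    %if isipv4 == "on":
    listen ${ips['ipv4']}:${webports['nginx']['http']};
    %endif
    %if isipv6 == "on":
    listen  [${ips['ipv6']}]:${webports['nginx']['http']};
    %endif
    server_name  mail.${servername};
    # lets encrypt auto ssl acme validation
    # Served from a fixed shared root so ACME HTTP-01 works regardless of the
    # webmail docroot below; "^~" keeps the regex locations from overriding it.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html;
    }
    root /usr/local/eenos/3rdparty/webmail/;
    index index.php index.html index.htm;
    location = /favicon.ico { log_not_found off; }
    # NOTE(review): this branch tests 'issvarnish' while the HTTPS section of
    # this template tests 'isvarnish' -- confirm both template variables exist.
    %if redirect['http-to-https'] == "on" and issvarnish=="off" :
    location /{
        # 301 to HTTPS. $host comes from the request Host header; this only
        # points at this site if no other Host can be routed to this block.
        rewrite ^/(.*) https://$host$request_uri permanent;
    }
    %else:
    # Without the redirect the webmail (including its login) is served over
    # plain HTTP from this block.
    %if ismodsec == "on":
    # Disabled ModSecurity for this domain
    modsecurity_rules ' SecRuleEngine Off ';
    %endif
        %if issvarnish=="off":
    # Varnish ssl redirect Disabled
        %endif
    # All access logs
    %if nginx['access_log_buffering'] == "on":
    access_log /var/log/domlogs/${servername} main buffer=32k flush=5m;
    access_log /var/log/domlogs/${servername}-bytes_log bytes_log buffer=32k flush=5m;
    %else:
    access_log /var/log/domlogs/${servername} main;
    access_log /var/log/domlogs/${servername}-bytes_log bytes_log;
    %endif
    # Deny direct access to webmail internals. The pattern is unanchored and
    # case-sensitive ("~"), so these directory names are refused anywhere in the path.
    location ~/(bin|config|installer|logs|SQL|examples|setup)/ {
        deny all;
        return 403;
    }
    location ~* \.(inc.*\.php)$ {
        deny all;
        return 403;
    }
    location ~\.(ini|log|conf|lock|json|md|dist)$ {
         deny all;
         return 403;
    }
    location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
        deny all;
    }
    # Run static file directly from nginx
    # The dot before the extension list is escaped: an unescaped "." matched any
    # character, so e.g. "/foocss" was also treated as a static asset.
    # Assumes the extension list does not contain "php"; this regex location is
    # tried before the PHP one below.
    location ~* ^.+\.(${nginx['file_extensions']})$ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
    }

    # try_files before fastcgi_pass so non-existent scripts never reach PHP-FPM
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/eenos-data-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }
    location = /robots.txt { log_not_found off; }
    location /{
        try_files $uri $uri/ =404;
    }
    %endif
}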
%if havessl=="on" or mail_ssl=="on":
#HTTPS
%if isvarnish=="on":
# Varnish ssl termination 
server {
    # Webmail HTTPS vhost when Varnish is enabled: nginx terminates TLS here
    # and proxies plain HTTP to Varnish; access logging is left to the proxy.
    %if isipv4 == "on":
    listen ${ips['ipv4']}:${webports['nginx']['https']} ssl ;
    %endif
    %if isipv6 == "on":
    listen  [${ips['ipv6']}]:${webports['nginx']['https']} ssl;
    %endif
    %if nginx['http2'] == "on": 
    http2 on;    
    %else:
    http2 off;
    %endif
    server_name  mail.${servername};
    # Dedicated mail certificate when configured, otherwise the domain certificate
    %if mail_ssl=='on':
    ssl_certificate ${mail_ssl_crt};
    ssl_certificate_key ${mail_ssl_key};
    %else:
    ssl_certificate ${sslcrt};
    ssl_certificate_key ${sslkey};
    %endif
    ssl_protocols ${nginx['sslprotocol']};
    ssl_ciphers ${nginx['sslcipher']};
    %if nginx['ssl_prefer_server_ciphers'] == "on":
    # Web server control ssl ciphers
    ssl_prefer_server_ciphers on;
    %else:
    # Browser control ssl ciphers
    ssl_prefer_server_ciphers off;
    %endif
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 60m;
    %if nginx['ssl_stapling'] == "on":
    # SSL Stapling on 
    ssl_stapling on;
    ssl_stapling_verify on;
    # NOTE(review): verification trusts the domain certificate file even when the
    # mail-specific certificate is served above; ssl_trusted_certificate should
    # hold the issuer chain of the certificate actually served -- confirm.
    ssl_trusted_certificate ${sslcrt};
    %endif
    %if nginx['hsts'] == "on":
    #HSTS Protection
    add_header Strict-Transport-Security "max-age=31536000;" always;
    %endif 
    add_header X-Served-By "eenos varnish"; 
    # All access logs will be handled by proxy
    access_log off;
    # Disable direct access to .ht files and folders
    # A regex location takes precedence over the plain "location /" prefix
    # below, so these names are refused before anything is proxied to Varnish.
    location ~ /\.(ht|ini|log|conf)$ {
          deny all;
    }
    %if ismodsec == "on":       
    # Disabled ModSecurity for this domain
    modsecurity_rules ' SecRuleEngine Off ';       
    %endif
    location / {
        # Upstream is plain HTTP on the Varnish port; the X-Forwarded-* and
        # HTTPS headers tell the backend the client connection was TLS.
        proxy_pass http://${ips['ipv4']}:${webports['varnish']['http']};
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port ${webports['nginx']['https']};
        proxy_set_header HTTPS "on";
          
    }
}
%else:
# Nginx SSL
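server {
    # Webmail HTTPS vhost served directly by nginx (no Varnish in front).
    %if isipv4 == "on":
    listen ${ips['ipv4']}:${webports['nginx']['https']} ssl ;
        %if nginx['http3'] == "on": 
    # NOTE(review): several server blocks share this quic address; check whether
    # the nginx version in use needs "reuseport" on the quic listen.
    listen ${ips['ipv4']}:${webports['nginx']['https']} quic ;
        %endif
    %endif
    %if isipv6 == "on":
    listen  [${ips['ipv6']}]:${webports['nginx']['https']} ssl;
        %if nginx['http3'] == "on": 
    listen  [${ips['ipv6']}]:${webports['nginx']['https']} quic ;
        %endif
    %endif
    %if nginx['http2'] == "on": 
    http2 on;
    %else:
    http2 off;
    %endif
    %if nginx['http3'] == "on": 
    # HTTP3/QUIC Support
    http3 on;
    http3_hq on;
    # Advertise HTTP/3 on the same port for one day
    add_header Alt-Svc 'h3=":$server_port"; ma=86400';
    %else:
    http3 off;
    %endif
    server_name  mail.${servername};
    # Dedicated mail certificate when configured, otherwise the domain certificate
    %if mail_ssl=='on':
    ssl_certificate ${mail_ssl_crt};
    ssl_certificate_key ${mail_ssl_key};
    %else:
    ssl_certificate ${sslcrt};
    ssl_certificate_key ${sslkey};
    %endif
    ssl_protocols ${nginx['sslprotocol']};
    ssl_ciphers ${nginx['sslcipher']};
    %if nginx['ssl_prefer_server_ciphers'] == "on":
    # Web server control ssl ciphers
    ssl_prefer_server_ciphers on;
    %else:
    # Browser control ssl ciphers
    ssl_prefer_server_ciphers off;
    %endif
    ssl_session_cache   shared:SSL:20m;
    ssl_session_timeout 60m;
    %if nginx['ssl_stapling'] == "on":
    # SSL Stapling on
    ssl_stapling on;
    ssl_stapling_verify on;
    # NOTE(review): verification trusts the domain certificate file even when the
    # mail-specific certificate is served above; ssl_trusted_certificate should
    # hold the issuer chain of the certificate actually served -- confirm.
    ssl_trusted_certificate ${sslcrt};
    %endif
    %if nginx['hsts'] == "on":
    #HSTS Protection
    add_header Strict-Transport-Security "max-age=31536000;" always;
    %endif 
    # lets encrypt auto ssl acme validation
    # Served from a fixed shared root so ACME HTTP-01 works regardless of the
    # webmail docroot below; "^~" keeps the regex locations from overriding it.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/html;
    }
    root /usr/local/eenos/3rdparty/webmail/;
    index index.php index.html index.htm;
    location = /favicon.ico { log_not_found off; }
    # All access logs
    %if nginx['access_log_buffering'] == "on":
    access_log /var/log/domlogs/${servername} main buffer=32k flush=5m;
    access_log /var/log/domlogs/${servername}-bytes_log bytes_log buffer=32k flush=5m;
    %else:
    access_log /var/log/domlogs/${servername} main;
    access_log /var/log/domlogs/${servername}-bytes_log bytes_log;
    %endif
    %if ismodsec == "on":
    # Disabled ModSecurity for this domain
    modsecurity_rules ' SecRuleEngine Off ';
    %endif
    # Deny direct access to webmail internals. The pattern is unanchored and
    # case-sensitive ("~"), so these directory names are refused anywhere in the path.
    location ~/(bin|config|installer|logs|SQL|examples|setup)/ {
        deny all;
        return 403;
    }
    location ~* \.(inc.*\.php)$ {
        deny all;
        return 403;
    }
    location ~\.(ini|log|conf|lock|json|md|dist)$ {
         deny all;
         return 403;
    }
    location ~ ^/(README|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
        deny all;
    }
    # Run static file directly from nginx
    # The dot before the extension list is escaped: an unescaped "." matched any
    # character, so e.g. "/foocss" was also treated as a static asset.
    # Assumes the extension list does not contain "php"; this regex location is
    # tried before the PHP one below.
    location ~* ^.+\.(${nginx['file_extensions']})$ {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
        # add_header is not inherited into a location that sets its own headers,
        # so the server-level HSTS header is repeated here (the server-level
        # Alt-Svc header is likewise not sent for these responses).
        %if nginx['hsts'] == "on":
        add_header Strict-Transport-Security "max-age=31536000;" always;
        %endif
    }

    # try_files before fastcgi_pass so non-existent scripts never reach PHP-FPM
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/eenos-data-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }
    location = /robots.txt { log_not_found off; }
    location /{
        try_files $uri $uri/ =404;
    }
}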
%endif
%endif
# End of Webmail vhost
%endif