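# HTTPS virtual host for secure.hivtrace.cdc.gov: terminates TLS and
# reverse-proxies every request to the application on localhost:3000.
server {
    # TLS is enabled with the `ssl` parameter of `listen`. The standalone
    # `ssl on;` directive was deprecated in nginx 1.15.0 and removed in 1.25.1,
    # where it makes the configuration fail to load.
    listen 443 ssl;
    server_name secure.hivtrace.cdc.gov;

    ssl_certificate /etc/letsencrypt/live/secure.hivtrace.cdc.gov/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/secure.hivtrace.cdc.gov/privkey.pem; # managed by Certbot
    ssl_session_timeout 5m;

    # Only TLS 1.2 is offered.
    # NOTE(review): TLSv1.3 could be added, but it needs nginx >= 1.13.0 built
    # against OpenSSL 1.1.1 -- confirm the deployed build before changing this.
    ssl_protocols TLSv1.2;

    # Cipher preference list (server order wins, see ssl_prefer_server_ciphers).
    # NOTE(review): the +SHA256/+SHA384 entries and the bare EECDH / EDH+aRSA
    # entries also admit CBC-mode suites; trim to the AESGCM entries if all
    # clients support AEAD. On nginx >= 1.11.0 the EDH entries are inert unless
    # ssl_dhparam is set, and no ssl_dhparam appears in this block.
    ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA256:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EDH+aRSA+AESGCM:EDH+aRSA+SHA256:EDH+aRSA:EECDH:!aNULL:!eNULL:!MEDIUM:!LOW:!DES:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED";
    ssl_prefer_server_ciphers on;

    # Accept request bodies up to 800 MB. nginx buffers proxied request bodies
    # to temporary files by default, so size the temp storage accordingly and
    # make sure the backend authenticates before accepting large uploads.
    client_max_body_size 800M;

    # Compress JSON responses of at least 1000 bytes. gzip_proxied only applies
    # to requests that arrive through another proxy (i.e. carry a Via header).
    # NOTE(review): compressing TLS responses that combine secrets with
    # request-reflected data enables BREACH-style length side channels; confirm
    # that the JSON endpoints do not do that.
    gzip on;
    gzip_min_length 1000;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types application/json;

    # Response headers. `always` makes nginx emit them on error responses
    # (4xx/5xx) too; without it HSTS was sent only on 2xx/3xx responses.
    # These server-level add_header lines are inherited by the locations below
    # only while those locations declare no add_header of their own.
    add_header x-frame-options "SAMEORIGIN" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;" always;

    #charset koi8-r;

    #access_log logs/host.access.log main;

    # Strip the /qa prefix. The rewrite has no flag, so when it matches
    # (/qa/<rest>) nginx repeats the location search with the new URI and the
    # request is served by `location /`. The proxy_* directives in this block
    # therefore apply only to URIs the regex does not match, such as /qa itself
    # or /qa<other> (the prefix match has no trailing slash).
    location /qa {
        rewrite ^/qa/(.*)$ /$1;
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent; the backend must trust only the
        # right-most entry (or X-Real-IP), never the client-supplied prefix.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Default route: forward everything else to the application unchanged.
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Same caveat as in /qa: the client controls all but the last entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}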