server {
    listen 10.8.0.1:443 ssl http2;
    listen [::]:443 ssl http2;
    server_name pbx.ins;

    ssl_certificate /etc/nginx/ssl/pbx-ins.chain.crt;
    ssl_certificate_key /etc/nginx/ssl/pbx-ins.key.pem;

    ssl_session_cache builtin:1000 shared:SSL:10m;
    #include /etc/nginx/error/502;
    #include /etc/nginx/error/504;
    #include /etc/nginx/error/500;
    #include /etc/nginx/error/404;
    #include /etc/nginx/error/429;
    ssl_protocols TLSv1.2;

    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    ssl_prefer_server_ciphers on;

    ssl_stapling on;
    ssl_stapling_verify on;
    client_max_body_size 230M;
    client_body_timeout 1h;
    #limit_req zone=one burst=15;
    root /var/www/html;

    index index.html index.htm index.php;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ \.php$ {
        include snippets/fastcgi-php.conf;  # server defaults are good
        fastcgi_pass unix:/run/php/php7.3-fpm-asterisk.sock;
        fastcgi_param HTACCESS on;  # disables FreePBX htaccess warning
        proxy_read_timeout 800;
    }

    # disallows the things that the FreePBX .htaccess files disallow
    location ~ (/\.ht|/\.git|\.ini$|/libraries|/helpers|/i18n|/node|/views/.+php$) {
        deny all;
    }

    # from the api module .htaccess file
    rewrite ^/admin/api/([^/]*)/([^/]*)/?(.*)?$ /admin/api/api.php?module=$1&command=$2&route=$3 last;

}