#daemon off; ##Included in CMD
error_log /dev/stdout info;
worker_processes 1;

# user nobody nogroup;
pid /tmp/nginx.pid;

events {
    worker_connections 1024;
    accept_mutex off;
}

http {
    include mime.types;
    default_type application/octet-stream;
    access_log /dev/stdout combined;
    sendfile on;
    client_max_body_size 16m;
    large_client_header_buffers 4 2k;

    limit_req_zone $binary_remote_addr zone=login_ip:10m rate=30r/m;
    limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
    limit_conn conn_per_ip 100;

    upstream app_server {
        # For a TCP configuration:
        server gitrefineryapp:5000 fail_timeout=0;
    }

    server {
        listen 80 default;
        server_name _;

        keepalive_timeout 5;

        # path for static files
        root /usr/share/nginx/html;

        return 301 https://layers.openembedded.org$request_uri;
    }

    server {
        listen 80;
        server_name layers.openembedded.org;

        keepalive_timeout 5;

        # path for static files
        root /usr/share/nginx/html;

        location /.well-known/acme-challenge/ {
            limit_except GET POST OPTIONS { deny  all; }
            root /var/www/certbot;
        }

        location / {
            limit_except GET POST OPTIONS { deny  all; }
            return 301 https://layers.openembedded.org$request_uri;
        }
    }

    server {
        listen              443 ssl default;
        server_name _;
        ssl_certificate     /etc/letsencrypt/live/layers.openembedded.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/layers.openembedded.org/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL;
        ssl_ecdh_curve      secp521r1;
        ssl_session_cache   shared:SSL:12m;
        ssl_session_timeout 12m;
        gzip                off;

        keepalive_timeout 5;

        # path for static files
        root /usr/share/nginx/html;

        return 301 https://layers.openembedded.org$request_uri;
    }

    server {
        listen              443 ssl;
        server_name         layers.openembedded.org;
        ssl_certificate     /etc/letsencrypt/live/layers.openembedded.org/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/layers.openembedded.org/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers         ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL;
        ssl_ecdh_curve      secp521r1;
        ssl_session_cache   shared:SSL:12m;
        ssl_session_timeout 12m;
        gzip                off;

        add_header X-Content-Type-Options nosniff;

        keepalive_timeout 20;

        # path for static files
        root /usr/share/nginx/html;

        location /favicon.ico {
            limit_except GET POST OPTIONS { deny  all; }
            return 301 https://layers.openembedded.org/static/img/favicon.ico;
        }

        location /protected/imagecompare-patches {
            internal;
            add_header X-Status $upstream_http_x_status;
            limit_except GET POST OPTIONS { deny  all; }
            root /opt/www;
        }

        location / {
            limit_except GET POST OPTIONS { deny  all; }
            try_files $uri @proxy_to_app;
        }

        location /accounts/login {
            limit_except GET POST OPTIONS { deny  all; }
            limit_req zone=login_ip burst=5;
            try_files $uri @proxy_to_app;
        }

        location @proxy_to_app {
            limit_except GET POST OPTIONS { deny  all; }

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_redirect off;

            proxy_pass   http://app_server;
        }
    }
}