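## Reverse proxy for template.tld: terminates TLS, forwards HTTP traffic to the
## web instance and long-lived connections to the websocket interface.
## This file is meant to be included from the http{} context, which must also
## define the "stale_cache" proxy_cache_path zone used below and load the
## ngx_brotli module (drop the brotli_* directives if it is not built in).

## Define the address of the web instance ##
upstream template-web {
    server 127.0.0.1:8000;
}

## Define the address of the web websocket interface for persistent connections ##
upstream template-websocket {
    server 127.0.0.1:9000;
}

# http -> https
server {
    listen 80;
    server_name template.tld www.template.tld;
    # "return 301" is the idiomatic replacement for "rewrite ^(.*) https://$host$1 permanent"
    # and preserves both the path and the query string.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name template.tld www.template.tld;

    # No upload size limit and long timeouts: the upstream handles large, slow requests.
    client_max_body_size 0;
    proxy_read_timeout 720s;
    proxy_connect_timeout 720s;
    proxy_send_timeout 720s;
    proxy_max_temp_file_size 0;
    sendfile_max_chunk 1m;

    ## Add Headers for web proxy mode ##
    # The upstream relies on these to reconstruct the original client address and scheme.
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;

    ## SSL parameters ##
    ssl_certificate /etc/ssl/webcloud/sites/template.tld/template.tld.crt;
    ssl_certificate_key /etc/ssl/webcloud/sites/template.tld/template.tld.key;
    ssl_dhparam /etc/ssl/webcloud/dhparam.pem;
    ssl_session_cache shared:MozSSL:50m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years).
    # "always" also sends the header on error responses.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    # Public resolvers are queried over plain UDP for OCSP; use an internal resolver if one exists.
    resolver 8.8.4.4 8.8.8.8;

    ## Log ##
    access_log /var/log/nginx/template.tld.access.log;
    error_log /var/log/nginx/template.tld.error.log;

    ## Redirect all web traffic to the web instance ##
    location / {
        proxy_redirect off;
        proxy_pass http://template-web;
    }

    ## Static assets: served through the "stale_cache" zone defined in the http{} context ##
    location ~* ^/([^/]+/static/|web/(css|js)/|website/image/) {
        proxy_cache stale_cache;
        proxy_cache_valid 200 100m;
        proxy_cache_valid any 1m;
        proxy_cache_revalidate on;
        proxy_cache_use_stale error timeout updating;
        proxy_cache_background_update on;
        proxy_cache_lock on;
        proxy_buffering on;
        # Any request carrying a Cache-Control header skips the cache and reaches the upstream;
        # acceptable for static files, but it lets a client force origin fetches at will.
        proxy_cache_bypass $http_cache_control;

        # CORS for static assets only. The original also sent
        # Access-Control-Allow-Credentials: true, which browsers reject together with a
        # wildcard origin and which these public assets do not need, so it is not set.
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        add_header X-Cache-Status $upstream_cache_status;
        # add_header is not inherited once a location sets its own headers, so HSTS must be
        # repeated here; keep it identical to the server-level policy (the original sent a
        # different max-age from this location, leaving the site with two HSTS policies).
        add_header Strict-Transport-Security "max-age=63072000" always;

        proxy_set_header If-None-Match $http_if_none_match;
        expires 30d;
        proxy_pass http://template-web;
    }

    ## Redirect persistent connections to the websocket endpoint ##
    # NOTE(review): no HTTP/1.1 + Upgrade/Connection headers are forwarded here; if the
    # upstream expects a real WebSocket handshake rather than long-polling, add them.
    location /longpolling {
        proxy_pass http://template-websocket;
    }

    ## Define content types that can be compressed and cached for better network performance ##
    gzip on;
    gzip_types text/css text/less text/plain text/xml application/xml application/json application/javascript;
    brotli on;
    brotli_static on;
    brotli_comp_level 6;
    brotli_types text/xml image/svg+xml application/x-font-ttf image/vnd.microsoft.icon application/x-font-opentype application/json font/eot application/vnd.ms-fontobject application/javascript font/otf application/xml application/xhtml+xml text/javascript application/x-javascript text/plain application/x-font-truetype application/xml+rss image/x-icon font/opentype text/css image/x-win-bitmap;
}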