#
# Config for bondingadmin
#

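server {
        # Dual-stack sockets: ipv6only=off makes each [::] listener accept IPv4 too.
        # Port 80 stays open because some locations below are deliberately served
        # over plain HTTP; only "/" redirects and only "/api/" refuses it.
        listen   [::]:80 ipv6only=off default_server;
        listen   [::]:443 ipv6only=off default_server ssl;

        ssl_certificate /etc/bondingadmin/crt.pem;
        ssl_certificate_key /etc/bondingadmin/key.pem;

        ssl_session_timeout 20m;
        ssl_session_cache shared:SSL:10m;
        # TLS 1.2 only, AES128 suites with ephemeral ECDH/DH key exchange;
        # !aNULL removes unauthenticated suites.
        ssl_protocols TLSv1.2;
        ssl_ciphers AES128+EECDH:AES128+EDH:!aNULL;
        ssl_prefer_server_ciphers on;

        # Custom DH group used by the EDH suites above.
        ssl_dhparam /etc/bondingadmin/dhparams.pem;

        # Server-level response headers. nginx inherits add_header from this level
        # ONLY into locations that declare no add_header of their own, so any
        # location that adds a header must repeat these two.
        # NOTE(review): no Strict-Transport-Security header is set; whether one is
        # appropriate depends on the certificate being publicly trusted - confirm.
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        # Maximum read timeout of 5 minutes to allow for longer speed tests.
        # This should be reduced when we refactor speed tests
        uwsgi_read_timeout 300s;

        # NOTE(review): gzip also applies to dynamic HTTPS responses (JSON, XML).
        # Compressing responses that mix secrets with request-controlled data is
        # the precondition for BREACH-style leaks; confirm the application's
        # token handling accounts for this.
        gzip on;
        gzip_types text/css text/plain text/xml application/xml application/javascript application/x-javascript text/javascript application/json text/x-json;

        location /api/ {
                # Ignore non-https requests to /api
                # 444 closes the connection without a response. The request itself,
                # including any credentials in it, has already been sent in
                # cleartext by the time it is dropped.
                if ($scheme = http) {
                        return 444;
                }
                include uwsgi_params;
                uwsgi_pass unix:///run/bondingadmin/uwsgi.sock;
        }

        location / {
                # Redirect http to https
                if ($scheme = http) {
                        return 301 https://$host$request_uri;
                }
                # Declaring add_header here stops the server-level headers from
                # being inherited, so they are repeated; without them the
                # application pages are served with no framing or sniffing
                # protection.
                add_header X-Frame-Options DENY;
                add_header X-Content-Type-Options nosniff;
                # Don't use compatibility mode in Internet Explorer
                add_header "X-UA-Compatible" "IE=Edge";
                include uwsgi_params;
                uwsgi_pass unix:///run/bondingadmin/uwsgi.sock;
        }

        # Static fallback page when the uwsgi backend is unavailable.
        error_page 502 503 504 @error;

        location @error {
                root /usr/share/bondingadmin;
                rewrite ^(.*)$ /50x.html break;
        }

        # The file-serving locations below have no scheme check, so they answer
        # on both port 80 and port 443.
        location /static/ {
                gzip_static on;
                alias /var/lib/bondingadmin/static-files/;
        }

        location /media/ {
                gzip_static on;
                alias /var/lib/bondingadmin/media/;
        }

        # Ask crawlers not to index anything on this host.
        location /robots.txt {
                return 200 "User-agent: *\nDisallow: /\n";
        }

        location ~ ^/docs/(attachments|images|styles)/(.*)$ {
                alias /usr/share/doc/bondingadmin/documentation/$1/$2;
        }

        # Regex locations are tried in file order: the exact "/iso/" match below
        # blocks the top-level listing, while deeper paths fall through to the
        # next block, where autoindex still lists subdirectories.
        location ~ ^/iso/$ {
                deny all;
        }

        location ~ ^/iso/(.*)$ {
                alias /var/lib/bondingadmin/isos/$1;
                autoindex on;
        }

        # Same pattern as /iso/: top-level listing denied, subpaths served.
        location ~ ^/oem-iso/$ {
                deny all;
        }

        location ~ ^/oem-iso/(.*)$ {
                alias /var/lib/bondingadmin/debian-10-isos/$1;
                autoindex on;
        }

        location /metrics_api/ {
                proxy_buffering off;
                # Proxy target and any access control live in the included file,
                # which is not part of this config; review it alongside this block.
                include /etc/bondingadmin/influxdb_proxy.conf;
        }

        location ~ ^/preseed.*cfg.* {
                # Don't redirect preseed requests to HTTPS
                # NOTE(review): these responses are generated by the application and
                # travel in cleartext on port 80; confirm they carry no secrets.
                include uwsgi_params;
                uwsgi_pass unix:///run/bondingadmin/uwsgi.sock;
                uwsgi_intercept_errors on;
                error_page 404 @preseederror;
        }

        location @preseederror {
                root /usr/share/bondingadmin;
                rewrite ^(.*)$ /preseed404.html break;
        }

        # The pattern has unescaped dots and no end anchor, so it matches more
        # URIs than the literal file name; every match serves the same fixed file.
        location ~ ^/preseed-network-interface-names.sh {
                alias /usr/share/bondingadmin/installer-scripts/preseed-network-interface-names.sh;
                default_type text/plain;
        }

        # Package trees with directory listings enabled, reachable over HTTP and
        # HTTPS alike; nothing private should be placed under these directories.
        location /debian/ {
                alias /var/lib/bondingadmin/debian/;
                autoindex on;
        }

        location /repos/ {
                alias /var/lib/bondingadmin/repos/;
                autoindex on;
        }

        location /nginx_status {
                stub_status on;
                access_log off;
                # IPv4 loopback only; ::1 is not listed, so local scrapers must
                # connect to 127.0.0.1.
                allow 127.0.0.1;
                deny all;
        }

        # "internal" locations return 404 to direct client requests and are
        # reachable only through internal redirects.
        # NOTE(review): presumably the application authorises the request and
        # then hands off with X-Accel-Redirect - confirm against the app.
        location /protected/ {
                internal;
                alias /var/lib/bondingadmin/http/protected/;
        }

        location /_docs/ {
                internal;
                alias /var/lib/bondingadmin/http/docs/;
                try_files $uri $uri/index.html =404;
                error_page 404 =404 /_docs/404.html;
        }

        # Uses root (not alias), so files are read from
        # /var/lib/bondingadmin/certbot/.well-known/... ; "allow all" is a no-op
        # while no enclosing level denies access.
        location /.well-known/ {
                root /var/lib/bondingadmin/certbot/;
                allow all;
        }
}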
