#
# Config for bondingadmin
#

# Main (default) vhost. One dual-stack socket per port (ipv6only=off), so
# both IPv4 and IPv6 clients land here. Plain HTTP is served on purpose
# (see the /preseed location); only /api/ refuses non-TLS requests.
server {
        listen   [::]:80 ipv6only=off default_server;
        listen   [::]:443 ipv6only=off default_server ssl;

        ssl_certificate /etc/bondingadmin/crt.pem;
        ssl_certificate_key /etc/bondingadmin/key.pem;

        # Session resumption via the shared server-side cache (10 MB).
        ssl_session_timeout 20m;
        ssl_session_cache shared:SSL:10m;
        # TLS 1.2 only, forward-secret AES-128 suites (ECDHE and DHE), no
        # anonymous suites, server picks the suite.
        # NOTE(review): TLSv1.3 is not enabled; add it to ssl_protocols if the
        # nginx/OpenSSL build in use supports it.
        ssl_protocols TLSv1.2;
        ssl_ciphers AES128+EECDH:AES128+EDH:!aNULL;
        ssl_prefer_server_ciphers on;

        # Group for the DHE (AES128+EDH) suites. The strength is whatever
        # dhparams.pem was generated with — confirm it is at least 2048 bits.
        ssl_dhparam /etc/bondingadmin/dhparams.pem;

        # Sent with every response from this vhost; no location below defines
        # its own add_header, so these are inherited everywhere.
        # NOTE(review): no Strict-Transport-Security here, presumably because
        # this vhost intentionally serves plain-HTTP paths — confirm before
        # adding it.
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;

        # Needed for proxy_pass with a variable target (see /download/).
        include /etc/bondingadmin/nginx/resolver.conf;

        # Maximum read timeout of 5 minutes to allow for longer speed tests.
        # This should be reduced when we refactor speed tests
        uwsgi_read_timeout 300s;

        # Compression applies to proxied/uwsgi responses as well as static
        # files (application/json covers /api/ replies over TLS).
        # NOTE(review): compressing dynamic TLS responses that reflect request
        # data alongside secrets is the BREACH pattern; confirm /api/ responses
        # do not, or restrict gzip to the static locations.
        gzip on;
        gzip_types text/css text/plain text/xml application/xml application/javascript application/x-javascript text/javascript application/json text/x-json;

        location /api/ {
                # Ignore non-https requests to /api: 444 closes the connection
                # without a response, so nothing (including credentials) is
                # answered or redirected in the clear.
                if ($scheme = http) {
                        return 444;
                }
                include uwsgi_params;
                uwsgi_pass unix:///run/bondingadmin/uwsgi.sock;
        }

        # Temporary beta frontend, proxied to the "beta" upstream defined below.
        # Prefix match without a trailing slash, so /betaXYZ matches too.
        #
        location /beta {
                proxy_pass http://beta/;
        }

        # Include the chosen default frontend. The commands
        # bondingadmin-frontend-beta and bondingadmin-frontend-classic can be
        # used to choose one.
        #
        include /etc/bondingadmin/nginx/frontend.conf;

        # Backend-down errors get the static page from the named location.
        error_page 502 503 504 @error;

        location @error {
                root /usr/share/bondingadmin;
                rewrite ^(.*)$ /50x.html break;
        }

        # alias targets end in a slash like their locations, so there is no
        # off-by-slash exposure of sibling directories.
        location /static/ {
                gzip_static on;
                alias /var/lib/bondingadmin/static-files/;
        }

        location /media/ {
                gzip_static on;
                alias /var/lib/bondingadmin/media/;
        }

        # Ask crawlers to stay away from everything.
        location /robots.txt {
                return 200 "User-agent: *\nDisallow: /\n";
        }

        # Only the three whitelisted documentation subdirectories are exposed.
        # The regex is matched against the normalized $uri (dot-segments already
        # resolved), so $2 cannot climb out of the selected subdirectory.
        location ~ ^/docs/(attachments|images|styles)/(.*)$ {
                alias /usr/share/doc/bondingadmin/documentation/$1/$2;
        }

        # Regex locations are tried in file order: the exact root listing is
        # denied here before the capture location below can match it.
        # NOTE(review): only the top-level listing is denied; with autoindex on,
        # any subdirectory under /iso/ is still listable — confirm intended.
        location ~ ^/iso/$ {
                deny all;
        }

        location ~ ^/iso/(.*)$ {
                alias /var/lib/bondingadmin/isos/$1;
                autoindex on;
        }

        # Same directory as /iso/, same root-listing deny, same autoindex caveat.
        location ~ ^/oem-iso/$ {
                deny all;
        }

        location ~ ^/oem-iso/(.*)$ {
                alias /var/lib/bondingadmin/isos/$1;
                autoindex on;
        }

        # Streams metrics straight through (no response buffering).
        location /metrics_api/ {
                proxy_buffering off;
                include /etc/bondingadmin/influxdb_proxy.conf;
        }

        # Installer preseed files: intentionally reachable over plain HTTP and
        # excluded from any https redirect (which presumably lives in
        # frontend.conf, not visible here — confirm). A 404 from the app is
        # intercepted and replaced with the static page below.
        location ~ ^/preseed.*cfg.* {
                # Don't redirect preseed requests to HTTPS
                include uwsgi_params;
                uwsgi_pass unix:///run/bondingadmin/uwsgi.sock;
                uwsgi_intercept_errors on;
                error_page 404 @preseederror;
        }

        location @preseederror {
                root /usr/share/bondingadmin;
                rewrite ^(.*)$ /preseed404.html break;
        }

        # Single static installer script, forced to text/plain.
        location ~ ^/preseed-network-interface-names.sh {
                alias /usr/share/bondingadmin/installer-scripts/preseed-network-interface-names.sh;
                default_type text/plain;
        }

        # $download is expected to be defined by download.conf (not visible
        # here). /download/X is forwarded as /bonding/X and Location headers
        # pointing back at /bonding are rewritten to /download.
        location /download/ {
                include /etc/bondingadmin/nginx/download.conf;
                rewrite ^/download(.*) /bonding$1 break;
                proxy_pass http://$download;
                proxy_redirect http://$download/bonding /download;
        }

        location /debian {
                include uwsgi_params;
                uwsgi_pass unix:///run/bondingadmin/uwsgi.sock;
        }

        # /repos/<version>/<path> is re-dispatched to /download/ (the "last"
        # rewrite restarts location matching), after a 301 to add the slash.
        location /repos {
                rewrite ^/repos/([0-9.]+)$ $1/ permanent; # Adds trailing slash if missing
                rewrite ^/repos/([0-9.]+)/(.*)$ /download/$1/debian/$2 last;
        }

        # stub_status for local monitoring only.
        # NOTE(review): only IPv4 loopback is allowed; on this dual-stack
        # socket a client connecting via ::1 is denied — add `allow ::1;` if
        # local monitoring resolves localhost to IPv6.
        location /nginx_status {
                stub_status on;
                access_log off;
                allow 127.0.0.1;
                deny all;
        }

        # "internal": reachable only via X-Accel-Redirect, error_page or a
        # rewrite; a direct client request gets 404.
        location /protected/ {
                internal;
                alias /var/lib/bondingadmin/http/protected/;
        }

        location /_docs/ {
                internal;
                alias /var/lib/bondingadmin/http/docs/;
                try_files $uri $uri/index.html =404;
                error_page 404 =404 /_docs/404.html;
        }

        # ACME http-01 challenge directory for certbot.
        location /.well-known/ {
                root /var/lib/bondingadmin/certbot/;
                allow all;
        }
}

# Temporary beta frontend.
#
# This is handled as an upstream since nginx has issues with try_files on a
# suburl. Page reloads for HTML5 URLs would end up hitting Django and causing
# a 404 that gets passed to the client. By handling it as a separate server,
# try_files won't attempt to hit Django and we can simply proxy the /beta
# location internally
#
# Loopback on port 80, i.e. the main listener; the "beta" vhost below is
# selected by the Host header (proxy_pass sets it to the upstream name).
# NOTE(review): since it shares the public port 80, the beta vhost is also
# reachable directly by any client presenting Host: beta — confirm that is
# acceptable, or move it to a loopback-only listen/port.
upstream beta {
        server 127.0.0.1;
}

# Beta frontend vhost (plain HTTP, Host: beta). Serves the static bundle and
# falls back to index.html for HTML5 client-side routes.
server {
        listen [::]:80;

        server_name beta;
        root /usr/share/bondingadmin/frontend-beta;
        index index.html;

        # Real file or directory first, otherwise the SPA entry point.
        location / {
                try_files $uri $uri/ @index;
        }

        location @index {
                rewrite ^(.+)$ /index.html last;
        }
}
