#!/bin/bash
# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: AGPL-3.0

exec 2>&1
set -ex -o pipefail

. /usr/local/lib/arvbox/common.sh

cat <<EOF >/var/lib/arvados/nginx.conf
worker_processes auto;
pid /var/lib/arvados/nginx.pid;

error_log stderr;
daemon off;
user arvbox;

events {
	worker_connections 64;
}

http {
     access_log off;
     include /etc/nginx/mime.types;
     default_type application/octet-stream;
     server {
            listen ${services[doc]} default_server;
            listen [::]:${services[doc]} default_server;
            root /usr/src/arvados/doc/.site;
            index index.html;
            server_name _;
     }

  server {
    listen 80 default_server;
    server_name _;
    return 301 https://\$host\$request_uri;
  }

  upstream controller {
    server localhost:${services[controller]};
  }
  server {
    listen *:${services[controller-ssl]} ssl default_server;
    server_name controller;
    ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
    ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
    location  / {
      proxy_pass http://controller;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

upstream arvados-ws {
  server localhost:${services[websockets]};
}
server {
  listen *:${services[websockets-ssl]} ssl default_server;
  server_name           websockets;

  proxy_connect_timeout 90s;
  proxy_read_timeout    300s;

  ssl                   on;
  ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
  ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";

  location / {
    proxy_pass          http://arvados-ws;
    proxy_set_header    Upgrade         \$http_upgrade;
    proxy_set_header    Connection      "upgrade";
    proxy_set_header Host \$http_host;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
  }
}

  upstream workbench2 {
    server localhost:${services[workbench2]};
  }
  server {
    listen *:${services[workbench2-ssl]} ssl default_server;
    server_name workbench2;
    ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
    ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
    location  / {
      proxy_pass http://workbench2;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
    location  /sockjs-node {
      proxy_pass http://workbench2;
      proxy_set_header    Upgrade         \$http_upgrade;
      proxy_set_header    Connection      "upgrade";
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
  }

  upstream keep-web {
    server localhost:${services[keep-web]};
  }
  server {
    listen *:${services[keep-web-ssl]} ssl default_server;
    server_name keep-web;
    ssl_certificate "/var/lib/arvados/server-cert-${localip}.pem";
    ssl_certificate_key "/var/lib/arvados/server-cert-${localip}.key";
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

}

EOF

exec nginx -c /var/lib/arvados/nginx.conf