#!/bin/bash
# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: AGPL-3.0

exec 2>&1
set -ex -o pipefail

. /usr/local/lib/arvbox/common.sh

if [[ $containerip != $localip ]] ; then
    if ! grep -q $localip /etc/hosts ; then
	echo $containerip $localip >> /etc/hosts
    fi
fi

geo_dockerip=
if  [[ -f /var/run/localip_override ]] ; then
    geo_dockerip="$dockerip/32 0;"
fi

openssl verify -CAfile $root_cert $server_cert

cat <<EOF >$ARVADOS_CONTAINER_PATH/nginx.conf
worker_processes auto;
pid $ARVADOS_CONTAINER_PATH/nginx.pid;

error_log stderr;
daemon off;
user arvbox;

events {
	worker_connections 64;
}

http {
  access_log off;
  include /etc/nginx/mime.types;
  default_type application/octet-stream;
  client_max_body_size 128M;

  geo \$external_client {
      default     1;
      127.0.0.0/8 0;
      $containerip/32 0;
      $geo_dockerip
  }

  server {
        listen ${services[doc]} default_server;
        listen [::]:${services[doc]} default_server;
        root /usr/src/arvados/doc/.site;
        index index.html;
        server_name _;
  }

  server {
    listen 80 default_server;
    server_name _;
    return 301 https://\$host\$request_uri;
  }

  upstream controller {
    server localhost:${services[controller]};
  }
  server {
    listen *:${services[controller-ssl]} ssl default_server;
    server_name controller;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    location  / {
      proxy_pass http://controller;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header X-External-Client \$external_client;
      proxy_redirect off;
      # This turns off response caching
      proxy_buffering off;
    }
  }

  upstream arvados-ws {
    server localhost:${services[websockets]};
  }
  server {
    listen *:${services[websockets-ssl]} ssl default_server;
    server_name           websockets;

    proxy_connect_timeout 90s;
    proxy_read_timeout    300s;

    ssl                   on;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";

    location / {
      proxy_pass          http://arvados-ws;
      proxy_set_header    Upgrade         \$http_upgrade;
      proxy_set_header    Connection      "upgrade";
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
  }

  upstream workbench2 {
    server localhost:${services[workbench2]};
  }
  server {
    listen *:${services[workbench2-ssl]} ssl default_server;
    server_name workbench2;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";

    # REDIRECTS FROM WORKBENCH 1 TO WORKBENCH 2

    # Paths that are not redirected because wb1 and wb2 have similar enough paths
    # that a redirect is pointless and would create a redirect loop.
    # rewrite ^/api_client_authorizations.* /api_client_authorizations redirect;
    # rewrite ^/repositories.* /repositories redirect;
    # rewrite ^/links.* /links redirect;
    # rewrite ^/projects.* /projects redirect;
    # rewrite ^/trash /trash redirect;

    # Redirects that include a uuid
    rewrite ^/work_units/(.*) /processes/$1 redirect;
    rewrite ^/container_requests/(.*) /processes/$1 redirect;
    rewrite ^/users/(.*) /user/$1 redirect;
    rewrite ^/groups/(.*) /group/$1 redirect;

    # Special file download redirects
    if (\$arg_disposition = attachment) {
      rewrite ^/collections/([^/]*)/(.*) /?redirectToDownload=/c=$1/$2? redirect;
    }
    if (\$arg_disposition = inline) {
      rewrite ^/collections/([^/]*)/(.*) /?redirectToPreview=/c=$1/$2? redirect;
    }

    # Redirects that go to a roughly equivalent page
    rewrite ^/virtual_machines.* /virtual-machines-admin redirect;
    rewrite ^/users/.*/virtual_machines /virtual-machines-user redirect;
    rewrite ^/authorized_keys.* /ssh-keys-admin redirect;
    rewrite ^/users/.*/ssh_keys /ssh-keys-user redirect;
    rewrite ^/containers.* /all_processes redirect;
    rewrite ^/container_requests /all_processes redirect;
    rewrite ^/job.* /all_processes redirect;
    rewrite ^/users/link_account /link_account redirect;
    rewrite ^/search.* /search-results redirect;
    rewrite ^/keep_services.* /keep-services redirect;
    rewrite ^/trash_items.* /trash redirect;

    # Redirects that don't have a good mapping and
    # just go to root.
    rewrite ^/themes.* / redirect;
    rewrite ^/keep_disks.* / redirect;
    rewrite ^/user_agreements.* / redirect;
    rewrite ^/nodes.* / redirect;
    rewrite ^/humans.* / redirect;
    rewrite ^/traits.* / redirect;
    rewrite ^/sessions.* / redirect;
    rewrite ^/logout.* / redirect;
    rewrite ^/logged_out.* / redirect;
    rewrite ^/current_token / redirect;
    rewrite ^/logs.* / redirect;
    rewrite ^/factory_jobs.* / redirect;
    rewrite ^/uploaded_datasets.* / redirect;
    rewrite ^/specimens.* / redirect;
    rewrite ^/pipeline_templates.* / redirect;
    rewrite ^/pipeline_instances.* / redirect;

    location  / {
      proxy_pass http://workbench2;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
    location  /sockjs-node {
      proxy_pass http://workbench2;
      proxy_set_header    Upgrade         \$http_upgrade;
      proxy_set_header    Connection      "upgrade";
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
  }

  upstream keep-web {
    server localhost:${services[keep-web]};
  }
  server {
    listen *:${services[keep-web-ssl]} ssl default_server;
    server_name keep-web;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    client_max_body_size 0;
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }
  server {
    listen *:${services[keep-web-dl-ssl]} ssl default_server;
    server_name keep-web-dl;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    client_max_body_size 0;
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

  upstream keepproxy {
    server localhost:${services[keepproxy]};
  }
  server {
    listen *:${services[keepproxy-ssl]} ssl default_server;
    server_name keepproxy;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    client_max_body_size 128M;
    location  / {
      proxy_pass http://keepproxy;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }

  upstream arvados-git-httpd {
    server localhost:${services[arv-git-httpd]};
  }
  server {
    listen *:${services[arv-git-httpd-ssl]} ssl default_server;
    server_name arvados-git-httpd;
    proxy_connect_timeout 90s;
    proxy_read_timeout 300s;

    ssl on;
    ssl_certificate "${server_cert}";
    ssl_certificate_key "${server_cert_key}";
    client_max_body_size 50m;

    location  / {
      proxy_pass http://arvados-git-httpd;
      proxy_set_header Host \$http_host;
      proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }


upstream arvados-webshell {
  server                localhost:${services[webshell]};
}
server {
  listen                ${services[webshell-ssl]} ssl;
  server_name           arvados-webshell;

  proxy_connect_timeout 90s;
  proxy_read_timeout    300s;

  ssl                   on;
  ssl_certificate "${server_cert}";
  ssl_certificate_key "${server_cert_key}";

  location / {
    if (\$request_method = 'OPTIONS') {
       add_header 'Access-Control-Allow-Origin' '*';
       add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
       add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
       add_header 'Access-Control-Max-Age' 1728000;
       add_header 'Content-Type' 'text/plain charset=UTF-8';
       add_header 'Content-Length' 0;
       return 204;
    }
    if (\$request_method = 'POST') {
       add_header 'Access-Control-Allow-Origin' '*';
       add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
       add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }
    if (\$request_method = 'GET') {
       add_header 'Access-Control-Allow-Origin' '*';
       add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
       add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }

    proxy_ssl_session_reuse off;
    proxy_read_timeout  90;
    proxy_set_header    X-Forwarded-Proto https;
    proxy_set_header    Host \$http_host;
    proxy_set_header    X-Real-IP \$remote_addr;
    proxy_set_header    X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_pass          http://arvados-webshell;
  }
}
}

EOF

exec nginx -c $ARVADOS_CONTAINER_PATH/nginx.conf