# Copyright (C) The Arvados Authors. All rights reserved.
#
# SPDX-License-Identifier: Apache-2.0

daemon off;
events {
}
http {
  log_format customlog
    '[$time_local] "$http_x_request_id" $server_name $status $body_bytes_sent $request_time $request_method "$scheme://$http_host$request_uri" $remote_addr:$remote_port '
    '"$http_referer" "$http_user_agent"';
  access_log "{{ACCESSLOG}}" customlog;
  client_body_temp_path "{{TMPDIR}}";
  proxy_temp_path "{{TMPDIR}}";
  fastcgi_temp_path "{{TMPDIR}}";
  uwsgi_temp_path "{{TMPDIR}}";
  scgi_temp_path "{{TMPDIR}}";
  geo $external_client {
    default 1;
    127.0.0.0/8 0;
    ::1 0;
    fd00::/8 0;
    {{INTERNALSUBNETS}}
  }
  upstream controller {
    server {{UPSTREAMHOST}}:{{CONTROLLERPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{CONTROLLERSSLPORT}} ssl;
    server_name controller ~.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    client_max_body_size 0;
    location  / {
      proxy_pass http://controller;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      proxy_set_header X-External-Client $external_client;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
      proxy_max_temp_file_size 0;
      proxy_request_buffering off;
      proxy_buffering off;
      proxy_http_version 1.1;
    }
  }
  upstream arv-git-http {
    server {{UPSTREAMHOST}}:{{GITPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{GITSSLPORT}} ssl;
    server_name arv-git-http git.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://arv-git-http;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }
  upstream keepproxy {
    server {{UPSTREAMHOST}}:{{KEEPPROXYPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{KEEPPROXYSSLPORT}} ssl;
    server_name keepproxy keep.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://keepproxy;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      client_max_body_size 67108864;
      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }
  upstream keep-web {
    server {{UPSTREAMHOST}}:{{KEEPWEBPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{KEEPWEBSSLPORT}} ssl;
    server_name keep-web collections.* ~\.collections\.;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      client_max_body_size 0;
      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }
  upstream health {
    server {{UPSTREAMHOST}}:{{HEALTHPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{HEALTHSSLPORT}} ssl;
    server_name health health.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://health;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }
  server {
    listen {{LISTENHOST}}:{{KEEPWEBDLSSLPORT}} ssl;
    server_name keep-web-dl download.* ~.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://keep-web;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      client_max_body_size 0;
      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }
  upstream ws {
    server {{UPSTREAMHOST}}:{{WSPORT}};
  }
  server {
    listen {{LISTENHOST}}:{{WSSSLPORT}} ssl;
    server_name websocket ws.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";
    location  / {
      proxy_pass http://ws;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;

      client_max_body_size 0;
      proxy_http_version 1.1;
      proxy_request_buffering off;
    }
  }
  # wb1->wb2 redirects copied from
  # /tools/salt-install/config_examples/multi_host/aws/pillars/nginx_workbench_configuration.sls
  map $request_uri $wb1_redirect {
    default                        0;

    ~^/actions\?uuid=(.*-4zz18-.*) /collections/$1;
    ~^/actions\?uuid=(.*-j7d0g-.*) /projects/$1;
    ~^/actions\?uuid=(.*-tpzed-.*) /projects/$1;
    ~^/actions\?uuid=(.*-7fd4e-.*) /workflows/$1;
    ~^/actions\?uuid=(.*-xvhdp-.*) /processes/$1;
    ~^/actions\?uuid=(.*)          /;

    ^/work_units/(.*)              /processes/$1;
    ^/container_requests/(.*)      /processes/$1;
    ^/users/(.*)                   /user/$1;
    ^/groups/(.*)                  /group/$1;

    ^/virtual_machines.*           /virtual-machines-admin;
    ^/users/.*/virtual_machines    /virtual-machines-user;
    ^/authorized_keys.*            /ssh-keys-admin;
    ^/users/.*/ssh_keys            /ssh-keys-user;
    ^/containers.*                 /all_processes;
    ^/container_requests           /all_processes;
    ^/job.*                        /all_processes;
    ^/users/link_account           /link_account;
    ^/keep_services.*              /keep-services;
    ^/trash_items.*                /trash;

    ^/themes.*                     /;
    ^/keep_disks.*                 /;
    ^/user_agreements.*            /;
    ^/nodes.*                      /;
    ^/humans.*                     /;
    ^/traits.*                     /;
    ^/sessions.*                   /;
    ^/logout.*                     /;
    ^/logged_out.*                 /;
    ^/current_token                /;
    ^/logs.*                       /;
    ^/factory_jobs.*               /;
    ^/uploaded_datasets.*          /;
    ^/specimens.*                  /;
    ^/pipeline_templates.*         /;
    ^/pipeline_instances.*         /;
  }
  upstream workbench2 {
    server {{UPSTREAMHOST}}:{{WORKBENCH2PORT}};
  }
  server {
    listen {{LISTENHOST}}:{{WORKBENCH2SSLPORT}} ssl;
    listen {{LISTENHOST}}:{{WORKBENCH1SSLPORT}} ssl;
    server_name workbench2 workbench2.* workbench1 workbench1.* workbench workbench.*;
    ssl_certificate "{{SSLCERT}}";
    ssl_certificate_key "{{SSLKEY}}";

    if ($wb1_redirect) {
      return 301 $wb1_redirect;
    }

    # file download redirects
    if ($arg_disposition = attachment) {
      rewrite ^/collections/([^/]*)/(.*) /?redirectToDownload=/c=$1/$2? redirect;
    }
    if ($arg_disposition = inline) {
      rewrite ^/collections/([^/]*)/(.*) /?redirectToPreview=/c=$1/$2? redirect;
    }

    location / {
      proxy_pass http://workbench2;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto https;
      proxy_redirect off;
    }
  }
}