#  Basic configuration
user nginx;
worker_processes  1;
error_log /dev/stderr info;
pid /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    # Standard HTTP configuration with slight hardening
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    access_log /dev/stdout;
    sendfile on;
    keepalive_timeout  65;
    server_tokens off;

    #Websockets Server
    server {

      {% if NODE_ENV == "development" %}
        listen {{SOCKET_PORT}};
      {% else %}
        listen 80;
        listen [::]:80;
        server_name {{ SOCKETS_URL }};

        # Only enable HTTPS if TLS is enabled with no error
        {% if TLS and not TLS_ERROR %}
          listen 443 ssl;
          listen [::]:443 ssl;

          include /etc/nginx/tls.conf;
          add_header Strict-Transport-Security max-age=15768000;

          if ($scheme = http) {
            return 301 https://$host$request_uri;
          }
        {% endif %}

      {% endif %}

      location / {
        proxy_pass http://ohmyform:20523;
        proxy_read_timeout 90;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        {% if TLS and not TLS_ERROR %}
          proxy_set_header X-Forwarded-Proto https;
        {% endif %}
      }

      {% if TLS_FLAVOR == 'letsencrypt' %}
      location ^~ /.well-known/acme-challenge/ {
          proxy_pass http://127.0.0.1:8008;
      }
      {% endif %}
    }

    server {
      #Add server_name for per-user subdomains
      {% if SUBDOMAINS_DISABLED == "FALSE" %}
        server_name {{BASE_URL}} {{SUBDOMAIN_URL}};
      {% else %}
        server_name {{BASE_URL}};
      {% endif %}

      listen 80;
      listen [::]:80;

      # Only enable HTTPS if TLS is enabled with no error
      {% if TLS and not TLS_ERROR %}
        listen 443 ssl;
        listen [::]:443 ssl;

        include /etc/nginx/tls.conf;
        add_header Strict-Transport-Security max-age=15768000;

        if ($scheme = http) {
          return 301 https://$host$request_uri;
        }
      {% endif %}

      root /usr/share/nginx/html;
      index index.html index.htm;

      location / {
        proxy_pass http://ohmyform:5000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for ;

        {% if TLS and not TLS_ERROR %}
          proxy_set_header X-Forwarded-Proto https;
        {% endif %}
      }

      {% if TLS_FLAVOR == 'letsencrypt' %}
      location ^~ /.well-known/acme-challenge/ {
          proxy_pass http://127.0.0.1:8008;
      }
      {% endif %}
    }
}