user nobody nogroup;
worker_processes auto;          # auto-detect number of logical CPU cores

events {
	worker_connections 512;       # set the max number of simultaneous connections (per worker process)
}

http {
	client_max_body_size 250M;

	include mime.types;

	# thanks stackoverflow http://stackoverflow.com/a/5132440/2406040
	gzip  on;
	gzip_http_version 1.1;
	gzip_vary on;
	gzip_comp_level 6;
	gzip_proxied any;
	gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml;

	# make sure gzip does not lose large gzipped js or css files
	# see http://blog.leetsoft.com/2007/07/25/nginx-gzip-ssl.html
	gzip_buffers 16 8k;

	# Disable gzip for certain browsers.
	gzip_disable "MSIE [1-6].(?!.*SV1)";

	server {
		listen         80;
		server_name    "localhost";

		#location /static/js/* {
		#	# avoid clickjacking
		#	add_header X-Frame-Options DENY;
		#	add_header X-Content-Type-Options nosniff;
		#	add_header ;
		#	# block MIME sniffing

		#	# security headers
		#	add_header X-XSS-Protection "1; mode=block";
		#	# add_header Content-Security-Policy "default-src 'self'";
		#	add_header Referrer-Policy "no-referrer";
		#	server_tokens off;

		#	root /usr/share/nginx/html;
		#	gzip_static on;
		#	expires 1y;
		#	add_header Cache-Control public;
		#	add_header ETag "";
		#	try_files $uri /index.html;
		#}

		location / {
			# avoid clickjacking
			add_header X-Frame-Options DENY;
			# block MIME sniffing
			add_header X-Content-Type-Options nosniff;

			# security headers
			add_header X-XSS-Protection "1; mode=block";
			# add_header Content-Security-Policy "default-src 'self'";
			add_header Referrer-Policy "no-referrer";
			server_tokens off;

			root /usr/share/nginx/html;
			gzip_static on;
			expires 1y;
			add_header Cache-Control public;
			add_header ETag "";
			try_files $uri /index.html;
		}

		location ~ /api/v(1|2) {
			proxy_pass http://{{ getenv "BACKEND_HOSTNAME" "shuffle-backend" }}:5001;
			proxy_buffering off;
			proxy_http_version 1.1;
			
			proxy_connect_timeout 900;
			proxy_send_timeout 900;
			proxy_read_timeout 900;
			send_timeout 900;
		}
	}

	server {
		listen              443 ssl;
		server_name         "localhost";
		ssl_certificate     fullchain.cert.pem;
		ssl_certificate_key privkey.pem;
		ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
		ssl_ciphers         HIGH:!aNULL:!MD5;

		location / {
			# avoid clickjacking
			add_header X-Frame-Options DENY;
			# block MIME sniffing
			add_header X-Content-Type-Options nosniff;

			# security headers
			add_header X-XSS-Protection "1; mode=block";
			# add_header Content-Security-Policy "default-src 'self'";
			add_header Referrer-Policy "no-referrer";
			server_tokens off;

			root /usr/share/nginx/html;
			gzip_static on;
			expires 1y;
			add_header Cache-Control public;
			add_header ETag "";
			try_files $uri /index.html;
		}

		# Get the hostname from environment here?
		location ~ /api/v(1|2) {
			proxy_pass http://{{ getenv "BACKEND_HOSTNAME" "shuffle-backend" }}:5001;
			proxy_buffering off;
			proxy_http_version 1.1;

			proxy_connect_timeout 900;
			proxy_send_timeout 900;
			proxy_read_timeout 900;
			send_timeout 900;
		}
	}
}