# some doc: https://www.nginx.com/resources/wiki/start/topics/examples/full/
# Send error-log output (severity `info` and above) to stderr instead of a file.
error_log  /dev/stderr info;

# nginx refuses to start without an `events` section; leaving it empty keeps
# every connection-processing setting at its built-in default.
events {}

http {
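  ##
  # Basic Settings
  ##
  # Kernel-side file transmission, with full-packet sends for file data
  # (tcp_nopush) and no Nagle delay otherwise (tcp_nodelay).
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  # Idle keep-alive connections are closed after 65 seconds.
  keepalive_timeout 65;
  types_hash_max_size 2048;
  # Do not advertise the exact nginx version in the Server header or on the
  # built-in error pages.
  server_tokens off;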


  # mimetypes, required by jitsi!
  # Extension -> Content-Type table; files with an extension that is not
  # listed are served as application/octet-stream.
  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  # Explicit mapping for WebAssembly modules.
  # NOTE(review): presumably here because the bundled mime.types does not
  # list .wasm — confirm against the image in use.
  types {
    application/wasm wasm;
  }

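  ##
  # SSL Settings
  ##

  # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 and 1.3 only.
  # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1; remove that
  # value on older builds.
  # NOTE(review): the TLS `listen ... ssl` lines in this file are commented
  # out, so these two directives only take effect once a TLS listener is
  # re-enabled.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;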
       
  ##
  # Gzip Settings
  ##
  # gzip_types is not set, so only nginx's default type (text/html) is
  # compressed.
  gzip on;

  # Access log goes to stdout, in the default log format.
  access_log /dev/stdout;
  server_names_hash_bucket_size 64;

  # Log real IPs
  # A request whose peer address is in one of the RFC 1918 ranges below is
  # treated as coming from a trusted proxy: the address taken from its
  # X-Forwarded-For header replaces $remote_addr, which is what the access log
  # records and what the /http-bind location forwards upstream.
  # real_ip_recursive is left at its default (off), so the last address in the
  # header is the one used.
  # NOTE(review): this trusts every private-range host to state the client
  # address, not only the load balancer — narrow the ranges to the actual
  # proxy address(es) if they are known.
  set_real_ip_from  10.0.0.0/8;
  set_real_ip_from  172.16.0.0/12;
  set_real_ip_from  192.168.0.0/16;
  real_ip_header    X-Forwarded-For;

  # inspired by https://raw.githubusercontent.com/jitsi/docker-jitsi-meet/master/web/rootfs/defaults/meet.conf
  server {
    # The TLS + HTTP/2 listeners are disabled; the active listeners below speak
    # plain HTTP on the port Nomad allocates for "https_port".
    # NOTE(review): presumably TLS is terminated by a proxy in front of this
    # task — confirm, since nothing in this file encrypts client traffic.
    #listen 0.0.0.0:{{ env "NOMAD_PORT_https_port" }} ssl http2 default_server;
    #listen [::]:{{ env "NOMAD_PORT_https_port" }} ssl http2 default_server;
    listen 0.0.0.0:{{ env "NOMAD_PORT_https_port" }} default_server;
    listen [::]:{{ env "NOMAD_PORT_https_port" }} default_server;
    # 0 disables the request-body size check entirely.
    # NOTE(review): consider a finite limit unless unbounded uploads are
    # really needed on this vhost.
    client_max_body_size 0;
    # Catch-all name: together with default_server this vhost answers for any
    # Host header.
    server_name _;

    # ssi on with javascript for multidomain variables in config.js
    # SSI directives are processed in JavaScript responses in addition to the
    # default text/html.
    ssi on;
    ssi_types application/x-javascript application/javascript;

    # Certificate and key for the disabled TLS listeners above.
    #ssl_certificate /etc/nginx/jitsi.crt;
    #ssl_certificate_key /etc/nginx/jitsi.key;
    # Static front-end files; 404s are answered with the bundled error page.
    root /srv/jitsi-meet;
    index index.html;
    error_page 404 /static/404.html;

    # Fixed files served through exact-match locations; nginx picks an exact
    # match before it tries any regex location.
    location = /config.js           { alias /srv/jitsi-meet/config.js; }
    location = /interface_config.js { alias /srv/jitsi-meet/interface_config.js; }

    # The public name external_api.js is mapped onto the minified build in libs/.
    location = /external_api.js     { alias /srv/jitsi-meet/libs/external_api.min.js; }

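    # ensure all static content can always be found first
    # Regex locations are tried in file order, so this one takes precedence
    # over the regex locations further down for anything under the listed
    # directories. The two captures (directory, rest of path) are mapped back
    # onto the same layout below /srv/jitsi-meet.
    # The dot in ".well-known" is escaped so that it matches a literal dot
    # only, not any character.
    # Access-Control-Allow-Origin '*' lets pages from any origin read these
    # public assets.
    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|\.well-known)/(.*)$
    {
      add_header 'Access-Control-Allow-Origin' '*';
      alias /srv/jitsi-meet/$1/$2;
    }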

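    # Disallow robots indexation
    location = /robots.txt {
      # nginx sets Content-Type itself for a `return` body, and add_header
      # appends a second Content-Type header rather than replacing that one.
      # The add_header line is therefore dropped and the fallback type pinned
      # to text/plain, so exactly one Content-Type header is sent.
      default_type text/plain;
      return 200 "User-agent: *\nDisallow: /\n";
    }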

    # not used yet VVV
    # colibri (JVB) websockets
    #location ~ ^/colibri-ws/([a-zA-Z0-9-\.]+)/(.*) {
    #  proxy_pass http://$1:9090/colibri-ws/$1/$2$is_args$args;
    #  proxy_http_version 1.1;
    #  proxy_set_header Upgrade $http_upgrade;
    #  proxy_set_header Connection "upgrade";
    #  tcp_nodelay on;
    #}


    # Blocklist for request paths: the pattern is rendered by the template
    # engine from the key secrets/jitsi/blacklist_regex and matched
    # case-insensitively; a matching request is redirected (302) to an
    # external page.
    # Exact-match locations and the static-content regex location above are
    # selected before this one, so those paths never reach this check.
    # NOTE(review): the stored value is pasted into the config unquoted. nginx
    # needs quotes around a regex containing "{", "}", ";" or whitespace, so
    # validate the rendered file with `nginx -t` whenever the key changes.
    location ~* {{ key "secrets/jitsi/blacklist_regex" }} {
      return 302 https://www.service-public.fr/particuliers/vosdroits/R17674; 
    }

    # BOSH endpoint, proxied to the backend address Nomad exposes as bosh_port.
    location = /http-bind {
      # An exact-match location is selected before the regex blocklist location,
      # so the same pattern is applied here, against the query string.
      # NOTE(review): $args is the raw, non-decoded query string. Treat this as
      # a convenience filter and enforce the same policy on the XMPP side.
      if ($args ~* {{ key "secrets/jitsi/blacklist_regex" }}) {
        return 403 'forbidden';
      }

      # CORS is opened up so that a separate front-end can be used for load
      # testing without advertising this URL too widely.
      # NOTE(review): '*' lets a page from any origin call this endpoint;
      # restrict the origin and the method list once the load-testing
      # front-end is no longer needed.
      add_header 'Access-Control-Allow-Headers' 'content-type';
      add_header 'Access-Control-Allow-Methods' 'GET,POST,PUT,DELETE,OPTIONS';
      add_header 'Access-Control-Allow-Origin' '*';

      proxy_pass      http://{{ env "NOMAD_ADDR_bosh_port" }}/http-bind;
      # X-Forwarded-For is overwritten with $remote_addr, so a value supplied
      # by the client is not passed on as-is.
      proxy_set_header X-Forwarded-For $remote_addr;
      # The upstream always sees the fixed Host "jitsi-bosh" instead of the
      # client's Host header.
      #proxy_set_header Host $http_host;
      proxy_set_header Host jitsi-bosh;
    }

    # not used yet VVV
    # xmpp websockets
    #location = /xmpp-websocket {
    #    proxy_pass {{ .Env.XMPP_BOSH_URL_BASE }}/xmpp-websocket;
    #    proxy_http_version 1.1;
    #    proxy_set_header Connection "upgrade";
    #    proxy_set_header Upgrade $http_upgrade;
    #    proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
    #    proxy_set_header X-Forwarded-For $remote_addr;
    #    tcp_nodelay on;
    #}

    # A single path segment (no further "/", and none of ? & : ' ") is handled
    # here: a real file of that name is served if it exists, otherwise the
    # request is handed to @root_path.
    location ~ ^/([^/?&:'"]+)$ {
      try_files $uri @root_path;
    }

    # Rewrite the request URI to "/" and stop rewrite processing (`break`), so
    # the request is then served from `root` as "/".
    # NOTE(review): presumably this returns index.html so the front-end can
    # read the room name from the address bar — confirm.
    location @root_path {
      rewrite ^/(.*)$ / break;
    }

  # Not used yet VVVV
  # Etherpad-lite
  # location /etherpad/ {
  #    proxy_http_version 1.1;
  #    proxy_set_header Upgrade $http_upgrade;
  #    proxy_set_header Connection 'upgrade';
  #    proxy_set_header Host $host;
  #    proxy_cache_bypass $http_upgrade;
  #    proxy_pass {{ .Env.ETHERPAD_URL_BASE }}/;
  #    proxy_set_header X-Forwarded-For $remote_addr;
  #    proxy_buffering off;
  #    proxy_set_header Host {{ .Env.XMPP_DOMAIN }};
  #  }

  }
}