upstream c3lf-sys3 {
    server unix:/var/www/c3lf-sys3/web.sock;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {

    server_name {{ web_domain }};
    client_max_body_size 1024M;

    location / {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, DELETE, PUT';
        add_header 'Content-Security-Policy' "default-src 'self' 'unsafe-inline' 'unsafe-eval' data: blob: wss:;";
        root /var/www/c3lf-sys3/repo/web/dist;
        index index.html index.htm index.nginx-debian.html;
        try_files $uri $uri/ /index.html;
    }

    location /ws {
        proxy_http_version 1.1;
        #auth_basic off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://c3lf-sys3;
    }

    location ~ ^/(api|media)/ {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_redirect off;
        proxy_buffering off;
        proxy_pass http://c3lf-sys3;

        location ~ ^/api/1 {
            auth_basic C3LF;
            auth_basic_user_file conf.d/lf-prod.htpasswd;
        }
    }

    location /djangoadmin {
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_redirect off;
        proxy_buffering off;
        proxy_pass http://c3lf-sys3;
    }

    location /redirect_media/ {
        internal;
        alias /var/www/c3lf-sys3/userfiles/;
    }

    location /redirect_thumbnail/ {
        internal;
        alias /var/www/c3lf-sys3/userfiles/thumbnails/;
    }

    location /static/ {
        alias /var/www/c3lf-sys3/staticfiles/;
    }

    location /metrics {
        allow 95.156.226.90;
        allow 127.0.0.1;
        allow ::1;
        deny all;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_redirect off;
        proxy_buffering off;
        proxy_pass http://c3lf-sys3;
    }

    listen 443 ssl http2; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/{{ web_domain }}/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/{{ web_domain }}/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = {{ web_domain }}) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name {{ web_domain }};

    listen 80;
    return 404; # managed by Certbot
}