# Nginx configuration template

# The template is used by **oTree Virtual Machine Manager** to embed new users
# in the configuration.

# Please, change the commented sections to match your system's configuration.

# Note that DAPHNEPORT, HTTPPORT, OTREEHOME, and SSLPORT are identifiers
# which will be replaced by the correct values when creating a new user.

map $http_upgrade $connection_upgrade { # Some variables for configuring the protocol switch
        default upgrade;
        ''      close;
    }

server {
    listen SSLPORT ssl ;
    listen [::]:SSLPORT ssl ;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

# replace the 2 lines below with your own ssl certificates using e.g. letsencrypt (installed on system)
    ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    add_header Strict_Transport-Secutiry max-age=31536000;
    # ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_session_cache shared:ssl_session_cache:10m;

# reroute http request on this port to https
    error_page 497 https://$host:SSLPORT$request_uri;

    root OTREEHOME;
    index index.html index.htm index.nginx-debian.html;

    server_name _;
    location ^~ /_static/  {
            root OTREEHOME;
            include /etc/nginx/mime.types;
        }
    location = /favico.ico  {
            root /app/favico.ico;
        }
    location / {
            proxy_pass http://127.0.0.1:DAPHNEPORT;
            proxy_http_version 1.1; # protocol switch needed
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade; # End of the configuration for oTree
# add ssl port to all server addresses
            proxy_set_header HOST $host:SSLPORT;
            proxy_set_header X-Real-Ip $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
    }
}
