worker_processes 1;
user root;

events {
    worker_connections 1024;
}

http {
{% if ssl_enabled %}
    server {
        listen {{ web_http_port}};
# IPv6 is not used so comment it by now
# This will prevent faults on hosts where IPv6 is not available
#        listen [::]:{{ web_http_port }};
        server_name .{{ hostname }};

        # LetsEncrypt ACME challenge path
        location ~ /.well-known/acme-challenge {
            allow all;
            root /var/www/certbot;
        }

        # Redirect (soft) to secure side of the force
        location / {
            return 302 https://$host$request_uri;
        }
    }
{% endif %}

    server {
{% if ssl_enabled %}
        listen {{ web_https_port }} ssl http2;
#        listen [::]:{{ web_https_port }} ssl http2;
{% else %}
        listen {{ web_http_port}};
#        listen [::]:{{ web_http_port }};
{% endif %}
        server_name .{{ hostname }};
{% if ssl_enabled %}
        ssl_certificate /etc/letsencrypt/live/{{ hostname }}/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/{{ hostname }}/privkey.pem;

        server_tokens off;
        ssl_session_tickets off;

        ssl_buffer_size 8k;
        ssl_session_cache shared:le_nginx_SSL:1m;
        ssl_session_timeout 1d;
        ssl_dhparam /etc/nginx/dhparams.pem;

        #
        # Supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9 and above
        #
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        # TODO: было ssl_ecdh_curve secp384r1;

        ssl_ecdh_curve prime256v1;
        # TODO: https://www.semicolonworld.com/question/47638/sslhandshakeexception-handshake-failed-on-android-n-7-0
        # TODO: https://stackoverflow.com/questions/39133437/sslhandshakeexception-handshake-failed-on-android-n-7-0
        # TODO: ssl_ecdh_curve prime256v1;
        ssl_prefer_server_ciphers on;

        # HSTS (ngx_http_headers_module is required)
        # Disabled due to downgrade ability from https to http
        # add_header Strict-Transport-Security "max-age=86400" always;

        # OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
{% endif %}
        # replace with the IP address of your resolver
        resolver 8.8.8.8;

        include /etc/nginx/mime.types;

        # Redirect (soft) to Web Admin
        location / {
            return 302 $scheme://$host/web-admin/;
        }

        # Web Admin
        location ^~ /web-admin/ {
            alias /var/www/web-admin/html/;
            index index.html;
        }

        # static files will be served directly and cached
        location ~* ^.+\.(?:css|cur|js|jpe?g|gif|ico|png|otf|ttf|eot|woff|woff2|svg)$ {
            access_log off;
            expires 3h;
            add_header Cache-Control public;
            tcp_nodelay off;
        }

        # Janus REST API
        location ^~ /janus {
            proxy_pass http://127.0.0.1:{{ api_http_port }}/janus;
#            proxy_http_version 1.1;
#            proxy_set_header Upgrade $http_upgrade;
#            proxy_set_header Connection "upgrade";
#            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#            proxy_redirect off;
        }
    }
}
