resolver 8.8.8.8;

{% if enable_https %}
acme_client {{ app }} https://acme-v02.api.letsencrypt.org/directory;
{% endif %}

upstream app-backend {
  server 127.0.0.1:8000;
}
upstream app-frontend {
  server 127.0.0.1:3000;
}

server {
    {% if enable_https %}
    listen       443 ssl;
    http2 on;

    acme {{ app }};
    ssl_certificate      $acme_cert_{{ app }};
    ssl_certificate_key  $acme_cert_key_{{ app }};

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_stapling on;
    {% else %}
    listen 80;
    {% endif %}
    server_name  {{ domain }};

    gzip on;
    gzip_comp_level 6;
    gzip_types image/svg+xml text/plain text/html text/xml text/css text/javascript application/xml application/xhtml+xml application/rss+xml application/javascript application/x-javascript application/x-font-ttf application/vnd.ms-fontobject font/opentype font/ttf font/eot font/otf;
    gzip_disable "MSIE [1-6]\. ";

    add_header Strict-Transport-Security "max-age=31536000;includeSubDomains" always;#Secure header

    if ($host = www.{{domain}}) {
        return 301 https://{{domain}}$request_uri;
    }
    if ($host != {{domain}}) {
        return 410;
    }

    #access_log  /var/log/angie/host.access.log  main;

    location /status/ {
        api     /status/;
        allow   127.0.0.1;
        deny    all;
    }

    location /static {
      alias /home/{{ user }}/static;

      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;#Secure header
      expires 1y;
      add_header Cache-Control "public ";
      etag on;
    }

    location /media {
      alias /home/{{ user }}/media;

      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;#Secure header
      expires 1w;
      add_header Cache-Control "public ";
      etag on;
    }

    location /api/v1 {
        proxy_pass http://app-backend;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }

    location /admin {
        proxy_pass http://app-backend;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }

    location / {
        proxy_pass http://app-frontend;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
    }


    #error_page  404              /404.html;

    client_max_body_size 50M;

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/angie/html;
    }

}

{% if enable_https %}
server {
    listen 80;
    listen [::]:80;

    server_name {{ domain }};

    if ($host != {{domain}}) {
        return 410;
    }
    return 301 https://{{ domain }}$request_uri;
}
{% endif %}