conf.template

# -*- conf -*-

upstream wsgi-server {
    # fail_timeout=0 means we always retry an upstream even if it failed
    # to return a good HTTP response (in case the gunicorn master nukes a
    # single worker for timing out).
    server api:8000 fail_timeout=0;
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    #return 301 https://$host$request_uri;
    # For testing, use 307 so that redirect is not cached in browser
    return 307 https://$host$request_uri;
}

server {
    # SSL configuration
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ${DOMAINS};

    # reduce "upstream response is buffered to a temporary file" warnings
    proxy_buffers 16 16k;
    proxy_buffer_size 16k;
    proxy_read_timeout 120s;
    proxy_max_temp_file_size 0; # disable data being stored on disk

    ssl_session_tickets off;
    ssl_certificate /etc/ssl/certs/ssl-cert.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_client_certificate /etc/ssl/certs/ca.crt;
    # ssl_verify_client on;
    # ssl_ocsp on; # Enable OCSP validation
    ssl_verify_depth 4;
    # path for static files
    root /var/www/scos-sensor/;

    location = /favicon.ico { access_log off; log_not_found off; }

    location / {
      # checks for static file, if not found proxy to wsgi server
      try_files $uri @proxy_to_wsgi_server;
    }

    # Pass off requests to Gunicorn
    location @proxy_to_wsgi_server {

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_set_header X-SSL-CLIENT-DN $ssl_client_s_dn;
        proxy_redirect off;
        proxy_pass   http://wsgi-server;

    }

}