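# nginx site template: HTTPS front end for a static web page, a Django
# backend reached through uwsgi, and a websocket service.
# Names such as $domain, $dist, $static, $config, $uwsgi_socket,
# $port_websocket, $ssl_chain, $ssl_fullchain, $ssl_key and $dhparam are not
# defined in this file; presumably a templating step fills them in before
# nginx loads it -- confirm against the deploy tooling.

# Value for the Connection header sent to the websocket upstream:
# "upgrade" when the client sent an Upgrade header, "close" when it did not.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Django application, reached over a unix socket via uwsgi.
upstream django {
    server unix://$uwsgi_socket;
}

# Websocket service on the loopback interface.
upstream websocket {
    server 127.0.0.1:$port_websocket;
}

# Plain HTTP: every request on any host name is redirected to HTTPS.
# NOTE(review): the redirect target echoes the client-supplied Host header;
# if only one host name is served, pinning it to the configured server name
# removes that dependency.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    # The legacy "ssl on" directive is omitted: the ssl parameter on listen
    # already enables TLS, and recent nginx releases no longer accept it.
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name $domain;
    charset utf-8;
    client_max_body_size 75M;

    # NOTE(review): with gzip on, text/html responses are compressed too.
    # Compressing TLS responses that mix secrets (e.g. CSRF tokens) with
    # request-reflected data exposes them to compression side channels
    # (BREACH) -- confirm the backend's dynamic pages are not affected.
    gzip on;
    gzip_types text/plain application/javascript;
    gzip_proxied no-cache no-store private expired auth;
    gzip_min_length 1000;

    # NOTE(review): ssl_certificate expects the leaf certificate followed by
    # its intermediates, while ssl_trusted_certificate is the CA chain used
    # to verify stapled OCSP responses. The placeholder names suggest the two
    # may be swapped -- verify what each one expands to.
    ssl_certificate $ssl_chain;
    ssl_trusted_certificate $ssl_fullchain;
    ssl_certificate_key $ssl_key;
    ssl_dhparam $dhparam;
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 180m;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DHE+AES128:!ADH:!AECDH:!MD5;
    # TLSv1.1 is no longer offered (deprecated by RFC 8996). Add TLSv1.3 once
    # the deployed nginx/OpenSSL build supports it.
    ssl_protocols TLSv1.2;
    ssl_stapling on;
    ssl_stapling_verify on;
    # Resolver used by nginx itself, e.g. to look up the OCSP responder.
    resolver 141.3.175.65 141.3.175.66;

    # add_header is inherited from this level only by locations that declare
    # no add_header of their own, so every location below that sets caching
    # headers repeats the HSTS header explicitly.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root $dist;
    index index.html;

    # Cache webpage assets.
    # The prefix ends in a slash to match the alias: a slash-less prefix
    # paired with a slash-terminated alias lets a request path resolve
    # outside the aliased directory.
    location /assets/ {
        alias $dist/assets/;
        expires 30d;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Pragma public;
        add_header Cache-Control "public";
    }

    # Cache static assets of the django admin.
    # ^~ stops regex locations (the image rule below) from taking over.
    location ^~ /backend/static/ {
        alias $static/;
        expires 30d;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Pragma public;
        add_header Cache-Control "public";
    }

    # Shortened path for the user rest interface
    location /rest {
        rewrite ^/rest/(.*)$ /backend/user-api/$1;
    }

    # Calls to the backend are handled by uwsgi (see upstream django)
    location /backend {
        uwsgi_pass django;
        include $config/uwsgi_params;
    }

    # The webpage is placed at the root (including its index.html)
    location /frontend {
        try_files $uri $uri/ /index.html;
    }

    # Handle websocket: HTTP/1.1 plus the Upgrade/Connection headers are
    # required for the protocol switch to reach the upstream.
    location /ws {
        proxy_pass http://websocket/ws;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    # Redirect to direct login when we have the 'idp' parameter
    location / {
        if ($arg_idp) {
            return 301 /backend/auth/v1/request$is_args$args;
        }
        # NOTE(review): a normalized request URI is never empty (it is at
        # least "/"), so "^$" looks like it can never match and "/" is
        # probably served through the index directive instead -- confirm
        # whether "^/$" was intended.
        rewrite "^$" /frontend;
    }

    # Cache images
    location ~* \.(?:ico|css|js|gif|jpe?g|png)$ {
        expires 30d;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header Pragma public;
        add_header Cache-Control "public";
    }
}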