user nginx;
worker_processes auto;

pid         /var/run/nginx.pid;
error_log   /var/log/nginx/error.log;

events {
    worker_connections 2048;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    default_type application/octet-stream;

    ### SSL Settings for all servers (https://ssl-config.mozilla.org/#server=nginx&server-version=1.17.2&config=intermediate)
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate     /etc/nginx/ssl/{{ kuma_domain }}.fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/{{ kuma_domain }}.privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/nginx/ssl/dhparam.pem (TODO: check if it's secure to use others DH parameters!)
    # openssl dhparam -out /etc/nginx/ssl/dhparam.pem 4096
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    log_format main '$remote_addr - $remote_user [$time_local] "$request_method $scheme://$host$request_uri $server_protocol" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent" $request_time $upstream_response_time UPA:$upstream_addr BYS:$bytes_sent BYR:$request_length';
    access_log  /var/log/nginx/access.log main;

    ### Set additional headers to be send to upstream
    proxy_set_header    Host                $http_host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_set_header    X-Forwarded-Proto   $scheme;

    # Remove Headers that gonna be sent to client
    proxy_hide_header   X-Powered-By;
    proxy_hide_header   Server;

    # Redirect HTTP request to HTTPS
    server {
      listen              80 default_server;
      server_name         {{ kuma_domain }};
      return 302 https://$host$request_uri;
    }

    server {
        server_name     {{ kuma_domain }};
        listen          443 ssl http2 default_server;

        access_log      /var/log/nginx/{{ kuma_domain }}/access.log main;
        error_log       /var/log/nginx/{{ kuma_domain }}/error.log;

        location / {
            # rewrite ^/(.*)/$ /$1 permanent;
            ### redirect urls with trailing slash to non-trailing slash
            # https://serverfault.dev/questions/597302/removing-the-trailing-slash-from-a-url-with-nginx
            # location ~ (?<no_slash>.+)/$ {
            #     return 302 https://$host$no_slash;
            # }
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass         http://uptime-kuma:3001/;
            proxy_http_version 1.1;
            proxy_set_header   Upgrade $http_upgrade;
            proxy_set_header   Connection "upgrade";
        }
    }
}