# {{ ansible_managed }}

resolver 10.89.0.1 ipv6=off valid=10s;

# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}

# Apply fix for very long server names
server_names_hash_bucket_size 128;

gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

# HTTP 1.1 support
proxy_http_version 1.1;

proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;

# Mitigate httpoxy attack
proxy_set_header Proxy "";

server {
    listen 80;
    listen [::]:80;

    server_name {{ podman_link_web_hostname }};
    server_tokens off;

    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }

    location / {
        return 301 https://{{ podman_link_web_hostname }}$request_uri;
    }
}

upstream zammad {
    zone zammad_upstream 64k;
	server zammad-nginx:8080 resolve;
}

server {
	server_name {{ podman_link_web_hostname }};
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/{{ podman_link_web_hostname }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ podman_link_web_hostname }}/privkey.pem;

	add_header Strict-Transport-Security "max-age=31536000" always;
	add_header Referrer-Policy origin always;  # make sure outgoing links don't show the URL to the Matomo instance
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

	location / {
		proxy_pass http://zammad;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port 443;
	}
}