# Basic DoS prevention measures
limit_conn addr 10;
client_body_timeout 5s;
client_header_timeout 5s;
limit_conn_zone $binary_remote_addr zone=addr:10m;

# Backend configuration
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-SSL-CERT $ssl_client_cert;
proxy_connect_timeout 600;
proxy_send_timeout 600;
proxy_read_timeout 600;
send_timeout 600;

# Don't buffer any messages
nchan_message_buffer_length 0;

# To use CA-s own certificate for frontend and mutually authenticated connections
ssl_certificate {{ directory }}/signed/{{ common_name }}.pem;
ssl_certificate_key {{ directory }}/self_key.pem;

server {
    # Uncomment following to automatically redirect to HTTPS
    #rewrite ^/$ https://$server_name$request_uri? permanent;

    # Section for serving insecure HTTP, note that this is suitable for
    # OCSP, SCEP, CRL-s etc which is already covered by PKI protection mechanisms.
    # This also solves the chicken-and-egg problem of deploying the certificates

    server_name {{ common_name }};
    listen 80 default_server;

    # Proxy pass to backend
    location /api/ {
        proxy_pass http://127.0.1.1:8080/api/;
    }

    # Path to compiled assets
    location /assets/ {
        alias {{ assets_dir }}/;
    }

    # Rewrite /cgi-bin/pkiclient.exe to /api/scep for SCEP protocol
    location /cgi-bin/pkiclient.exe {
        rewrite /cgi-bin/pkiclient.exe /api/scep/ last;
    }

    {% if not push_server %}
    # Long poll for CSR submission
    location ~ "^/lp/sub/(.*)" {
        nchan_channel_id $1;
        nchan_subscriber longpoll;
    }
    {% endif %}

    # Comment everything below in this server definition if you're using HTTPS

    {% if not push_server %}
    # Event source for web interface
    location ~ "^/ev/sub/(.*)" {
        nchan_channel_id $1;
        nchan_subscriber eventsource;
    }
    {% endif %}

    # Path to static files
    root {{static_path}};
    error_page 502 /502.json;

    access_log /var/log/nginx/certidude-plaintext-access.log;
    error_log /var/log/nginx/certidude-plaintext-error.log;
}

server {
    # Section for accessing web interface over HTTPS
    listen 443 ssl http2 default_server;
    server_name {{ common_name }};

    # To use Let's Encrypt certificates
    {% if not letsencrypt %}#{% endif %}ssl_certificate {{ letsencrypt_fullchain }};
    {% if not letsencrypt %}#{% endif %}ssl_certificate_key {{ letsencrypt_privkey }};

    # Also run the following to set up Let's Encrypt certificates:
    #
    # apt install letsencrypt
    # certbot certonly -d {{common_name}} --webroot /var/www/html/

    # HSTS header below should make sure web interface will be accessed over HTTPS only
    # once it has been configured
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

    # Proxy pass to backend
    location /api/ {
        proxy_pass http://127.0.1.1:8080/api/;
    }

    # Path to compiled assets
    location /assets/ {
        alias {{ assets_dir }}/;
    }

    # This is for Let's Encrypt enroll/renewal
    location /.well-known/ {
        alias /var/www/html/.well-known/;
    }

{% if not push_server %}
    # Event stream for pushing events to web browsers
    location ~ "^/ev/sub/(.*)" {
        nchan_channel_id $1;
        nchan_subscriber eventsource;
    }

    # Long poll for CSR submission
    location ~ "^/lp/sub/(.*)" {
        nchan_channel_id $1;
        nchan_subscriber longpoll;
    }
{% endif %}

    # Path to static files
    root {{static_path}};
    error_page 502 /502.json;

    access_log /var/log/nginx/certidude-frontend-access.log;
    error_log /var/log/nginx/certidude-frontend-error.log;
}


server {
    # Section for certificate authenticated HTTPS clients,
    # for submitting information to CA eg. leases,
    # requesting/renewing certificates and
    # for delivering scripts to clients

    server_name {{ common_name }};
    listen 8443 ssl http2;

    # Allow client authentication with certificate,
    # backend must still check if certificate was used for TLS handshake
    ssl_verify_client optional;
    ssl_client_certificate {{ directory }}/ca_cert.pem;

    # Proxy pass to backend
    location /api/ {
        proxy_pass http://127.0.1.1:8080/api/;
    }

    # Long poll
    location ~ "^/lp/sub/(.*)" {
        nchan_channel_id $1;
        nchan_subscriber longpoll;
    }

    # Path to static files
    root {{static_path}};
    error_page 502 /502.json;

    access_log /var/log/nginx/certidude-mutual-auth-access.log;
    error_log /var/log/nginx/certidude-mutual-auth-error.log;
}

{% if not push_server %}
server {
    # Allow publishing only from localhost to prevent abuse
    server_name localhost;
    listen 127.0.0.1:80;

    location ~ "^/lp/pub/(.*)" {
        nchan_publisher;
        nchan_channel_id $1;
    }

    location ~ "^/ev/pub/(.*)" {
        nchan_publisher;
        nchan_channel_id $1;
    }

    access_log /var/log/nginx/certidude-push-access.log;
    error_log /var/log/nginx/certidude-push-error.log;
}
{% endif %}