# leviathan ----------------------------------------------------------------------------------------------
# Plain-HTTP virtual host: answers on port 80 (IPv4 and IPv6) and redirects to HTTPS.
server {
	listen 80;
	listen [::]:80;

	# Public file folder
	# NOTE(review): the server-level `return` at the bottom of this block runs in the
	# rewrite phase, before any location is chosen, so root/index/autoindex look
	# unused on this host. Confirm before relying on them.
	root /var/leviathan/public;
	index index.html;
	autoindex off;

	# Server Alias
	server_name leviathan.moderation.twitch.tv;

	# The `access_normal` log format is defined outside this file.
	access_log /var/log/nginx/access_leviathan.log access_normal;
	error_log /var/log/nginx/error_access_leviathan.log error;

	# Shared rules from a file not shown here; by its name it blocks hidden (dot) folders.
	# Kept ahead of the `return` below: if the include holds server-level rewrite
	# directives they are evaluated in file order, so its position may matter.
	include disallow_hidden_folders.conf;

	# Move all traffic to https
	# NOTE(review): $host is taken from the request (request line or Host header), so
	# the redirect target follows whatever name the client sent if this block ever
	# acts as the default server for port 80. Using $server_name instead would pin the
	# redirect to the configured name. Confirm which server is the default.
	return 301 https://$host$request_uri;
}

# leviathan SSL -------------------------------------------------------------------------------------------
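# HTTPS-facing virtual host: static files from root, everything else proxied.
# NOTE(review): the listeners below carry no `ssl` parameter, so TLS is presumably
# terminated by something in front of port 81. Confirm.
server {
	listen 81;
	listen [::]:81;

	# Response hardening headers for this host.
	# nginx inherits add_header from this level only into locations that declare no
	# add_header of their own; a location that adds one must repeat what it still needs.
	# NOTE(review): without the `always` parameter these are attached to success and
	# redirect responses only, not to error responses.
	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;
	# HSTS (15768000 seconds = 6 months)
	add_header Strict-Transport-Security max-age=15768000;

	# Public file folder
	root /var/leviathan/public;
	index index.html;
	autoindex off;

	# Server Alias
	server_name leviathan.moderation.twitch.tv;

	# The `access_normal` log format is defined outside this file.
	access_log /var/log/nginx/access_leviathan-ssl.log access_normal;
	error_log /var/log/nginx/error_leviathan-ssl.log error;

	# Shared rules from a file not shown here; by its name it blocks hidden (dot) folders.
	include disallow_hidden_folders.conf;

	# Serve an existing file under root, otherwise hand the request to Rails.
	location / {
		try_files $uri @rails;
	}

	# Rails application on the loopback interface.
	location @rails {
		proxy_pass http://127.0.0.1:3000;

		# The client-address headers are overwritten with the peer address nginx sees,
		# so a client-supplied X-Forwarded-For or X-Real-IP is replaced, not appended to.
		# NOTE(review): behind a load balancer $remote_addr is the balancer's address
		# unless the realip module is configured elsewhere. Confirm.
		# NOTE(review): $scheme is "http" on a listener without `ssl`, so the app is
		# told the request was plain HTTP. Confirm this is what Rails expects.
		# NOTE(review): CLIENT_IP (underscore) is a different header name from a
		# client-sent Client-IP (hyphen), which is still forwarded. Confirm how the
		# app resolves the two.
		proxy_set_header Host              $host;
		proxy_set_header X-Forwarded-By    $server_addr:$server_port;
		proxy_set_header X-Forwarded-For   $remote_addr;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Real-IP         $remote_addr;
		proxy_set_header CLIENT_IP         $remote_addr;

		# Explicitly forward the remaining request headers (this is also the default).
		proxy_pass_request_headers on;

		# Ignore client aborts in case of too strict timeouts on web/web or other services
		proxy_ignore_client_abort on;
	}

	# Proxy file uploads to S3
	location /file-uploads/ {
		# No URI part on proxy_pass, so the request path is sent to the bucket unchanged.
		# NOTE(review): nginx does not verify the upstream certificate unless
		# proxy_ssl_verify is enabled; it is not set in this block. Confirm whether
		# an enclosing context enables it.
		proxy_pass https://leviathan-prod.s3-us-west-2.amazonaws.com;

		proxy_set_header Host              "leviathan-prod.s3-us-west-2.amazonaws.com";
		proxy_set_header X-Forwarded-By    $server_addr:$server_port;
		proxy_set_header X-Forwarded-For   $remote_addr;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Real-IP         $remote_addr;
		proxy_set_header CLIENT_IP         $remote_addr;
		# Do not send the application's cookies to the bucket.
		proxy_set_header Cookie            "";

		proxy_http_version 1.1;
		proxy_connect_timeout 5s;
		proxy_read_timeout 20s;

		# Answer an upstream 403 with the site's own 404 page and status.
		proxy_intercept_errors on;
		error_page 403 =404 /404.html;

		# An empty value emits no header; this line documents that nosniff is
		# intentionally not sent for bucket content.
		# NOTE(review): without nosniff, uploaded files served from this origin rely
		# on the Content-Type stored with each object being trustworthy. Confirm.
		add_header X-Content-Type-Options "";
		# Declaring any add_header in this location stops inheritance of the
		# server-level ones, so the headers that must still apply are repeated here.
		add_header X-Frame-Options SAMEORIGIN;
		add_header Strict-Transport-Security max-age=15768000;

		# Stops nginx from acting on these upstream response fields (internal
		# redirects, rate/buffering control, caching hints).
		# NOTE(review): this does not strip Set-Cookie, Expires, Cache-Control or Vary
		# from the response sent to the client; proxy_hide_header would do that.
		proxy_ignore_headers X-Accel-Redirect X-Accel-Expires X-Accel-Limit-Rate X-Accel-Buffering X-Accel-Charset Expires Cache-Control Set-Cookie Vary;
	}

	# Proxy for clips API (to avoid cross-origin issues on Javascript)
	location /clips-api/ {
		# Map /clips-api/<rest> to /api/v1/clips/<rest>; `break` stops further rewriting
		# and the rewritten URI is what proxy_pass sends upstream.
		rewrite /clips-api/(.*) /api/v1/clips/$1 break;
		# NOTE(review): nginx does not verify the upstream certificate unless
		# proxy_ssl_verify is enabled; it is not set in this block. Confirm whether
		# an enclosing context enables it.
		proxy_pass https://clips.twitch.tv;

		proxy_set_header Host              "clips.twitch.tv";
		proxy_set_header X-Forwarded-For   $remote_addr;
		proxy_set_header X-Real-IP         $remote_addr;
		# Do not send the application's cookies to the clips service.
		proxy_set_header Cookie            "";

		proxy_http_version 1.1;
		proxy_connect_timeout 5s;
		proxy_read_timeout 20s;

		# An empty value emits no header; this line documents that nosniff is
		# intentionally not sent for these responses.
		add_header X-Content-Type-Options "";
		# Declaring any add_header in this location stops inheritance of the
		# server-level ones, so the headers that must still apply are repeated here.
		add_header X-Frame-Options SAMEORIGIN;
		add_header Strict-Transport-Security max-age=15768000;

		# Stops nginx from acting on these upstream response fields.
		# NOTE(review): a Set-Cookie from the upstream is still passed to the browser
		# and would be stored for this host; proxy_hide_header would remove it.
		proxy_ignore_headers X-Accel-Redirect X-Accel-Expires X-Accel-Limit-Rate X-Accel-Buffering X-Accel-Charset Expires Cache-Control Set-Cookie Vary;
	}

	# Proxy Slack reminder
	# `^~` makes this prefix match win without consulting regex locations.
	# NOTE(review): no allow/deny or auth directive is visible in this location, and
	# the hop to the backend is plain HTTP on an internal address. Presumably the
	# backend authenticates callers itself. Confirm.
	location ^~ /slack_webhook.php {
		proxy_pass http://10.199.9.8:8000;

		# No Host override here, so nginx sends the proxy_pass host and port.
		proxy_set_header X-Forwarded-For   $remote_addr;
		proxy_set_header X-Real-IP         $remote_addr;
		proxy_set_header Cookie            "";

		proxy_http_version 1.1;
		proxy_connect_timeout 5s;
		proxy_read_timeout 20s;

		# Stops nginx from acting on these upstream response fields; see the
		# Set-Cookie note on the other proxied locations.
		proxy_ignore_headers X-Accel-Redirect X-Accel-Expires X-Accel-Limit-Rate X-Accel-Buffering X-Accel-Charset Expires Cache-Control Set-Cookie Vary;
	}
}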
