map $var_lang $lang_host {
    be "yandex.by";
    et "yandex.com";
    en "yandex.com";
    fi "yandex.com";
    fr "yandex.com";
    hy "yandex.ru";
    it "yandex.com";
    ka "yandex.ru";
    kk "yandex.kz";
    pt-br "yandex.com";
    ru "yandex.ru";
    tr "yandex.com.tr";
    uk "yandex.ua";
    default "legal.yandex.com";
}
map $var_lang $lang_url {
    be "/legal/rules/";
    et "/legal/rules/";
    en "/legal/rules/";
    fi "/legal/rules_fi/";
    fr "/legal/rules_fr/";
    hy "/legal/rules_hy/";
    it "/legal/rules/";
    ka "/legal/rules_ka/";
    kk "/legal/rules/";
    pt-br "/legal/rules/";
    ru "/legal/rules/";
    tr "/legal/rules/";
    uk "/legal/rules/";
    default "/rules/";
}
map $var_lang $lang_param {
    be "mode=html";
    et "";
    en "lang=en&mode=html";
    fi "mode=html";
    fr "mode=html";
    hy "mode=html";
    it "lang=en&mode=html";
    ka "mode=html";
    kk "mode=html";
    pt-br "mode=html";
    ru "lang=ru&mode=html";
    tr "lang=tr&mode=html";
    uk "lang=uk&mode=html";
    default "lang=en&mode=html";
}

server {
    # SLB IP
    listen 213.180.193.115:443;
    listen [2a02:6b8::115]:443;

    # Tunnel IP
    listen 5.45.202.34:443;
    listen 5.45.202.35:443;
    listen 5.45.202.36:443;
    listen 5.45.202.37:443;

    # Server IP
    listen [1::2:3:4]:443;
    listen 127.0.0.1:443;
    listen [::1]:443;


    server_name mobileproxy.mobile.pssp.smilink.ru;

    set $ya_consumer_client_ip $remote_addr;

    ssl on;
    ssl_certificate certs/mobileproxy.mobile.pssp.smilink.ru.crt;
    ssl_certificate_key certs/mobileproxy.mobile.pssp.smilink.ru.key;
    ssl_ciphers kEECDH+AES128:kECDH:kEDH:-3DES:kRSA+AES128:kEDH+3DES:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:32m;
    ssl_session_timeout 5m;

    access_log /var/log/nginx/mobileproxy.access.log mobileproxy buffer=128k flush=5s;
    error_log /var/log/nginx/mobileproxy.error.log warn;

    location ^~ /ping {
        proxy_set_header    Host                        passport-internal.yandex.ru;
        proxy_set_header    Ya-Consumer-Client-Ip       $ya_consumer_client_ip;
        proxy_set_header    X-Request-Id                $request_id;
        proxy_set_header    X-YProxy-Header-Ip          $http_x_yproxy_header_ip;

        proxy_pass https://passport-internal.yandex.ru;
    }

    location ~ ^/1/token/?$ {
        rewrite ^/(.*)/$ /$1;
        rewrite ^/1/(.*)$ /$1 break;
        proxy_set_header    Host                        oauth-internal.yandex.ru;
        proxy_set_header    Ya-Consumer-Client-Ip       $ya_consumer_client_ip;
        proxy_set_header    X-Request-Id                $request_id;
        proxy_set_header    X-YProxy-Header-Ip          $http_x_yproxy_header_ip;

        antirobot_request /nocaptcha-antirobot;

        proxy_pass https://oauth-internal.yandex.ru;
        mirror /ysa_mirror;
    }

    location ~ ^/1/(?:revoke_token|check_in|device/code)/?$ {
        rewrite ^/(.*)/$ /$1;
        rewrite ^/1/(.*)$ /$1 break;
        proxy_set_header    Host                        oauth-internal.yandex.ru;
        proxy_set_header    Ya-Consumer-Client-Ip       $ya_consumer_client_ip;
        proxy_set_header    X-Request-Id                $request_id;
        proxy_set_header    X-YProxy-Header-Ip          $http_x_yproxy_header_ip;

        antirobot_request /nocaptcha-antirobot;

        proxy_pass https://oauth-internal.yandex.ru;
    }

    location ~ ^/(?:3/authorize/submit|2/authorize/commit|1/device/authorize/(?:submit|commit))/?$ {
        rewrite ^/(.*)/$ /$1;
        rewrite ^/(.*)$ /iface_api/$1?consumer=mobileproxy break;
        proxy_set_header    Host                        oauth-internal.yandex.ru;
        proxy_set_header    Ya-Consumer-Client-Ip       $ya_consumer_client_ip;
        proxy_set_header    X-Request-Id                $request_id;
        proxy_set_header    X-YProxy-Header-Ip          $http_x_yproxy_header_ip;

        antirobot_request /nocaptcha-antirobot;

        proxy_pass https://oauth-internal.yandex.ru;
    }

    location ~ ^/1/user_info/anonymized/?$ {
        rewrite ^/(.*)/$ /$1;
        rewrite ^/(.*)$ /api/$1?consumer=mobileproxy break;
        proxy_set_header    Host                        oauth-internal.yandex.ru;
        proxy_set_header    Ya-Consumer-Client-Ip       $ya_consumer_client_ip;
        proxy_set_header    X-Request-Id                $request_id;
        proxy_set_header    X-YProxy-Header-Ip          $http_x_yproxy_header_ip;

        antirobot_request /nocaptcha-antirobot;

        proxy_pass https://oauth-internal.yandex.ru;
    }

    location ~ ^/1/account/register/(?:simple|alternative)/? {
        return 404;
    }

    location ~ ^/1/bundle/mobile/auth/password/? {
        rewrite ^/(.*)/$ /$1;
        rewrite ^/(.*)$ /mobileproxy/$1/ break;
        proxy_set_header    Host                        passport-internal.yandex.ru;
        proxy_set_header    Ya-Consumer-Client-Ip       $ya_consumer_client_ip;
        proxy_set_header    X-Request-Id                $request_id;
        proxy_set_header    X-YProxy-Header-Ip          $http_x_yproxy_header_ip;

        antirobot_request /nocaptcha-antirobot;

        proxy_pass https://passport-internal.yandex.ru;
        mirror /ysa_mirror;
    }

    location ~ ^/(?:1/(?:account/(?:register|subscription)|captcha|login|oauth/token|phonenumber|questions|social_token$|statbox|suggest|track|user_info/?$|validation)|1/bundle/|2/bundle/) {
        rewrite ^/(.*)/$ /$1;
        rewrite ^/(.*)$ /mobileproxy/$1/ break;
        proxy_set_header    Host                        passport-internal.yandex.ru;
        proxy_set_header    Ya-Consumer-Client-Ip       $ya_consumer_client_ip;
        proxy_set_header    X-Request-Id                $request_id;
        proxy_set_header    X-YProxy-Header-Ip          $http_x_yproxy_header_ip;

        antirobot_request /nocaptcha-antirobot;

        proxy_pass https://passport-internal.yandex.ru;
    }

    location ~ ^/1/user_info/intranet/?$ {
        rewrite ^/(.*)$ /mobileproxy/1/user_info/ break;
        proxy_set_header    Host                        passport-internal.yandex-team.ru;
        proxy_set_header    Ya-Consumer-Client-Ip       $ya_consumer_client_ip;
        proxy_set_header    X-Request-Id                $request_id;
        proxy_set_header    X-YProxy-Header-Ip          $http_x_yproxy_header_ip;

        antirobot_request /nocaptcha-antirobot;

        proxy_pass https://passport-internal.yandex-team.ru;
    }

    location ~ ^/2/change_avatar/?$ {
        client_max_body_size 10m;
        rewrite ^/(.*)/$ /$1;
        rewrite ^/(.*)$ /mobileproxy/$1/ break;
        proxy_set_header    Host                        passport-internal.yandex.ru;
        proxy_set_header    Ya-Consumer-Client-Ip       $ya_consumer_client_ip;
        proxy_set_header    X-Request-Id                $request_id;
        proxy_set_header    X-YProxy-Header-Ip          $http_x_yproxy_header_ip;

        antirobot_request /nocaptcha-antirobot;

        proxy_pass https://passport-internal.yandex.ru;
    }

    location ~ ^/1/external_auth_by_login/?$ {
        # support for deprecated api method name
        rewrite ^/.*$ /1/external_auth_by_password;
    }

    location ~ ^/1/external_auth_by_(oauth|external_token|password|password_ex)/?$ {
        if ($request_method != POST) {
            return 403;
        }
        rewrite /1/external_(.*) /api/mobile/v1/$1 break;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;

        antirobot_request /nocaptcha-antirobot;

        proxy_pass https://xeno.mail.yandex.net;
    }

    location ~ ^/1/authz_in_app/entrust_to_account/?$ {
        rewrite ^/(.*)/$ /$1;
        rewrite ^/1/(.*)$ /broker2/$1 break;
        proxy_set_header    Host                        social.yandex.ru;
        proxy_set_header    Ya-Consumer-Client-Ip       $ya_consumer_client_ip;
        proxy_set_header    X-Request-Id                $request_id;
        proxy_set_header    X-YProxy-Header-Ip          $http_x_yproxy_header_ip;

        antirobot_request /nocaptcha-antirobot;

        proxy_pass https://social.yandex.ru;
    }

    location ~ ^/1/(?:bind_yandex_by_token|does_profile_exist_by_token)/?$ {
        rewrite ^/(.*)/$ /$1;
        rewrite ^/1/(.*)$ /brokerapi/$1?consumer=mobileproxy&$args break;
        proxy_set_header Ya-Consumer-Authorization $http_authorization;
        proxy_set_header    Host                        api.social.yandex.ru;
        proxy_set_header    Ya-Consumer-Client-Ip       $ya_consumer_client_ip;
        proxy_set_header    X-Request-Id                $request_id;
        proxy_set_header    X-YProxy-Header-Ip          $http_x_yproxy_header_ip;

        antirobot_request /nocaptcha-antirobot;

        proxy_pass https://api.social.yandex.ru;
    }

    location ~ ^/api/v1/pins/?$ {
        access_log /var/log/nginx/mobileproxy-pins.access.log.gz mobileproxy buffer=1024k flush=5s gzip=9;

        if ($arg_app_id = '') {
            return 400;
        }
        if ($arg_app_version = '') {
            return 400;
        }
        if ($arg_app_platform = '') {
            return 400;
        }
        if ($arg_manufacturer = '') {
            return 400;
        }
        if ($arg_model = '') {
            return 400;
        }

        root /usr/lib/yandex/mobileproxy-nginx/pins;
        try_files /pins.json =404;
    }

    location ~ ^/api/v1/desktop_pins/?$ {
        access_log /var/log/nginx/mobileproxy-pins.access.log.gz mobileproxy buffer=1024k flush=5s gzip=9;

        if ($arg_app_id = '') {
            return 400;
        }
        if ($arg_app_version = '') {
            return 400;
        }
        if ($arg_app_platform = '') {
            return 400;
        }
        if ($arg_os_version = '') {
            return 400;
        }

        root /usr/lib/yandex/mobileproxy-nginx/pins;
        try_files /desktop_pins.json =404;
    }

    location /legal/rules {
        set $var_lang $arg_lang;

        antirobot_request /antirobot;

        if ($lang_host = yandex.ru) {
            proxy_pass https://yandex.ru;
        }
        if ($lang_host = yandex.by) {
            proxy_pass https://yandex.by;
        }
        if ($lang_host = yandex.com) {
            proxy_pass https://yandex.com;
        }
        if ($lang_host = yandex.kz) {
            proxy_pass https://yandex.kz;
        }
        if ($lang_host = yandex.com.tr) {
            proxy_pass https://yandex.com.tr;
        }
        if ($lang_host = yandex.ua) {
            proxy_pass https://yandex.ua;
        }
        if ($lang_host = legal.yandex.com) {
            proxy_pass https://legal.yandex.com;
        }

        rewrite ^(.*)$ $lang_url?$lang_param break;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $lang_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-For-Y $remote_addr;
        proxy_set_header Cache-Control no-cache;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;
        proxy_intercept_errors off;
        proxy_redirect off;
    }

    location = /ysa_mirror {
        internal;

        access_log /var/log/nginx/mobileproxy-ysa.access.log mobileproxy buffer=128k flush=5s;
        error_log /var/log/nginx/mobileproxy-ysa.error.log warn;
        log_subrequest on;

        proxy_read_timeout    3ms;
        proxy_send_timeout    1ms;
        proxy_connect_timeout 1ms;
        proxy_http_version    1.1;
        proxy_set_header      Connection "";
        proxy_set_header      X-Request-Id   $request_id;
        proxy_set_header      X-Real-IP      $remote_addr;
        proxy_set_header      X-Real-Port    $remote_port;
        proxy_set_header      X-Server-IP    $server_addr;
        proxy_set_header      X-Server-Port  $server_port;
        proxy_pass http://ysa$request_uri;
    }

    include /etc/nginx/conf.d/antirobot_locations;

    location / {
        return 404;
    }
}
