upstream antirobot {
    server antirobot.yandex.ru:80 max_fails=0;
    keepalive 2;
}

server {
    # SLB IP
    listen 213.180.193.24:443 ssl default_server backlog=1024;
    listen [2a02:6b8::1:24]:443 ssl default_server backlog=1024;

    # Server IP
    listen [1::2:3:4]:443 ssl default_server backlog=1024;
    listen 127.0.0.1:443 ssl default_server backlog=1024;
    listen [::1]:443 ssl default_server backlog=1024;


    ssl_certificate             /etc/nginx/certs/passport.yandex-team.ru.crt;
    ssl_certificate_key         /etc/nginx/certs/passport.yandex-team.ru.key;
    ssl_session_cache           shared:SSL:256m;
    ssl_session_timeout         28h;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                 kEECDH+AES128:kEECDH:-3DES:kRSA+AES128:DES-CBC3-SHA:!kEDH:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
    ssl_prefer_server_ciphers   on;

    access_log /var/log/nginx/passport.access.log main;
    error_log /var/log/nginx/passport.error.log;

    rewrite ^(.*)$ https://passport.yandex-team.ru? permanent;
}


server {
    # SLB IP
    listen 213.180.193.24:443 ssl;
    listen [2a02:6b8::1:24]:443 ssl;

    # Server IP
    listen [1::2:3:4]:443 ssl;
    listen 127.0.0.1:443 ssl;
    listen [::1]:443 ssl;

    server_name pda-passport.yandex-team.ru;

    ssl_certificate             /etc/nginx/certs/passport.yandex-team.ru.crt;
    ssl_certificate_key         /etc/nginx/certs/passport.yandex-team.ru.key;
    ssl_session_cache           shared:SSL:256m;
    ssl_session_timeout         28h;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                 kEECDH+AES128:kEECDH:-3DES:kRSA+AES128:DES-CBC3-SHA:!kEDH:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
    ssl_prefer_server_ciphers   on;

    access_log /var/log/nginx/passport.access.log main;
    error_log /var/log/nginx/passport.error.log;

    if ($host ~ pda-(.*)) {
        set $host_without_pda $1;
        return 301 $scheme://$host_without_pda$request_uri;
    }
}


server {
    # SLB IP
    listen 213.180.193.24:443 ssl;
    listen [2a02:6b8::1:24]:443 ssl;

    # Server IP
    listen [1::2:3:4]:443 ssl;
    listen 127.0.0.1:443 ssl;
    listen [::1]:443 ssl;

    server_name passport.yandex-team.ru;

    ssl_certificate             /etc/nginx/certs/passport.yandex-team.ru.crt;
    ssl_certificate_key         /etc/nginx/certs/passport.yandex-team.ru.key;
    ssl_session_cache           shared:SSL:256m;
    ssl_session_timeout         28h;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                 kEECDH+AES128:kEECDH:-3DES:kRSA+AES128:DES-CBC3-SHA:!kEDH:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
    ssl_prefer_server_ciphers   on;

    add_header Strict-Transport-Security "max-age=315360000; includeSubDomains";

    access_log /var/log/nginx/passport.access.log main;
    error_log /var/log/nginx/passport.error.log;

    set $global_request_id $request_id;

    if ($request_uri ~ "[\x00-\x20\x7F]") {
        return 400;
    }

    proxy_set_header Host               $host;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_set_header X-Real-Scheme      $scheme;
    proxy_set_header Ya-Host            $host;
    proxy_set_header X-PyPa             "";
    proxy_set_header X-Request-Id       $global_request_id;
    proxy_set_header X-HTTPS-Req        on;
    proxy_set_header X-YProxy-Header-Ip $http_x_yproxy_header_ip;
    proxy_set_header X-Wh-Cache         "";

    proxy_store       off;
    keepalive_timeout 5 5;
    charset           utf-8;

    error_page 404 https://$http_host/passport?mode=passport;
    error_page 413 =200 /413.html;

    if ($arg_mode) {
        rewrite ^/$ /passport redirect;
    }
    if ($arg_mode = '') {
        rewrite ^/$ /profile    redirect;
    }
    rewrite ^/js/(\d+)/(.*)  /js/$2  break;
    rewrite ^/css/(\d+)/(.*) /css/$2 break;

    if ($arg_mode = 'remember') {
        rewrite ^(.*)$ https://$http_host/passport?mode=restore?;
    }

    if ($arg_mode = 'services') {
        rewrite ^(.*)$ https://$http_host/passport?mode=passport?;
    }

    location ~ "^/(a/|2fa|d31337d|auth|profile|registration|register/link|restoration|redirect|for/[^/]+/(?:finish|profile|migrate)|suggest|support|account|info|closewebview|phoneconfirm|xhr|am|for|passport)" {
        set $antirobot "/antirobot";
        if ( $request_method != "GET" ) {
            set $antirobot "/nocaptcha-antirobot";
        }
        antirobot_request $antirobot;
        proxy_pass http://127.0.0.1:3000;
    }

    location = /push {
        antirobot_request /nocaptcha-antirobot;
        proxy_pass http://127.0.0.1:3030;
    }

    location = /pull {
        antirobot_request /nocaptcha-antirobot;
        proxy_pass http://127.0.0.1:3030;
    }

    location ~ "^/(cspreport|monitoring)" {
        proxy_pass http://127.0.0.1:3020;
    }

    location /st {
        rewrite ^/st(.*)$ $1 break;
        root /usr/lib/yandex/passport-frontend/public;
    }

    location ~ (?:/\.svn|^/fonts) {
        error_page 404 https://$http_host/passport?mode=passport;
    }

    location /bar.txt {
        error_page 404 =404 /bar.txt;
        return 404;
    }

    location = /apple-app-site-association {
        types { }
        default_type application/pkcs7-mime;
        root /usr/lib/yandex/passport-front-web-data/data;
    }

    location = /.well-known/apple-app-site-association {
        rewrite ^/\.well-known/apple-app-site-association$ /apple-app-site-association last;
    }

    location = /.well-known/assetlinks.json {
        alias /usr/lib/yandex/passport-front-web-data/data/assetlinks.json;
    }

    location = /.well-known/change-password {
        rewrite ^/\.well-known/change-password$ /profile/password redirect;
    }

    location = /mc/pixel {
        types { }
        default_type image/gif;
        add_header Strict-Transport-Security "max-age=315360000; includeSubDomains";
        add_header "Access-Control-Allow-Origin" "*";
        root /usr/lib/yandex/passport-front-web-data/data;
    }

    location / {
        expires 7d;
        root /usr/lib/yandex/passport-front-web-data/data;
    }

    location = /ping.html {
        proxy_set_header Host '';
        proxy_pass http://127.0.0.1:6000/ping?check=blackbox,frontend,redis;
        add_header Strict-Transport-Security "max-age=315360000; includeSubDomains";
        add_header RS-Weight 16;
    }

    location = /stub-status {
        allow ::1;
        allow 127.0.0.1;
        deny all;
        stub_status on;
    }

    include /etc/nginx/conf.d/antirobot_locations;
}
