# This example file shows how to configure Nginx to proxy requests to EmailEngine
# NB! Replace all occurences of emailengine.example.com in this file with your actual domain name.

# To setup Nginx, if not installed: `apt-get update && apt-get install nginx`

# Copy this file to /etc/nginx/sites-enabled/emailengine.example.com.conf

# Once set up run `nginx -t` as root to check for configuration errors
# If no errors were found run `systemctl reload nginx` as root to enable the updated configuration

server {
    # Set up an HTTPS site with HTTP redirect
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # --- Domain name ---
    # Make sure to change the domain name
    server_name emailengine.example.com;

    # --- HTTP ---
    # Redirect all requests against HTTP to HTTPS
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }

    # --- HTTPS ---
    # Make sure to use valid SSL certificates here, these must exist or Nginx would not start

    # To bootstrap you can generate self signed certificates using the following commands:
    #     sudo openssl req -subj "/CN=emailengine.example.com/O=My Company Name LTD./C=US" -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout privkey.pem -out fullchain.pem
    #     sudo chmod 0600 privkey.pem
    #     sudo mv privkey.pem /etc/ssl/private/emailengine-privkey.pem
    #     sudo mv fullchain.pem /etc/ssl/certs/emailengine-fullchain.pem

    # Once you have the server running with self signed certs, install https://achme.sh as root and run the following
    # to provision a valid and auto-renewing Let's Encrypt certificate that replaces self-signed certs:
    #     /root/.acme.sh/acme.sh --issue --nginx \
    #         -d emailengine.example.com \
    #         --key-file       /etc/ssl/private/emailengine-privkey.pem  \
    #         --fullchain-file /etc/ssl/certs/emailengine-fullchain.pem \
    #         --reloadcmd     "/bin/systemctl reload nginx"

    ssl_certificate_key /etc/ssl/private/emailengine-privkey.pem;
    ssl_certificate /etc/ssl/certs/emailengine-fullchain.pem;

    # --- PROXY ---
    location / {
        client_max_body_size 50M;
        proxy_http_version 1.1;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:3000;

        # --- IP whitelist ---
        # Uncomment to allow access from specific IP addresses only.
        # Addresses not enabled by 'allow' will get a 403 error.
        #allow  18.194.223.2/32;
        #deny   all;

        # --- Basic Auth ---
        # Use basic auth to protect from outside access
        auth_basic "Restricted Content";
        auth_basic_user_file /etc/nginx/.htpasswd-emailengine;

        # To add users to htpasswd file:
        # This command creates an incomplete user entry row. Replace 'username' with the user name you want to use
        #    sudo sh -c "echo -n 'username:' >> /etc/nginx/.htpasswd-emailengine"
        # This command appends hashed password to the previously inserted user entry row
        #    sudo sh -c "openssl passwd -apr1 >> /etc/nginx/.htpasswd-emailengine"
    }
}