log_format relution '$remote_addr - $remote_user [$time_local] '
            '"$request" $status $body_bytes_sent '
            '"$http_referer" "$http_user_agent" "$http_x_forwarded_for" '
            '$request_time $upstream_response_time $pipe';
error_log	stderr debug;

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Maps IPs to $post_limit if request type is POST
map $request_method $post_limit {
    default "";
    POST    $binary_remote_addr;
}

# Create a 10mb zone in memory for IPs, limited to 2 requests per minute
limit_req_zone $post_limit zone=post_limit_very_slow:10m rate=2r/m;

server {
    listen 0.0.0.0:80 default_server;
    listen [::]:80;
    server_name ${NGINX_HOST}; ## Replace this with something like mdm.example.com
    server_tokens off; ## Don't show the nginx version number, a security best practice
    # Redirect to HTTPS
    return 301 https://$host$request_uri;
}

server {
    listen 0.0.0.0:443 ssl default_server;
    listen [::]:443 ssl;
    server_name ${NGINX_HOST}; ## Replace this with something like mdm.example.com
    server_tokens off; ## Don't show the nginx version number, a security best practice

#    ssl_dhparam          /etc/nginx/dhparams.pem;
    ssl_certificate      /etc/nginx/server.pem;
    ssl_certificate_key  /etc/nginx/server.key;

#    ssl_stapling on;
#    ssl_stapling_verify on;
#    ssl_trusted_certificate PATH_TO_YOUR_SSL_CHAIN;

    ssl_prefer_server_ciphers   on;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_protocols TLSv1.2 TLSv1.3;

    client_max_body_size 1024M;
    large_client_header_buffers 8 32k;

    proxy_http_version 1.1;
    proxy_read_timeout 90;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    
    proxy_busy_buffers_size   512k;
    proxy_buffers   4 512k;
    proxy_buffer_size   256k;
 
    location / {
        gzip on;
        gzip_proxied any;
        gzip_min_length  1100;
        gzip_buffers 4 32k;
        gzip_types text/plain application/javascript text/xml text/css;
        gzip_vary on;
        
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://relution-docker:8080;
        proxy_read_timeout 300;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    # Limit POST requests to complianceViolations to 2 r/m
    location ~ ^/api/v1/devices/[a-zA-Z0-9-]*/complianceViolations$ {
        limit_req zone=post_limit_very_slow burst=5;
        
        gzip on;
        gzip_proxied any;
        gzip_min_length  1100;
        gzip_buffers 4 32k;
        gzip_types text/plain application/javascript text/xml text/css;
        gzip_vary on;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://relution-docker:8080;
        proxy_read_timeout 300;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    location ~ ^/relution/api/v1/devices/[a-zA-Z0-9-]*/complianceViolations$ {
        limit_req zone=post_limit_very_slow burst=5;

        gzip on;
        gzip_proxied any;
        gzip_min_length  1100;
        gzip_buffers 4 32k;
        gzip_types text/plain application/javascript text/xml text/css;
        gzip_vary on;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://relution-docker:8080;
        proxy_read_timeout 300;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    location ~ /Microsoft-Server-ActiveSync {
        proxy_read_timeout 2100;
        proxy_pass http://relution-docker:8080;
    }

    error_page 502 /502.html;
    error_page 503 /502.html;
    error_page 504 /502.html;
    location /502.html {
        root /etc/nginx/errors;
    }
}