upstream tomcat {
    server tomcat:8080;
}

upstream ghost {
    server ghost:2368;
}

# HTTP
server {
    listen 80                               default_server;
    listen [::]:80                          default_server ipv6only=on;
    server_name                             ${NGINX_HOST};

    error_log                               /var/log/nginx/error.log;
    access_log                              /var/log/nginx/access.log;

    rewrite ^ https://$http_host$request_uri? permanent;
}

# HTTPS
server {
    listen      443                         ssl http2;
    listen [::]:443                         ssl http2;
    server_name                             ${NGINX_HOST};

    error_log                               /var/log/nginx/error.log;
    access_log                              /var/log/nginx/access.log;

    add_header                              Strict-Transport-Security "max-age=31536000" always;
    ssl_session_cache                       shared:SSL:20m;
    ssl_session_timeout                     10m;
    ssl_protocols                           TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers               on;
    ssl_ciphers                             "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;";
    ssl_stapling                            on;
    ssl_stapling_verify                     on;
    resolver                                8.8.8.8 1.1.1.1;
    ssl_certificate                         /etc/letsencrypt/live/openrsc.com/fullchain.pem;
    ssl_certificate_key                     /etc/letsencrypt/live/openrsc.com/privkey.pem;
    ssl_trusted_certificate                 /etc/letsencrypt/live/openrsc.com/chain.pem;

    root /var/www/html/;

    index index.php index.html index.htm index.jsp;

    client_max_body_size                    100M;

    ####### Proxies #######
    # PHP proxy
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass php:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }

    # Ghost proxy
    location /blog {
        proxy_pass                          http://ghost;
        proxy_set_header  Host              $http_host;   # required for docker client's sake
        proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
        proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_read_timeout                  900;
    }

    # Tomcat proxy
    location ~ \.jsp$ {
        proxy_set_header X-Forwarded-Host   $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
        proxy_pass                          http://tomcat;
    }

    ####### PHPBB #######
    # Deny access to internal phpbb files.
    location ~ /board(config\.php|common\.php|files|images/avatars/upload|includes|(?<!ext/)phpbb|store|vendor) {
    		deny all;
        # deny was ignored before 0.8.40 for connections over IPv6.
        # Use internal directive to prohibit access on older versions.
        internal;
		}

    # Correctly pass scripts for installer
    location /install/ {
        try_files $uri $uri/ @rewrite_installapp;

				location ~ \.php(/|$) {
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass php:9000;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
        }
		}

    location @rewrite_installapp {
        rewrite ^(.*)$ /board/install/app.php/$1 last;
    }

    # Deny access to version control system directories.
    location ~ /\.svn|/\.git {
        deny all;
        internal;
    }
}