map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream wekan {
 server wekan-service-dockerbunker:80;
}

server {
    listen 80;
	server_name ${SERVICE_DOMAIN};
    return 301 https://$host$request_uri;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Frame-Options "DENY" always;
	add_header Referrer-Policy "strict-origin" always;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
	server_tokens off;
}

server {
    listen 443;
	server_name ${SERVICE_DOMAIN};
    ssl on;
	ssl_certificate /etc/nginx/ssl/${SERVICE_DOMAIN}/cert.pem;
	ssl_certificate_key /etc/nginx/ssl/${SERVICE_DOMAIN}/key.pem;
	include /etc/nginx/includes/ssl.conf;

	add_header X-Content-Type-Options "nosniff" always;
	add_header X-XSS-Protection "1; mode=block" always;
	add_header X-Frame-Options "DENY" always;
	add_header Referrer-Policy "strict-origin" always;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
	server_tokens off;

	include /etc/nginx/includes/gzip.conf;

location / {
        proxy_pass http://wekan/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade; # allow websockets
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP

        # this setting allows the browser to cache the application in a way compatible with Meteor
        # on every applicaiton update the name of CSS and JS file is different, so they can be cache infinitely (here: 30 days)
        # the root path (/) MUST NOT be cached
        #if ($uri != '/wekan') {
        #    expires 30d;
        #}
    }

	location ~ /.well-known {
        allow all;
		root /var/www/html;
	}
}