# Copyright (c) Mainflux
# SPDX-License-Identifier: Apache-2.0

# This is the Mainflux NGINX configuration for mututal authentication based on X.509 certifiactes.

user nginx;
worker_processes auto;
worker_cpu_affinity auto;
pid /run/nginx.pid;
load_module /etc/nginx/modules/ngx_stream_js_module.so;
load_module /etc/nginx/modules/ngx_http_js_module.so;
include /etc/nginx/modules-enabled/*.conf;

events {
    # Explanation: https://serverfault.com/questions/787919/optimal-value-for-nginx-worker-connections
    # We'll keep 10k connections per core (assuming one worker per core)
    worker_connections 10000;
}

http {
    include snippets/http_access_log.conf;

    js_include authorization.js;
    js_set $auth_key setKey;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Include single-node or multiple-node (cluster) upstream
    include snippets/mqtt-ws-upstream.conf;

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        ssl_verify_client optional;
        include snippets/ssl.conf;
        include snippets/ssl-client.conf;

        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header Access-Control-Allow-Origin '*';
        add_header Access-Control-Allow-Methods '*';
        add_header Access-Control-Allow-Headers '*';

        server_name localhost;

        # Proxy pass to users service
        location ~ ^/(users|tokens) {
            include snippets/proxy-headers.conf;
            proxy_pass http://users:${MF_USERS_HTTP_PORT};
        }

        # Proxy pass to things service
        location ~ ^/(things|channels|connect) {
            include snippets/proxy-headers.conf;
            add_header Access-Control-Expose-Headers Location;
            proxy_pass http://things:${MF_THINGS_HTTP_PORT};
        }

        location /version {
            include snippets/proxy-headers.conf;
            proxy_pass http://things:${MF_THINGS_HTTP_PORT};
        }

        # Proxy pass to mainflux-http-adapter
        location /http/ {
            include snippets/verify-ssl-client.conf;
            include snippets/proxy-headers.conf;
            proxy_set_header Authorization $auth_key;

            # Trailing `/` is mandatory. Refer to the http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass
            # If the proxy_pass directive is specified with a URI, then when a request is passed to the server,
            # the part of a normalized request URI matching the location is replaced by a URI specified in the directive
            proxy_pass http://http-adapter:${MF_HTTP_ADAPTER_PORT}/;
        }

        # Proxy pass to mainflux-mqtt-adapter over WS
        location /mqtt {
            include snippets/verify-ssl-client.conf;
            include snippets/proxy-headers.conf;
            include snippets/ws-upgrade.conf;
            proxy_pass http://mqtt_ws_cluster;
        }
    }
}

# MQTT
stream {
   include snippets/stream_access_log.conf;

    # Include JS script for mTLS
    js_include authorization.js;

    # Include single-node or multiple-node (cluster) upstream
    include snippets/mqtt-upstream.conf;
    ssl_verify_client on;
    include snippets/ssl-client.conf;

    server {
        listen ${MF_NGINX_MQTT_PORT};
        listen [::]:${MF_NGINX_MQTT_PORT};
        listen ${MF_NGINX_MQTTS_PORT} ssl;
        listen [::]:${MF_NGINX_MQTTS_PORT} ssl;

        include snippets/ssl.conf;
        js_preread authenticate;

        proxy_pass mqtt_cluster;
    }
}

error_log  info.log info;