# nginx front end for an authentik deployment: a loopback-only health server,
# an HTTP listener that redirects to HTTPS (except ACME challenges), and an
# HTTPS listener that proxies everything to the authentik upstream over TLS.
# ${NGINX_*} placeholders are substituted by the deployment tooling at start.

# Upstream where your authentik server is hosted.
upstream authentik {
    server server:9443;
    # Improve performance by keeping some connections alive.
    keepalive 10;
}

# Upgrade WebSocket if requested, otherwise use keepalive.
# Without an Upgrade header the Connection header is emptied, which lets the
# keepalive pool above be reused (proxy_http_version 1.1 is set below).
map $http_upgrade $connection_upgrade_keepalive {
    default upgrade;
    '' '';
}

# Server just for serving a health endpoint.
# Bound to loopback only, so /health is not reachable from outside the host.
server {
    listen 127.0.0.1:8181;
    server_name localhost;

    # replace with the IP address of your resolver
    # NOTE(review): nothing in this server block resolves names; the directive
    # appears to mirror the HTTPS server below and is harmless here.
    resolver ${NGINX_RESOLVER};

    # Handle /health separately without serving any files
    location = /health {
        access_log off;
        default_type text/plain;
        return 200 'OK';
    }
}

# Redirect to HTTPS
server {
    listen ${NGINX_HTTP_PORT};
    listen [::]:${NGINX_HTTP_PORT};
    server_name ${NGINX_SERVERNAME};

    # Exclude Let's Encrypt directory from redirection
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    # Redirect all other traffic to HTTPS.
    # $host comes from the client's Host header with any port stripped, so the
    # redirect only reaches the HTTPS server below when NGINX_HTTPS_PORT is 443.
    # NOTE(review): if this block ends up as the default server it would echo
    # whatever Host value the client sent — confirm a separate default server
    # catches unmatched names.
    location / {
        return 302 https://$host$request_uri;
    }
}

# HTTPS Server
server {
    listen ${NGINX_HTTPS_PORT} ssl;
    listen [::]:${NGINX_HTTPS_PORT} ssl;
    http2 on;
    server_name ${NGINX_SERVERNAME};

    # NOTE(review): certificate paths are fixed to sso.base23.de while
    # server_name is templated; a deployment with a different NGINX_SERVERNAME
    # serves a mismatching certificate unless these files are replaced too.
    ssl_certificate /etc/nginx/ssl/certs/sso.base23.de.crt;
    ssl_certificate_key /etc/nginx/ssl/certs/sso.base23.de.key;
    ssl_session_timeout ${NGINX_SSL_SESSION_TIMEOUT};
    ssl_session_cache ${NGINX_SSL_SESSION_CACHE};
    ssl_dhparam /etc/nginx/ssl/dhparams.pem;

    # intermediate configuration
    ssl_protocols ${NGINX_SSL_PROTOCOLS};
    ssl_ciphers ${NGINX_SSL_CIPHERS};
    ssl_prefer_server_ciphers ${NGINX_SSL_PREFER_SERVER_CIPHERS};

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    # Left commented out as shipped: this server sends no
    # Strict-Transport-Security header, so first-time HTTP visitors rely solely
    # on the 302 in the redirect server above.
    #add_header Strict-Transport-Security ${NGINX_HEADER_STRICT_TRANSPORT_SECURITY};

    # OCSP stapling
    ssl_stapling ${NGINX_SSL_STAPLING};
    ssl_stapling_verify ${NGINX_SSL_STAPLING_VERIFY};

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/nginx/ssl/certs/sso.base23.de.issuer.crt;

    # replace with the IP address of your resolver
    # Needed by ssl_stapling to reach the OCSP responder.
    resolver ${NGINX_RESOLVER};

    client_max_body_size 50m;

    location / {
        # NOTE(review): the TLS hop to server:9443 is encrypted but not
        # authenticated — nginx's proxy_ssl_verify defaults to off, so the
        # backend certificate is not checked. Fine on a trusted container
        # network; otherwise set proxy_ssl_verify on together with a
        # proxy_ssl_trusted_certificate for the backend's issuer.
        proxy_pass https://authentik;
        # HTTP/1.1 is required for both the upstream keepalive pool and
        # WebSocket upgrades.
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Appends the connecting address to any X-Forwarded-For the client
        # already sent; the backend must trust only the last hop of that list.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Passes the client's Host header through unchanged (port included);
        # presumably so authentik sees the externally visible host — verify
        # against authentik's expectations for non-443 deployments.
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade_keepalive;
    }
}