map $http_user_agent $log_ua {
  ~Monit 0;
  default 1;
}

server {
  listen 80;
  listen [::]:80;
  server_name {{ app_domain | mandatory }};
  # enforce https
  return 301 https://$server_name$request_uri;
}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name {{ app_domain }};

  ssl_certificate /etc/letsencrypt/live/{{ app_domain }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ app_domain }}/privkey.pem;

  # Add headers to serve security related headers
  # Before enabling Strict-Transport-Security headers please read into this
  # topic first.
  # add_header Strict-Transport-Security "max-age=15768000;
  # includeSubDomains; preload;";
  #
  # WARNING: Only add the preload option once you read about
  # the consequences in https://hstspreload.org/. This option
  # will add the domain to a hardcoded list that is shipped
  # in all major browsers and getting removed from this list
  # could take several months.

  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag all; # https://developers.google.com/search/docs/advanced/robots/robots_meta_tag
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;
  add_header Strict-Transport-Security "max-age=15768000";

  # Enable gzip but do not remove ETag headers
  gzip on;
  gzip_vary on;
  gzip_comp_level 4;
  gzip_min_length 256;
  gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
  gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;


  access_log {{ www_log }}/{{ app_instance_id }}/access.log combined if=$log_ua;
  error_log {{ www_log }}/{{ app_instance_id }}/error.log;

  # set max upload size
  client_max_body_size 512M;
  fastcgi_buffers 64 4K;


  location / {
      proxy_set_header HOST $host;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Host $server_name;
      proxy_pass http://localhost:{{ app_main_port }};
  }

}