worker_processes 1;
user nginx;

error_log /dev/stderr warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr -> $request [$status] - '
                    'referer: $http_referer $http_x_forwarded_for';
    access_log /dev/stdout main;

    server_tokens off;
    keepalive_timeout 65;

    proxy_cache_path /tmp/nginx-cache
                     levels=1:2
                     keys_zone=spa_cache:4m
                     max_size=50m
                     inactive=60m
                     use_temp_path=off;

    upstream backend {
        server __BACKEND__:6666;
    }

    server {
        listen 80 default_server;

        location ~ ^/api$ {
            return 302 /api/;
        }

        location ~ ^/api/(.*)$ {
            tcp_nodelay on;

            add_header 'Access-Control-Allow-Origin' '*';
            if ($request_method = 'OPTIONS') {
                add_header 'Access-Control-Allow-Methods'
                    'GET, POST, PUT, DELETE, OPTIONS';
                add_header 'Access-Control-Allow-Headers'
                    'Authorization, Content-Type';
                return 200;
            }

            client_max_body_size 1073741824;

            gzip on;
            gzip_comp_level 3;
            gzip_min_length 20;
            gzip_proxied expired no-cache no-store private auth;
            gzip_types text/plain application/json;

            if ($request_uri ~* "/api/(.*)") {
                proxy_pass http://backend/$1;
            }

            error_page 500 502 503 504 @badproxy;
        }

        location /data/ {
            rewrite ^/data/(.*) /$1 break;
            root /data;

            sendfile on;
            tcp_nopush on;
            tcp_nodelay on;

            error_page 403 @unauthorized;
            error_page 404 @notfound;
        }

        location ~ ^/(js|css|img|fonts)/.*$ {
            root /var/www;

            sendfile on;
            tcp_nopush on;
            tcp_nodelay on;

            gzip_static on;
            gzip_proxied expired no-cache no-store private auth;

            error_page 404 @notfound;
        }

        location / {
            tcp_nodelay on;

            # remove unneeded auth headers to improve caching
            proxy_set_header Authorization "";

            proxy_cache spa_cache;
            proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
            proxy_cache_background_update on;
            proxy_cache_lock on;

            gzip on;
            gzip_comp_level 3;
            gzip_min_length 20;
            gzip_proxied any;
            gzip_types text/plain application/json;

            if ( $http_accept ~ "application/json" ) {
                return 406 "API requests should be sent to the /api prefix";
            }

            if ($request_uri ~* "/(.*)") {
                proxy_pass http://backend/html/$1;
            }

            error_page 500 502 503 504 @badproxy;
        }

        location @unauthorized {
            return 403 "Unauthorized";
            default_type text/plain;
        }

        location @notfound {
            return 404 "Not Found";
            default_type text/plain;
        }

        location @badproxy {
            return 502 "Failed to connect to szurubooru REST API";
            default_type text/plain;
        }
    }
}

daemon off;