# this section is needed to proxy web-socket connections
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# HTTP
server {
    if ($host = brmkan.malanius.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    #listen 80; # if this is not a default server, remove "default_server"
    listen [::]:80;

    server_name brmkan.malanius.net;

    # redirect non-SSL to SSL
    location / {
        rewrite     ^ https://brmkan.malanius.net$request_uri? permanent;
    }


}

# HTTPS server
server {
    listen 443 ssl http2; # we enable HTTP/2 here (previously SPDY)
    server_name brmkan.malanius.net; # this domain must match Common Name (CN) in the SSL certificate
    ssl_certificate /etc/letsencrypt/live/brmkan.malanius.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/brmkan.malanius.net/privkey.pem; # managed by Certbot

    # If your application is not compatible with IE <= 10, this will redirect visitors to a page advising a browser update
    # This works because IE 11 does not present itself as MSIE anymore
    if ($http_user_agent ~ "MSIE" ) {
        return 303 https://browser-update.org/update.html;
    }

    # Pass requests to Wekan.
    # If you have Wekan at https://example.com/wekan , change location to:
    # location /wekan {
     location / {
         proxy_pass http://127.0.0.1:3000; # has to be same port as wekan service is exposing
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade; # allow websockets
         proxy_set_header Connection $connection_upgrade;
         proxy_set_header X-Forwarded-For $remote_addr; # preserve client IP

        # this setting allows the browser to cache the application in a way compatible with Meteor
        # on every applicaiton update the name of CSS and JS file is different, so they can be cache infinitely (here: 30 days)
        # the root path (/) MUST NOT be cached
        #if ($uri != '/wekan') {
        #    expires 30d;
     }

}