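# Front-end virtual host: serves static and repository files from disk and
# reverse-proxies everything else to the backend on 127.0.0.1:8080.
server {
    # NOTE(review): this block answers on both 80 and 443, so every location
    # below (including the proxied API and upload endpoints) is reachable
    # without TLS. Confirm that cleartext access is intended.
    listen 80;
    listen 443 ssl;
    server_name _;

    ssl_certificate "/opt/wapt/waptserver/ssl/cert.pem";
    ssl_certificate_key "/opt/wapt/waptserver/ssl/key.pem";
    ssl_protocols TLSv1.2;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_stapling on;
    ssl_stapling_verify on;
    # No server-side session cache and no session tickets: every connection
    # performs a full handshake.
    ssl_session_cache none;
    ssl_session_tickets off;

    # Client-certificate verification is disabled in this configuration.
    #ssl_client_certificate "/opt/wapt/conf/ca-wapt.mairie.maxime.crt";
    #ssl_crl "None";
    #ssl_verify_client optional;

    gzip_min_length 1000;
    gzip_buffers 4 8k;
    gzip_http_version 1.0;
    gzip_disable "msie6";
    gzip_types text/plain text/css application/json;
    gzip_vary on;

    index index.html;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # be sure these headers are not forwarded
        # (nginx inherits proxy_set_header only into levels that declare none
        # of their own, so the two lines below are repeated in every nested
        # location that sets proxy headers itself)
        proxy_set_header X-Ssl-Client-Dn "";
        proxy_set_header X-Ssl-Authenticated "";

        client_max_body_size 4096m;
        client_body_timeout 1800;

        location /static {
            alias "/opt/wapt/waptserver/static";
        }

        # NOTE(review): everything under /var/www/ssl is downloadable by any
        # client; make sure only public material is stored there.
        location /ssl {
            alias "/var/www/ssl";
        }

        # Deny the host-package index. This must be declared at the same level
        # as the regex locations and with ^~: a plain prefix location loses to
        # the ^/(wapt-host/.*)$ regex below, and one nested inside the
        # catch-all "location /" is never selected for this URI.
        location ^~ /wapt-host/Packages {
            return 403;
        }

        location ~ ^/(wapt/waptsetup-tis.exe|wapt/waptagent.exe|wapt/waptdeploy.exe|sync.json|rules.json)$ {
            add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
            add_header Pragma "no-cache";
            root "/var/www";
        }

        location ~ ^/(wapt/.*|waptwua/.*|wapt-diff-repos/.*)$ {
            add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
            add_header Pragma "no-cache";
            root "/var/www";
        }

        location ~ ^/(wapt-host/.*)$ {
            log_not_found off;
            add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
            add_header Pragma "no-cache";
            root "/var/www";
        }

        # Upload endpoints. No proxy_set_header is declared here, so the full
        # header set of the enclosing location (including the two cleared
        # X-Ssl-* headers) is inherited.
        location ~ ^/(api/v3/upload_packages|api/v3/upload_hosts/|upload_waptsetup) {
            proxy_pass http://127.0.0.1:8080;
            client_max_body_size 4096m;
            client_body_timeout 1800;
        }

        location / {
            add_header Cache-Control "store, no-cache, must-revalidate, post-check=0, pre-check=0";
            add_header Pragma "no-cache";

            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # This level declares its own proxy_set_header directives, so
            # nothing is inherited from the enclosing location. Clear the
            # client-certificate headers again; otherwise a client-supplied
            # X-Ssl-Client-Dn / X-Ssl-Authenticated would be passed through to
            # the backend.
            proxy_set_header X-Ssl-Client-Dn "";
            proxy_set_header X-Ssl-Authenticated "";

            client_max_body_size 4096m;
            client_body_timeout 1800;

            location /add_host_kerberos {
                auth_gss on;
                auth_gss_keytab /etc/nginx/http-krb5.keytab;
                proxy_pass http://127.0.0.1:8080;
            }

            location / {
                # NOTE(review): add_header follows the same inheritance rule
                # as proxy_set_header, so the Cache-Control and Pragma headers
                # set one level up are not added to responses from this
                # location. The two headers below also echo the client address
                # and the received X-Forwarded-For value back to the caller;
                # confirm both points are intended.
                add_header X-Forwarded-List $http_x_forwarded_for;
                add_header X-Remote-IP $remote_addr;
                proxy_pass http://127.0.0.1:8080;
            }

            location /socket.io {
                proxy_http_version 1.1;
                proxy_buffering off;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                # Upgrade/Connection are declared here, so no proxy header is
                # inherited; clear the client-certificate headers explicitly.
                proxy_set_header X-Ssl-Client-Dn "";
                proxy_set_header X-Ssl-Authenticated "";
                # NOTE(review): for the same reason Host, X-Real-IP,
                # X-Forwarded-For and X-Forwarded-Proto are not sent from this
                # location; confirm whether the backend needs them here.
                proxy_pass http://127.0.0.1:8080/socket.io;
            }
        }
    }
}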