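## The Chinwag ejabberd setup does not do any HTTP SSL termination in ejabberd
## itself at all. ejabberd uses unencrypted HTTP connections, but only listens
## on the localhost interface. This simplifies the config a great deal.

## Translate the client's Upgrade header into the Connection header nginx
## sends upstream: "upgrade" during a WebSocket handshake, "close" for an
## ordinary proxied request. The proxied locations below reference
## $connection_upgrade instead of hard-coding "upgrade", so plain HTTP
## requests to /admin and /bosh are no longer advertised to ejabberd as
## upgrade attempts.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    ## If using Let's Encrypt domain validation directly through ejabberd,
    ## it might be handy to have a section here as a virtual host definition
    ## for all XMPP-related subdomains that need certificates.
    ##
    ## If using DNS validation, this can all be skipped, but you'll need a
    ## script run via LE renewal hooks to reload ejabberd when the certificates
    ## are refreshed.
    ##
    ## Note this is in HTTP config only, not HTTPS.
    listen 80;
    listen [::]:80;

    server_name chat.chinwag.org;

    access_log /var/log/nginx/chat.chinwag.org-access.log;
    error_log  /var/log/nginx/chat.chinwag.org-error.log;

    ## ACME HTTP-01 challenges are handed to ejabberd on the same loopback
    ## listener every other proxied location uses (previously this pointed
    ## at [::]:5280, the unspecified IPv6 address, which only reaches the
    ## local host by platform-specific accident).
    location /.well-known/acme-challenge {
        proxy_pass http://127.0.0.1:5280/.well-known/acme-challenge;
    }

    ## Send everything to HTTPS host
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    ## chat.chinwag.org is the only hostname advertised for user-facing services. You
    ## might want to have a catch all redirect for things like pubsub, conference, etc
    ## subdomains that redirect here, or to a general landing page.
    ## "chat" was chosen as a more informative domain option than "xmpp" which I've
    ## deliberately avoided using in any place a user might encounter it.
    server_name chat.chinwag.org;

    index index.html;

    access_log /var/log/nginx/chat.chinwag.org-access.log;
    error_log  /var/log/nginx/chat.chinwag.org-error.log;

    ssl_certificate     /etc/letsencrypt/live/chat.chinwag.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/chat.chinwag.org/privkey.pem;

    ## TLS 1.1 was removed from the offered set: TLS 1.0 and 1.1 are
    ## deprecated (RFC 8996) and offering 1.1 only weakens the minimum a
    ## client can negotiate down to.
    ssl_protocols TLSv1.2 TLSv1.3;

    ## Consider advertising HSTS once the port-80 redirect above is known to
    ## be permanent; without includeSubDomains it binds only this hostname:
    ##   add_header Strict-Transport-Security "max-age=31536000" always;

    # A minimal index page that loads a ConverseJS client lives here
    location / {
        root /srv/www/chat.chinwag.org/;
    }

    location /logo/conversejs-filled.svg {
        return 301 https://static.chinwag.org/chinwag-logo-simple-mono.svg;
    }

    # Adding IP-based restrictions to access this area might be desirable.
    # The admin UI is reachable from the internet as configured; limit it to
    # trusted source addresses (or front it with authentication) before
    # relying on it:
    #   allow <ADMIN_SOURCE_CIDR>;   # placeholder: an office/VPN range
    #   deny  all;
    #
    # NOTE(review): these prefix locations have no trailing slash while the
    # proxy_pass URIs do, so e.g. /admin/x is forwarded as /admin//x.
    # ejabberd evidently tolerates the doubled slash; "location /admin/"
    # would be the exact form, but bare /admin would then stop matching,
    # so confirm before changing. Same applies to /bosh, /files and /ws.
    location /admin {
        proxy_pass http://127.0.0.1:5280/admin/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # BOSH endpoint
    location /bosh {
        proxy_pass http://127.0.0.1:5280/bosh/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # BOSH holds long-polling requests open; keep the upstream read
        # timeout well above the client's wait interval.
        proxy_read_timeout 3600;
    }

    # All HTTP image etc uploads are handled under https://chat.chinwag.org/files
    # see ejabberd.yml for the other side of this, files are kept in /srv/www/ejabberd
    # which will need write permissions for the ejabberd process user.
    #
    # CORS headers are handled by ejabberd.
    #
    # NOTE(review): unless it is set in the enclosing http {} context, nginx's
    # default client_max_body_size (1m) applies to uploads here; set it to
    # match the upload limit configured on the ejabberd side — confirm.
    location /files {
        proxy_pass http://127.0.0.1:5280/files/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Websocket endpoint. HTTP/1.1 plus the Upgrade/Connection pair from the
    # map above are what make the WebSocket handshake pass through nginx.
    location /ws {
        proxy_pass http://127.0.0.1:5280/ws/;
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Idle WebSocket sessions would otherwise be cut at the 60s default.
        proxy_read_timeout 3600;
    }
}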