#
# Copyright 2021 The Kubernetes Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# 

map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}

server {
  listen 9080 default_server;
  listen [::]:9080 default_server;

  root /usr/share/nginx/html;

  location / {
    gzip_static on;
  }

  # serving up the client
  location /index.html {
    add_header Set-Cookie KUI_PROXY_COHOSTED=true;

    # Inject CSP nonce. We use the nginx request_id as our nonce.
    set $cspNonce "$request_id";
    sub_filter_once off;
    sub_filter_types *;
    sub_filter kuiDefaultNonce $cspNonce;

    # ContentSecurityPolicy
    add_header Content-Security-Policy "${CSP}" always;

    # opengraph properties
    # twitter card properties
    sub_filter <head> '<head>${OPENGRAPH}';
  }

  # /exec is sent to the kui proxy; this is websocket initiation
  location /exec {
    proxy_pass http://localhost:3000;
    proxy_http_version 1.1;  
  }

  # /bash is sent to the kui proxy; these are websocket communications
  location /bash {
    proxy_pass http://localhost:3000;
    proxy_http_version 1.1;  
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
  }

  # You may need this to prevent return 404 recursion.
  location = /404.html {
    internal;
  }
}