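# Reverse proxy and static front end for sharplook: serves the built SPA from
# `root` and forwards /api/itoa, /api/spl and /api/alarm_rule to three backends.

# Backend pools. Traffic to these upstreams is plain HTTP (see proxy_pass below),
# so it is unencrypted on the internal network.
upstream spl_server {
    server 192.168.31.83:8899;
}

upstream itoa_server {
    server 192.168.31.23:38899;
}

upstream alarm_server {
    server 192.168.31.36:8080;
}

# Port 80: redirect everything to HTTPS.
# NOTE(review): this is the default_server, so requests with any Host header land
# here and $host is echoed into the Location header. Consider redirecting to a
# fixed name if arbitrary Host values should not be reflected.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name sharplook.eoitek.local;
    charset utf-8;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2 fastopen=5 reuseport;
    listen [::]:443 ssl http2 fastopen=5 reuseport;
    server_name sharplook.eoitek.local sharplook.eoitek.com;
    charset utf-8;

    # NOTE(review): the document root is a CI runner build directory, so anything
    # able to write to that workspace changes what is served. Deploying the built
    # artifacts to a dedicated, read-only directory would separate the two.
    root /home/gitlab-runner/builds/1798bc57/0/EOI/newlook/dist;

    # The private key must stay readable by root only.
    ssl_certificate /root/public.crt;
    ssl_certificate_key /root/private.rsa;

    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 60m;
    # Ticket keys are created at start-up and kept until reload; without rotation
    # a leaked ticket key exposes every TLS 1.2 session resumed with it.
    ssl_session_tickets on;

    # TLSv1 and TLSv1.1 removed: both are deprecated (RFC 8996) and only enable
    # downgrade to weaker record protection.
    ssl_protocols TLSv1.2 TLSv1.3;
    #ssl_stapling on;
    #ssl_stapling_verify on;

    # 3DES suites removed (64-bit block cipher, SWEET32). The remaining RSA+AES*
    # entries offer no forward secrecy; drop them once no client needs them.
    # NOTE(review): confirm the linked TLS library recognises CHACHA20_POLY1305
    # as a cipher-string token.
    ssl_ciphers CHACHA20_POLY1305:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:!MD5;
    ssl_prefer_server_ciphers on;

    gzip on;
    gzip_types text/plain application/javascript text/css image/svg+xml;
    gzip_proxied no-cache no-store private expired auth;
    gzip_static on;
    gunzip on;

    # Server-level HSTS. Any location that declares its own add_header stops
    # inheriting this one and has to repeat it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Font MIME types. Regex locations are tried in file order, so font requests
    # stop here and never reach the caching location below.
    location ~* \.(otf|eot|woff|ttf|woff2)$ {
        types {
            font/opentype otf;
            application/vnd.ms-fontobject eot;
            font/truetype ttf;
            application/font-woff woff;
            font/woff2 woff2;
        }
    }

    # Long-lived caching for static assets.
    # NOTE(review): `map` publishes source maps; confirm that is intended for a
    # production build.
    location ~* \.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|ttf|woff|woff2|css|js|map)$ {
        access_log off;
        expires 1M;
        add_header Cache-Control "public, immutable";
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        break;
    }

    # API proxies. In each block `rewrite` strips the public prefix and `break`
    # stops rewrite processing so the new URI is proxied from this location
    # instead of triggering a fresh location search.
    #
    # NOTE(review): these are prefix matches with no trailing slash, so a path
    # such as /api/itoaX is also routed to the backend; use "/api/itoa/" style
    # prefixes if only the exact path segment should match.
    #
    # X-Forwarded-For is built with $proxy_add_x_forwarded_for, which appends to
    # whatever the client already sent. Backends should trust X-Real-IP (set from
    # $remote_addr) or the last hop, never the first X-Forwarded-For entry.
    location ^~ /api/itoa {
        rewrite '^/api(.*)' $1;
        expires off;
        proxy_pass http://itoa_server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        break;
    }

    # NOTE(review): for the bare path /api/spl this rewrite produces an empty
    # URI, and for /api/splX one without a leading slash; confirm both cases are
    # rejected or handled as intended.
    location ^~ /api/spl {
        rewrite '^/api/spl(.*)' $1;
        expires off;
        proxy_pass http://spl_server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        break;
    }

    location ^~ /api/alarm_rule {
        rewrite '^/api(.*)' $1;
        expires off;
        proxy_pass http://alarm_server;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:$server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        break;
    }

    # Any other /api path is not exposed.
    location /api {
        return 404;
    }

    # SPA fallback: serve the file or directory if it exists, else index.html.
    location / {
        try_files $uri $uri/ /index.html =404;
        expires 0;
        add_header Cache-Control "private, must-revalidate";
        # Same max-age as the server-level header. The previous 86400 here made
        # every page load shorten the browser's stored HSTS policy to one day.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    }
}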