#reroute all traffic from port 80 to ssl
server {
	listen 80;
	server_name mal2.ait.ac.at;
	return 301 https://$host$request_uri;
}

#upstream backend_fakeshop_detector {
	#server mal2-fakeshop-plugin_rest-api_server:8081 max_conns=30;
	#queue 10 timeout=30s;
#}

#see: https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
#limit rate of requests to 30 requests per minute per client IP address
limit_req_zone $binary_remote_addr zone=one:10m rate=30r/m;
#limit number of active connections per client IP address 
limit_conn_zone $binary_remote_addr zone=addr:10m;

server {
	listen 443 ssl;
	server_name mal2.ait.ac.at;
	
	#see: https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/
	client_body_timeout 15s;
    client_header_timeout 15s;
	
	#serving static content from frontend-static/www dir on mal2.ait.ac.at root dir
	root ./frontend-static/www;
    	index index.html;
	
	#keys loaded from mapped volume
	ssl_certificate     /etc/letsencrypt/live/mal2.ait.ac.at/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/mal2.ait.ac.at/privkey.pem;
	#ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;	

	error_log  /var/log/nginx/mal2.error_log  debug;

	#location /fake-shop-detector/api/1.1/ {
		#header fields that NGINX sends to the upstream server
      	#proxy_set_header Host $host;
		#proxy_set_header X-Real-IP $remote_addr;
		#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		#proxy_set_header X-Forwarded-Host $server_name;
		#proxy_set_header X-Scheme $scheme;
		#proxy_set_header X-Forwarded-Proto $scheme;
		#proxy_buffering off;
		#proxy_buffer_size 16k;
		#proxy_busy_buffers_size 24k;
		#proxy_buffers 64 4k;
		
		#proxy_pass http://local_server_8081/malzwei/ecommerce/1.1/;
	#}
	
	location /fake-shop-detector/api/1.1/ {
		#denylisting IP addresses 
		#deny 123.123.123.1;
		#limit requests per client IP per minute. allow bursts for swagger ui
		limit_req zone=one burst=20 nodelay;
		#limit number of 10 active connections per client IP address 
		limit_conn addr 10;
		
		#make sure to use docker container name here (and not 127.0.0.1 as not reachable in docker network)
		proxy_pass http://mal2-fakeshop-plugin_rest-api_server:8081/malzwei/ecommerce/1.1/;
	}

	#re-mapping routes of internal service
	location /malzwei/ecommerce/1.1/ {
		#denylisting IP addresses 
		#deny 123.123.123.0/28;
		#limit requests per client IP per minute. allow bursts for swagger ui
		limit_req zone=one burst=20 nodelay;
		#limit number of 10 active connections per client IP address 
		limit_conn addr 10;
		
        proxy_pass http://mal2-fakeshop-plugin_rest-api_server:8081/malzwei/ecommerce/1.1/;
    }
}