user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
  worker_connections 768;
  # multi_accept on;
}

http {
  ssl_session_cache   shared:SSL:10m;
  ssl_session_timeout 10m;
  
  upstream aftok-server {
      server aftok-server:8000;
  }

  server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
  }

  server {
    listen 443 ssl default_server;
    server_name aftok.com;

    ssl_certificate           /etc/letsencrypt/live/aftok.com/fullchain.pem;
    ssl_certificate_key       /etc/letsencrypt/live/aftok.com/privkey.pem;

    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_prefer_server_ciphers on;

    access_log            /var/log/nginx/access.log;

    location / {
      include /etc/nginx/mime.types;
      alias /opt/static/site/;
      index index.html;
    }

    location /.well-known/ {
      allow all;
      alias /opt/static/well-known/;
    }

    location /.well-known/acme-challenge/ {
      allow all;
      alias /opt/letsencrypt/;
    }

    location /app/ {
      include /etc/nginx/mime.types;
      alias /opt/static/app/;
      index index.html;
    }

    location /api/ {
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;

      # Fix the “It appears that your reverse proxy set up is broken" error.
      proxy_pass              http://aftok-server/;
      proxy_read_timeout      90;

      proxy_redirect          http://aftok-server https://$host:$server_port/;
    }
  }
}