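# Redirect http://app.humbughq.com and any other unsupported hostname
# to https://humbughq.com.
#
# We don't have a redirect for HTTPS, however.
# NOTE(review): if the port-443 server below is the only one loaded for
# that port, nginx treats it as the default and it will answer TLS
# requests for any hostname that reaches this machine.
server {
    listen 80 default_server;
    server_name app.humbughq.com;
    return 301 https://humbughq.com;
}

# Upgrade plain-HTTP requests for the supported hostnames to HTTPS,
# keeping the requested host and URI. Unmatched hostnames fall through to
# the default_server above, so $host here is one of the two listed names.
server {
    listen 80;
    server_name humbughq.com zephyr.humbughq.com;
    return 301 https://$host$request_uri;
}

server {
    # TLS is enabled on the listen socket; this replaces the standalone
    # "ssl on;" directive, which is deprecated and removed in newer nginx.
    listen 443 ssl;

    # The zephyr.humbughq.com cert uses the app.humbughq.com key.
    # It's good for https://humbughq.com too.
    ssl_certificate     /etc/ssl/certs/zephyr.humbughq.com.combined-chain.crt;
    ssl_certificate_key /etc/ssl/private/app.humbughq.com.key;
    # NOTE(review): no ssl_protocols / ssl_ciphers are set in this file, so
    # the defaults of the installed nginx apply unless they are configured
    # elsewhere (e.g. the http block) -- confirm.

    server_name humbughq.com zephyr.humbughq.com;

    access_log /var/log/nginx/humbug.access.log;
    error_log  /var/log/nginx/humbug.error.log;

    # Enable HSTS: tell browsers to always use HTTPS (max-age is about
    # six months, in seconds).
    add_header Strict-Transport-Security max-age=15768000;

    # Avoid clickjacking attacks
    add_header X-Frame-Options DENY;
    # Both headers are declared at server level. A location inherits them
    # only while it declares no add_header of its own, and without the
    # "always" parameter (nginx 1.7.5+) they are not attached to error
    # responses.

    # Serve a custom error page when the app is down
    error_page 502 503 504 /static/public/html/5xx.html;

    # Serve static files directly.
    # The location prefix and the alias path both end in "/"; keep them
    # matched so a request cannot resolve outside the aliased directory.
    location /static/ {
        alias /home/humbug/humbug/zephyr/static-access-control/;
        expires 30d;
        error_page 404 /static/public/html/404.html;
    }

    # Send longpoll requests to Tornado.
    # The pattern is anchored at the start of the URI: regex locations are
    # checked before the /static/ and / prefix locations, so an unanchored
    # pattern would hand any path merely containing one of these strings
    # to Tornado.
    location ~ ^/(json/get_updates|api/v1/get_messages) {
        proxy_pass http://localhost:9993;
        proxy_redirect off;

        # Needed for longpolling
        proxy_buffering off;
        proxy_read_timeout 1200;

        # NOTE(review): $host comes from the client's request; the backend
        # should validate it if this server is the port-443 default.
        proxy_set_header Host $host;
        # X-Real-IP is the peer address as seen by nginx. X-Forwarded-For
        # is appended to whatever the client sent, so only its last entry
        # is set by this proxy.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Send everything else to Django via FastCGI
    location / {
        include fastcgi_params;
        fastcgi_pass unix:/home/humbug/humbug/fastcgi-socket;
        # Empty script name; the whole URI is captured as the path info.
        fastcgi_split_path_info ^()(.*)$;
    }
}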