nginx.conf

worker_processes auto;

error_log stderr warn;

events {
    multi_accept on;
    use epoll;
    worker_connections 20000;
}

http {

    upstream legacy-member-gateway {
        server legacy-member-gateway:8080;
        keepalive 32;
    }

    upstream member-gateway {
        server member-gateway:8080;
        keepalive 32;
    }

    upstream authorization-service {
        server authorization-service:8080;
        keepalive 32;
    }

    upstream legacy-web-ui {
        server legacy-web-ui:80;
        keepalive 32;
    }

    upstream web-ui {
        server web-ui:80;
        keepalive 32;
    }

    upstream device-gateway {
        server device-gateway:8080;
        keepalive 32;
    }

    upstream subscription-service {
        server subscription-service:8080;
        keepalive 32;
    }

    upstream messaging-service {
        server messaging-service:8080;
        keepalive 32;
    }

    upstream event-dispatcher {
        server event-dispatcher:8080;
        keepalive 32;
    }

    sendfile on;
    server_tokens off;
    tcp_nodelay on;
    tcp_nopush on;
    client_max_body_size 2048M;
    client_header_timeout 5s;
    client_body_timeout 5m;

    keepalive_timeout 650;
    keepalive_requests 10000;

    ssl_certificate /etc/nginx/tls/barracks.ddns.net.crt;
    ssl_certificate_key /etc/nginx/tls/barracks.ddns.net.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    
    gzip on;
    gzip_comp_level 3;
    gzip_proxied any;
    gzip_types text/plain text/css application/json image/svg+xml application/x-javascript text/xml application/xml application/xml+rss text/javascript application/hal+json;

    proxy_http_version 1.1;

    proxy_cache_path /tmp/nginx levels=1:2 keys_zone=web_ui:50m inactive=60m;
    proxy_cache_key "$scheme$request_method$host$request_uri";

    server {
        listen 80;
        server_name _;
        return 301 https://$http_host$request_uri;
    }

    server {

        listen 443 ssl http2;
        server_name _;

        location / {
            if ($http_x_forwarded_proto = "http") {
                return 301 https://$host$request_uri;
            }
            proxy_cache web_ui;
            add_header X-Proxy-Cache $upstream_cache_status;
            include /etc/nginx/proxy_headers.conf;
            proxy_pass http://legacy-web-ui/;
        }

        location /v2/ {
            if ($http_x_forwarded_proto = "http") {
                return 301 https://$host$request_uri;
            }
            proxy_cache web_ui;
            add_header X-Proxy-Cache $upstream_cache_status;
            include /etc/nginx/proxy_headers.conf;
            proxy_pass http://web-ui/;
        }

        location /api/member/ {
            include /etc/nginx/proxy_headers.conf;
            proxy_set_header X-Forwarded-Prefix /api/member;
            proxy_pass http://legacy-member-gateway/;
        }

        location /v2/api/member/ {
            include /etc/nginx/proxy_headers.conf;
            proxy_set_header X-Forwarded-Prefix /v2/api/member;
            proxy_pass http://member-gateway/;
        }

        location /api/device/ {
            include /etc/nginx/proxy_headers.conf;
            proxy_set_header X-Forwarded-Prefix /api/device;
            proxy_pass http://device-gateway/;
            include /etc/nginx/cors_headers.conf;
        }

        location /api/auth/users/ {
            return 404;
        }

        location /api/auth/ {
            include /etc/nginx/proxy_headers.conf;
            proxy_set_header X-Forwarded-Prefix /api/auth;
            proxy_pass http://authorization-service/;
        }

        location /api/subscription/ {
            include /etc/nginx/proxy_headers.conf;
            proxy_set_header X-Forwarded-Prefix /api/subscription;
            proxy_pass http://subscription-service/;
        }

        location /api/messaging/ {
            include /etc/nginx/proxy_headers.conf;
            proxy_set_header X-Forwarded-Prefix /api/messaging;
            proxy_pass http://messaging-service/;
        }

        location /api/dispatcher/ {
            include /etc/nginx/proxy_headers.conf;
            proxy_set_header X-Forwarded-Prefix /api/dispatcher;
            proxy_pass http://event-dispatcher/;
        }

        location /nginx_status {
            stub_status on;
            access_log off;
            allow 172.0.0.0/8;
            allow 127.0.0.1;
            deny all;
        }

        add_header "X-UA-Compatible" "IE=Edge";

    }

}