user                    nginx;
error_log               /var/log/nginx/error.log debug;
pid                     /var/run/nginx.pid;
worker_processes        auto;
worker_rlimit_nofile    33282;

events {
  worker_connections  1024;
}

http {
  # rate limiting
  limit_req_status 429;
  limit_req_zone $binary_remote_addr zone=ratelimit:10m rate=${PROXY_RATE_LIMIT_API_PER_SECOND}r/s;
  limit_req_zone $binary_remote_addr zone=webhooks:10m rate=${PROXY_RATE_LIMIT_WEBHOOKS_PER_SECOND}r/s;

  include       /etc/nginx/mime.types;
  default_type  application/octet-stream;
  proxy_set_header Host $host;
  charset utf-8;
  sendfile on;
  tcp_nopush on;
  tcp_nodelay on;
  server_tokens off;
  types_hash_max_size 2048;
  resolver ${RESOLVER} valid=10s ipv6=off;

  # buffering
  client_header_buffer_size 1k;
  client_max_body_size 20M;
  ignore_invalid_headers off;
  proxy_buffering off;

  log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" '
                    'response_time=$upstream_response_time proxy_host=$proxy_host upstream_addr=$upstream_addr';

  access_log /var/log/nginx/access.log main;

  map $http_upgrade $connection_upgrade {
    default     "upgrade";
  }

  server {
    listen       10000 default_server;
    listen  [::]:10000 default_server;
    server_name  _;
    client_max_body_size 1000m;
    ignore_invalid_headers off;
    proxy_buffering off;

    set $csp_default "default-src 'self'";
    set $csp_script "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://*.budibase.net https://cdn.budi.live https://js.intercomcdn.com https://widget.intercom.io";
    set $csp_style "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net https://fonts.googleapis.com https://rsms.me https://maxcdn.bootstrapcdn.com";
    set $csp_object "object-src 'none'";
    set $csp_base_uri "base-uri 'self'";
    set $csp_connect "connect-src 'self' https://*.budibase.app https://*.budibaseqa.app https://*.budibase.net https://api-iam.intercom.io https://api-iam.intercom.io  https://api-ping.intercom.io https://app.posthog.com wss://nexus-websocket-a.intercom.io  wss://nexus-websocket-b.intercom.io https://nexus-websocket-a.intercom.io https://nexus-websocket-b.intercom.io  https://uploads.intercomcdn.com  https://uploads.intercomusercontent.com https://*.amazonaws.com https://*.s3.amazonaws.com https://*.s3.us-east-2.amazonaws.com https://*.s3.us-east-1.amazonaws.com https://*.s3.us-west-1.amazonaws.com https://*.s3.us-west-2.amazonaws.com https://*.s3.af-south-1.amazonaws.com https://*.s3.ap-east-1.amazonaws.com https://*.s3.ap-southeast-3.amazonaws.com https://*.s3.ap-south-1.amazonaws.com https://*.s3.ap-northeast-3.amazonaws.com https://*.s3.ap-northeast-2.amazonaws.com https://*.s3.ap-southeast-1.amazonaws.com https://*.s3.ap-southeast-2.amazonaws.com https://*.s3.ap-northeast-1.amazonaws.com https://*.s3.ca-central-1.amazonaws.com https://*.s3.cn-north-1.amazonaws.com https://*.s3.cn-northwest-1.amazonaws.com https://*.s3.eu-central-1.amazonaws.com https://*.s3.eu-west-1.amazonaws.com https://*.s3.eu-west-2.amazonaws.com https://*.s3.eu-south-1.amazonaws.com https://*.s3.eu-west-3.amazonaws.com https://*.s3.eu-north-1.amazonaws.com https://*.s3.sa-east-1.amazonaws.com https://*.s3.me-south-1.amazonaws.com https://*.s3.us-gov-east-1.amazonaws.com https://*.s3.us-gov-west-1.amazonaws.com https://api.github.com";    
    set $csp_font "font-src 'self' data: https://cdn.jsdelivr.net https://fonts.gstatic.com https://rsms.me https://maxcdn.bootstrapcdn.com  https://js.intercomcdn.com  https://fonts.intercomcdn.com";
    set $csp_frame "frame-src 'self' https:";
    set $csp_img "img-src http: https: data: blob:";
    set $csp_manifest "manifest-src 'self'";
    set $csp_media "media-src 'self' https://js.intercomcdn.com https://cdn.budi.live"; 
    set $csp_worker "worker-src 'none'";

    error_page 502 503 504 /error.html;
    location = /error.html {
      root /usr/share/nginx/html;
      internal;
    }

    # Security Headers
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Content-Security-Policy "${csp_default}; ${csp_script}; ${csp_style}; ${csp_object}; ${csp_base_uri}; ${csp_connect}; ${csp_font}; ${csp_frame}; ${csp_img}; ${csp_manifest}; ${csp_media}; ${csp_worker};" always;

    # upstreams
    set $apps ${APPS_UPSTREAM_URL};
    set $worker ${WORKER_UPSTREAM_URL};
    set $minio ${MINIO_UPSTREAM_URL};
    set $couchdb ${COUCHDB_UPSTREAM_URL};
    set $watchtower ${WATCHTOWER_UPSTREAM_URL};

    location /health {
      access_log off;
      add_header 'Content-Type' 'application/json';
      return 200 '{ "status": "OK" }';
    }

    location /app {
      proxy_pass      $apps;
    }

    location /embed {
      rewrite /embed/(.*) /app/$1  break;
      proxy_pass         $apps;
      proxy_redirect     off;
      proxy_set_header   Host $host;
      proxy_set_header   x-budibase-embed "true";
      add_header x-budibase-embed "true";
      add_header Content-Security-Policy "frame-ancestors *";
    }

    location = / {
      proxy_pass      $apps;
    }

    location = /v1/update {
      proxy_pass      $watchtower;
    }

    location ~ ^/(builder|app_) {
      proxy_http_version  1.1;

      proxy_set_header    Connection          $connection_upgrade;
      proxy_set_header    Upgrade             $http_upgrade;
      proxy_set_header    X-Real-IP           $remote_addr;
      proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
      proxy_set_header    Host                $host;

      proxy_pass      $apps;
    }

    location ~ ^/api/(system|admin|global)/ {
      proxy_set_header    Host                $host;
      proxy_pass      $worker;
    }

    location /worker/ {
      proxy_set_header    Host                $host;
      proxy_pass      $worker;
      rewrite ^/worker/(.*)$ /$1 break;
    }

    location /api/backups/ {
      # calls to export apps are limited
      limit_req zone=ratelimit burst=20 nodelay;

      # 1800s timeout for app export requests
      proxy_read_timeout 1800s;
      proxy_connect_timeout 1800s;
      proxy_send_timeout 1800s;

      proxy_http_version 1.1;
      proxy_set_header    Connection          $connection_upgrade;
      proxy_set_header    Upgrade             $http_upgrade;
      proxy_set_header    X-Real-IP           $remote_addr;
      proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;

      proxy_pass      $apps;
    }

    location /api/ {
      # calls to the API are rate limited with bursting
      limit_req zone=ratelimit burst=20 nodelay;

      # 120s timeout on API requests
      proxy_read_timeout 120s;
      proxy_connect_timeout 120s;
      proxy_send_timeout 120s;

      proxy_http_version  1.1;
      proxy_set_header    Connection          $connection_upgrade;
      proxy_set_header    Upgrade             $http_upgrade;
      proxy_set_header    X-Real-IP           $remote_addr;
      proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
      proxy_set_header    Host                $host;

      proxy_pass      $apps;
    }

    location /api/webhooks/ {
      # calls to webhooks are rate limited
      limit_req zone=webhooks nodelay;

      # Rest of configuration copied from /api/ location above
      # 120s timeout on API requests
      proxy_read_timeout 120s;
      proxy_connect_timeout 120s;
      proxy_send_timeout 120s;

      proxy_http_version  1.1;
      proxy_set_header    Connection          $connection_upgrade;
      proxy_set_header    Upgrade             $http_upgrade;
      proxy_set_header    X-Real-IP           $remote_addr;
      proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
      proxy_set_header    Host                $host;

      proxy_pass      $apps;
    }

    location /db/ {
      proxy_pass      $couchdb;
      rewrite ^/db/(.*)$ /$1 break;
    }

    location /socket/ {
      proxy_http_version  1.1;
      proxy_set_header    Upgrade     $http_upgrade;
      proxy_set_header    Connection  'upgrade';
      proxy_set_header    Host        $host;
      proxy_cache_bypass  $http_upgrade;
      proxy_pass      $apps;
    }

    location / {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header Host $http_host;

      proxy_connect_timeout 300;
      proxy_http_version 1.1;
      proxy_set_header Connection "";
      chunked_transfer_encoding off;

      proxy_pass      $minio;
    }

    location /files/signed/ {
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;

      # IMPORTANT: Signed urls will inspect the host header of the request.
      # Normally a signed url will need to be generated with a specified client host in mind.
      # To support dynamic hosts, e.g. some unknown self-hosted installation url,
      # use a predefined host header. The host 'minio-service' is also used at the time of url signing.
      proxy_set_header Host minio-service;

      proxy_connect_timeout 300;
      proxy_http_version 1.1;
      proxy_set_header Connection "";
      chunked_transfer_encoding off;

      proxy_pass      $minio;
      rewrite ^/files/signed/(.*)$ /$1 break;
    }

    client_header_timeout 120;
    client_body_timeout   120;
    keepalive_timeout     120;

    # gzip
    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css text/xml application/json application/javascript application/rss+xml application/atom+xml image/svg+xml;
  }
}