# Create a map of known attack locations
map $request_uri $block_uri {
    default 0;
    ~*/wp-.* 1;
    ~*\.env 1;
    /etc 1;
}

# m5p3nc3r webserver
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name m5p3nc3r.co.uk www.m5p3nc3r.co.uk;

    ssl_certificate /etc/letsencrypt/live/apptabulous.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apptabulous.co.uk/privkey.pem;

    if ($block_uri = 1) {
        return 403;
    }

    location / {
        proxy_pass http://rpi4-2:3000;
    }
}


# apptabulous webserver
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name apptabulous.co.uk www.apptabulous.co.uk;

    ssl_certificate /etc/letsencrypt/live/apptabulous.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apptabulous.co.uk/privkey.pem;

    if ($block_uri = 1) {
        return 403;
    }

    location / {
        proxy_pass http://rpi4-2:3001;
    }
}

# Container registry
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name hub.apptabulous.co.uk;

    ssl_certificate /etc/letsencrypt/live/apptabulous.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apptabulous.co.uk/privkey.pem;

    # disable any limits to avoid HTTP 413 for large image uploads
    client_max_body_size 0;
    
    # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
    chunked_transfer_encoding on;

    location / {
        proxy_pass http://rpi4-2:5000;
    }
}

# my-aiva.apptabulous.co.uk
# server {
#     listen 80;
#     listen [::]:80;
#     listen 443 ssl;
#     listen [::]:443 ssl;
#     server_name my-aiva.apptabulous.co.uk;

#     ssl_certificate /etc/letsencrypt/live/apptabulous.co.uk/fullchain.pem;
#     ssl_certificate_key /etc/letsencrypt/live/apptabulous.co.uk/privkey.pem;

#     if ($block_uri = 1) {
#         return 403;
#     }

#     # This must come before the / endpoint so as not to be masked
#     location /webhook {
#         proxy_pass http://my-aiva:5000;
#     }

#     location / {
#         proxy_pass http://my-aiva:3000;
#     }

# }

# Watchtower
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name watchtower.apptabulous.co.uk;

    ssl_certificate /etc/letsencrypt/live/apptabulous.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/apptabulous.co.uk/privkey.pem;

    location / {
        proxy_pass http://rpi4-2:8080;
    }
}