map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name etherpad.zinomedia.de;

    ssl_certificate /etc/letsencrypt/live/etherpad.zinomedia.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/etherpad.zinomedia.de/privkey.pem;

    # (optional) basic auth
    auth_basic "Protected";
    auth_basic_user_file /usr/share/nginx/html/etherpad.zinomedia.de/.htpasswd;

    location / {
        rewrite ^/$ / break;
        rewrite ^/locales/(.*) /locales/$1 break;
        rewrite ^/locales.json /locales.json break;
        rewrite ^/admin(.*) /admin$1 break;
        rewrite ^/p/(.*) /p/$1 break;
        rewrite ^/static/(.*) /static/$1 break;
        rewrite ^/pluginfw/(.*) /pluginfw/$1 break;
        rewrite ^/javascripts/(.*) /javascripts/$1 break;
        rewrite ^/socket.io/(.*) /socket.io/$1 break;
        rewrite ^/ep/(.*) /ep/$1 break;
        rewrite ^/minified/(.*) /minified/$1 break;
        rewrite ^/api/(.*) /api/$1 break;
        rewrite ^/ro/(.*) /ro/$1 break;
        rewrite ^/error/(.*) /error/$1 break;
        rewrite ^/jserror(.*) /jserror$1 break;
        rewrite ^/redirect(.*) /redirect$1 break;
        rewrite ^/(.*\.js) /$1 break;
        rewrite /favicon.ico /favicon.ico break;
        rewrite /robots.txt /robots.txt break;
        rewrite /(.*) /p/$1;

        proxy_pass http://etherpad:9001;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_pass_header Server;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name etherpad.zinomedia.de;
    return 301 https://$host$request_uri;
}