proxy_cache_path /www/cache levels=1:2 keys_zone=takahe:20m inactive=14d max_size=1g;

upstream neodb {
    server ${NEODB_WEB_SERVER};
}

upstream takahe {
    server ${TAKAHE_WEB_SERVER};
}

server {
    listen         8000;

    charset utf-8;
    ignore_invalid_headers on;
    client_max_body_size 100M;
    client_body_buffer_size 128k;
    proxy_connect_timeout 900;
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-Proto https;
    proxy_http_version 1.1;
    proxy_hide_header X-Takahe-User;
    proxy_hide_header X-Takahe-Identity;

    # make jsdelivr available locally
    location /jsdelivr/ {
        rewrite /jsdelivr/(.*) /$1;
        set $takahe_realuri https://cdn.jsdelivr.net$uri;
        rewrite ^/(.+) /__takahe_accel__/real/;
    }
    # allow admin to serv their own robots.txt/favicon.ico/...
    location ~ ^/\w+\.\w+$ {
        root /www/root;
        access_log off;
        log_not_found off;
    }
    location /m/ {
        alias /www/m/;
        add_header Cache-Control "public, max-age=604800, immutable";
    }
    # backwards compatibility with versions before 2023.11
    location ~* ^/media/(album|book|game|item|movie)/(.+)$ {
        return 302 https://$host/m/$1/$2;
    }
    # Proxies media and remote media with caching
    location ~* ^/(media|proxy) {
        # Cache media and proxied resources
        proxy_cache takahe;
        proxy_cache_key $host$uri;
        proxy_cache_valid 200 304 4h;
        proxy_cache_valid 301 307 4h;
        proxy_cache_valid 500 502 503 504 0s;
        proxy_cache_valid any 1h;
        add_header X-Cache $upstream_cache_status;

        # Signal to Takahē that we support full URI accel proxying
        proxy_set_header X-Takahe-Accel true;
        proxy_pass http://takahe;
    }
    # Internal target for X-Accel redirects that stashes the URI in a var
    location /__takahe_accel__/ {
        internal;
        set $takahe_realuri $upstream_http_x_takahe_realuri;
        rewrite ^/(.+) /__takahe_accel__/real/;
    }
    # Real internal-only target for X-Accel redirects
    location /__takahe_accel__/real/ {
        # Only allow internal redirects
        internal;

        # Reconstruct the remote URL
        resolver 9.9.9.9 8.8.8.8 valid=300s;

        # Unset Authorization and Cookie for security reasons.
        proxy_set_header Authorization '';
        proxy_set_header Cookie '';
        proxy_set_header User-Agent 'takahe/nginx';
        proxy_set_header Host $proxy_host;
        proxy_set_header X-Forwarded-For '';
        proxy_set_header X-Forwarded-Host '';
        proxy_set_header X-Forwarded-Server '';
        proxy_set_header X-Real-Ip '';

        # Stops the local disk from being written to (just forwards data through)
        proxy_max_temp_file_size 0;

        # Proxy the remote file through to the client
        proxy_pass $takahe_realuri;
        proxy_ssl_server_name on;
        add_header X-Takahe-Accel "HIT";

        # Cache these responses too
        proxy_cache takahe;
        # Cache after a single request
        proxy_cache_min_uses 1;
        proxy_cache_key $takahe_realuri;
        proxy_cache_valid 200 304 720h;
        proxy_cache_valid 301 307 12h;
        proxy_cache_valid 500 502 503 504 0s;
        proxy_cache_valid any 72h;
        add_header X-Cache $upstream_cache_status;
    }
    location ~* ^/(static|@|\.well-known|actor|inbox|api/v1|api/v2|oauth|tags|settings|media|proxy|admin|djadmin|pages|about|impressum) {
        proxy_pass  http://takahe;
    }
    location / {
        proxy_pass  http://neodb;
    }
}