server {
  listen 80;
  listen 443 ssl http2;
  server_name {{ jitsi_domain }};

  ssl_certificate_key {{ jitsi_key_path }};
  ssl_certificate     {{ jitsi_cert_path }};

  include /etc/nginx/ansible_conf.d/perf.inc;
  include /etc/nginx/ansible_conf.d/force_ssl.inc;
  include /etc/nginx/ansible_conf.d/acme.inc;

  if ($request_method !~ ^(GET|POST|HEAD)$ ) {
    return 405;
  }

  add_header Strict-Transport-Security "$hsts_header";

  root {{ jitsi_root_dir }}/meet;
  index index.html;
  location ~ ^/([a-zA-Z0-9=\?]+)$ {
    rewrite ^/(.*)$ / break;
  }
  location / {
    ssi on;
  }

  # BOSH endpoint
  location /http-bind {
    proxy_socket_keepalive on;
    proxy_pass http://localhost:5280/http-bind;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;
  }

  # Websocket endpoint
  location /xmpp-websocket {
    proxy_pass http://localhost:5280/xmpp-websocket?$args;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;
    tcp_nodelay on;
  }
{% if jitsi_auth == 'sso' %}

  # SSO endpoint
  location /login {
    proxy_pass http://127.0.0.1:8888;
    proxy_set_header mail $http_mail;
    proxy_set_header displayName $http_displayname;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header Host $http_host;

    # jicofo doesn't add the Content-Type for the redirection page
    add_header Content-Type 'text/html';
  }
{% endif %}
}