{{- if and (ne .Values.expose.type "ingress") .Values.expose.tls.enabled }}
{{- $scheme := (include "harbor.component.scheme" .) -}}
apiVersion: v1
kind: ConfigMap
metadata:
  name: {{ template "harbor.nginx" . }}
  labels:
{{ include "harbor.labels" . | indent 4 }}
data:
  nginx.conf: |+
    worker_processes auto;
    pid /tmp/nginx.pid;

    events {
      worker_connections 1024;
      use epoll;
      multi_accept on;
    }

    http {
      client_body_temp_path /tmp/client_body_temp;
      proxy_temp_path /tmp/proxy_temp;
      fastcgi_temp_path /tmp/fastcgi_temp;
      uwsgi_temp_path /tmp/uwsgi_temp;
      scgi_temp_path /tmp/scgi_temp;
      tcp_nodelay on;

      # this is necessary for us to be able to disable request buffering in all cases
      proxy_http_version 1.1;

      upstream core {
        server "{{ template "harbor.core" . }}:{{ template "harbor.core.servicePort" . }}";
      }

      upstream portal {
        server "{{ template "harbor.portal" . }}:{{ template "harbor.portal.servicePort" . }}";
      }

      {{- if .Values.notary.enabled }}
      upstream notary-server {
        server {{ template "harbor.notary-server" . }}:4443;
      }
      {{- end }}

      log_format timed_combined '[$time_local]:$remote_addr - '
        '"$request" $status $body_bytes_sent '
        '"$http_referer" "$http_user_agent" '
        '$request_time $upstream_response_time $pipe';

      access_log /dev/stdout timed_combined;

      {{- if .Values.notary.enabled }}
      server {
        listen 4443 ssl;
        server_tokens off;
        # ssl
        ssl_certificate /etc/nginx/cert/tls.crt;
        ssl_certificate_key /etc/nginx/cert/tls.key;

        # recommendations from https://raymii.org/s/tutorials/strong_ssl_security_on_nginx.html
        ssl_protocols tlsv1.1 tlsv1.2;
        ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:ssl:10m;

        # disable any limits to avoid http 413 for large image uploads
        client_max_body_size 0;

        # required to avoid http 411: see issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;

        location /v2/ {
          proxy_pass http://notary-server/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_buffering off;
          proxy_request_buffering off;
        }
      }
      {{- end }}

      server {
        listen 8443 ssl;
    #    server_name harbordomain.com;
        server_tokens off;
        # SSL
        ssl_certificate /etc/nginx/cert/tls.crt;
        ssl_certificate_key /etc/nginx/cert/tls.key;

        # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
        ssl_protocols TLSv1.1 TLSv1.2;
        ssl_ciphers '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES:';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;

        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;

        # Add extra headers
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
        add_header X-Frame-Options DENY;
        add_header Content-Security-Policy "frame-ancestors 'none'";

        location / {
          proxy_pass {{ $scheme }}://portal/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_cookie_path / "/; HttpOnly; Secure";

          proxy_buffering off;
          proxy_request_buffering off;
        }

        location /api/ {
          proxy_pass {{ $scheme }}://core/api/;
        {{- if and .Values.internalTLS.enabled }}
          proxy_ssl_verify        off;
          proxy_ssl_session_reuse on;
        {{- end }}
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_cookie_path / "/; Secure";

          proxy_buffering off;
          proxy_request_buffering off;
        }

        location /chartrepo/ {
          proxy_pass {{ $scheme }}://core/chartrepo/;
        {{- if and .Values.internalTLS.enabled }}
          proxy_ssl_verify        off;
          proxy_ssl_session_reuse on;
        {{- end }}
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_cookie_path / "/; Secure";

          proxy_buffering off;
          proxy_request_buffering off;
        }

        location /c/ {
          proxy_pass {{ $scheme }}://core/c/;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_cookie_path / "/; Secure";

          proxy_buffering off;
          proxy_request_buffering off;
        }

        location /v1/ {
          return 404;
        }

        location /v2/ {
          proxy_pass {{ $scheme }}://core/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_buffering off;
          proxy_request_buffering off;
        }

        location /service/ {
          proxy_pass {{ $scheme }}://core/service/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_cookie_path / "/; Secure";

          proxy_buffering off;
          proxy_request_buffering off;
        }

      location /service/notifications {
          return 404;
        }
      }
        server {
          listen 8080;
          #server_name harbordomain.com;
          return 301 https://$host$request_uri;
      }
    }
{{- end }}