include ${NGX_CONF_DIR}/common-includes/server_filters;
include ${NGX_CONF_DIR}/components/${NGX_COMP_DIR_NAME}/ssl_config;
include ${NGX_CONF_DIR}/components/${NGX_COMP_DIR_NAME}/config_override;
include ${NGX_CONF_DIR}/components/${NGX_COMP_DIR_NAME}/proxy_headers;

# Allowed methods
# Method allow-list for every location in this file: only GET, OPTIONS and POST
# are accepted. The pattern is anchored at both ends and `!~` is a
# case-sensitive match, so any other method token is rejected here.
if ($request_method !~ ^(GET|OPTIONS|POST)$) {
	# 405: Method not allowed
	return 405;
}

# Deny all access by default
# Prefix location "/" is the fallback for every URI that none of the regex
# locations below matches, so only the explicitly listed endpoints are reachable.
location / {
	# 421: Misdirected Request
	return 421;
}

#
# To identify the requests that determine the IM&P home and backup nodes for an agent,
# the binding URL must contain the query parameter '?request=onboard'.
#
# When the request arg is onboard, the request is redirected to the internal location block, which performs the substitution.
#

# IM&P HTTP Bind interface endpoint. This is configurable in IM&P.
# Change here if changed on IM&P.
# ${NGX_CHAT_BIND_PATH} is a template placeholder that ends up inside a regex;
# presumably it is a plain path segment with no regex metacharacters - verify
# against the deployment environment file.
location ~ ^/${NGX_CHAT_BIND_PATH}(/)?$ {
	
	# CORS Preflighted/OPTIONS requests - Handle from nginx itself
	# Don't let the request hit upstream to reduce load
	# NOTE(review): "Access-Control-Allow-Origin: *" together with "Authorization"
	# in Access-Control-Allow-Headers lets script on any origin send authenticated
	# requests to this endpoint. Confirm the wildcard is required; otherwise
	# restrict it to the known client origins.
	# NOTE(review): add_header directives declared at this level replace any
	# add_header inherited from outer levels, so response headers set by the
	# included server-level files (if any) are not sent on these responses.
	if ($request_method = OPTIONS) {
		add_header "Access-Control-Allow-Origin" *;
		add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS";
		add_header "Access-Control-Allow-Headers" "Content-Type, Authorization";
		add_header 'Access-Control-Max-Age' 86400;
		return 200;
	}

	# Handle GET from nginx itself to resolve cors issue for certificate acceptance
	# and to reduce load on upstream
	# The body is a fixed informational page; no Content-Type is set here, so the
	# effective default_type applies (configured elsewhere - TODO confirm it is text/html).
	# The same wildcard-origin CORS caveat as for OPTIONS above applies.
	if ($request_method = GET) {
		add_header "Access-Control-Allow-Origin" *;
		add_header "Access-Control-Allow-Methods" "GET, POST, OPTIONS";
		add_header "Access-Control-Allow-Headers" "Content-Type, Authorization";
		add_header 'Access-Control-Max-Age' 86400;
		return 200 '<html><head><title>XMPP Over BOSH</title><style type="text/css">p{font-family:Arial}</style></head><body><p>This URI is for XMPP communication via the BOSH protocol.</p><p>Please reference the following protocols:<ul><li><a href="http://xmpp.org/rfcs/rfc3920.html">RFC 3920</a>:  Extensible Messaging and Presence Protocol (XMPP): Core</li><li><a href="http://xmpp.org/rfcs/rfc3921.html">RFC 3921</a>:  Extensible Messaging and Presence Protocol (XMPP): Instant Messaging and Presence</li><li><a href="http://xmpp.org/extensions/xep-0124.html">XEP-0124</a>:  Bidirectional-streams Over Synchronous HTTP (BOSH)</li><li><a href="http://xmpp.org/extensions/xep-0206.html">XEP-0206</a>:  XMPP Over BOSH</li></ul></p></body></html>';
	}
	# Only requests that were not answered above (i.e. POST) reach this point.
	# $authorization_url is not read anywhere in this file; presumably it is
	# consumed by block_unauthorized_users.lua - confirm against the script.
	set $authorization_url ${NGX_AUTH_URL};
	
	# check for request query param with onboard and perform internal direct to internal request.
	# all substitution will be done within internal request with respect to home and backup nodes for the agent
	if ($arg_request = onboard) {
		# If request arg contains onboard, change location block to internal
		# Note: request uri changes to /internal/httpbinding if /httpbinding is the original request
		# `last` restarts location matching with the rewritten URI, which is then
		# handled by the `location ~ ^/internal` block.
		rewrite ^ /internal$uri last;
	}
	
	# logic to block unauthorized user, checks if the user requesting the finesse api is present in the system.
 	# if user is present, rewrites the url to internal/finesse/api which does the authorization through 
  	# UserAuth API, else 401 unauthorized is returned.
	# NOTE(review): the description above is taken from the original comment and
	# mentions the finesse api; the Lua script is not part of this file, so confirm
	# that it describes what the script does for this chat endpoint.
	# rewrite_by_lua_file runs at the end of the rewrite phase, i.e. after the
	# if/set/rewrite directives above regardless of where it appears in the block.
  	rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorized_users.lua;
	# An empty value stops the client's Authorization header from being passed upstream.
	# NOTE(review): because proxy_set_header is declared at this level, any
	# proxy_set_header directives inherited from outer levels (e.g. from the
	# proxy_headers include, if it defines them at server level) do not apply here.
	proxy_set_header Authorization "";


	# if request arg doesn't contain onboard, pass request to backend server specified
	# $backend and $port are not assigned in this file; presumably they are set by
	# an include or by the Lua script. NOTE(review): confirm they can never be
	# derived from client-supplied input, since they select the proxy destination.
	
	proxy_pass $scheme://$backend:$port;
	# Responses are never stored in the proxy cache and never served from it.
	proxy_no_cache 1;
	proxy_cache_bypass 1;
	# debug with below response header
	# add_header X-Client-Request "normal";
}

# below internal request is used specifically for simulating response as per reverse proxy
# The regex is not anchored at the end, so it matches every URI that starts with
# "/internal"; the `internal` directive makes the block unreachable for external
# requests, so it is only entered through an internal redirect such as the
# `rewrite ... last` in the bind-path location.
location ~ ^/internal {
    internal;
    # change request uri /internal/httpbinding back to /httpbinding original request
    # `break` keeps processing in this location with the restored URI.
    rewrite ^/internal(?<realurl>/.*)$ $realurl break;

	# logic to block unauthorized user, checks if the user requesting the finesse api is present in the system.
    # if user is present, rewrites the url to internal/finesse/api which does the authorization through 
    # UserAuth API, else 401 unauthorized is returned.
    # NOTE(review): description taken from the original comment; the Lua script is
    # not part of this file - confirm it matches the script's behaviour here.
    rewrite_by_lua_file ${NGX_LUA_DIR}/block_unauthorized_users.lua;
    # remove the authorization header since the cup server returns cors error if it is sent.
    # NOTE(review): declaring proxy_set_header at this level means proxy_set_header
    # directives from outer levels are not inherited by this location.
   	proxy_set_header Authorization "";

    # $backend and $port are not assigned in this file - presumably set by an
    # include or the Lua script; confirm they are never client-controlled.
    proxy_pass $scheme://$backend:$port;
    # Responses are never stored in the proxy cache and never served from it.
    proxy_no_cache 1;
    proxy_cache_bypass 1;

    # Perform substitution of home and back node as per reverse proxy
    # Each rule replaces one exact <hostname> element (including the single-quoted
    # xmlns attribute) naming a chat host with the same element naming its proxy
    # host, in text/xml responses (text/html is always processed as well).
    # NOTE(review): sub_filter_once defaults to "on" (first occurrence only) and
    # sub_filter does not rewrite compressed upstream bodies; confirm that
    # sub_filter_once and the upstream Accept-Encoding are handled in an include.
    sub_filter_types text/xml;
    sub_filter "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST1}</hostname>" "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST1_PROXY}</hostname>";
    sub_filter "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST2}</hostname>" "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST2_PROXY}</hostname>";
    sub_filter "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST3}</hostname>" "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST3_PROXY}</hostname>";
	sub_filter "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST4}</hostname>" "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST4_PROXY}</hostname>";
	sub_filter "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST5}</hostname>" "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST5_PROXY}</hostname>";
    sub_filter "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST6}</hostname>" "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST6_PROXY}</hostname>";
    sub_filter "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST7}</hostname>" "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST7_PROXY}</hostname>";
	sub_filter "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST8}</hostname>" "<hostname xmlns='urn:xmpp:domain-based-name:0'>${NGX_CHAT_HOST8_PROXY}</hostname>";
    # debug with below response header
    # NOTE(review): this debug header is active here, whereas its counterpart in
    # the bind-path location is commented out. It tells clients which internal
    # path served the request, and because add_header is declared at this level,
    # add_header directives from outer levels are not inherited by this location.
    # Confirm it is meant to be enabled outside debugging.
    add_header X-Client-Request "onboard";
}