pid {{ param_headless_chromium['nginx-pid-path'] }};
error_log {{ param_headless_chromium['nginx-error-log'] }};

events {
  worker_connections 1024;
}

http {
  access_log {{ param_headless_chromium['nginx-access-log'] }};

  include {{ param_headless_chromium['nginx-mime-types'] }};
  default_type application/octet-stream;

  types {
    text/html html;
    text/css css;
    application/javascript js;
  }

  server {
    listen {{ param_headless_chromium['proxy-address'] }} ssl;

    # Require username/password to access remote debugging port.
    auth_basic "Remote Debugging";
    auth_basic_user_file {{ param_headless_chromium['nginx-htpasswd-file'] }};

    # Use self-signed SSL certificate.
    ssl_certificate {{ param_headless_chromium['nginx-cert-file'] }};
    ssl_certificate_key {{ param_headless_chromium['nginx-key-file'] }};

    client_body_temp_path {{ param_headless_chromium['nginx-temp-path'] }};
    proxy_temp_path {{ param_headless_chromium['nginx-temp-path'] }};
    fastcgi_temp_path {{ param_headless_chromium['nginx-temp-path'] }};
    uwsgi_temp_path {{ param_headless_chromium['nginx-temp-path'] }};
    scgi_temp_path {{ param_headless_chromium['nginx-temp-path'] }};

    # All websocket connections are served from /devtools.
    location /devtools {
      proxy_http_version 1.1;
      proxy_set_header Host {{ param_headless_chromium['remote-debugging-address'] }};
      proxy_pass http://{{ param_headless_chromium['remote-debugging-address'] }};
      proxy_set_header Upgrade "websocket";
      proxy_set_header Connection "Upgrade";
    }

    # The DevTools frontend is served from /serve_file/@{version_hash}.
    location ~ "^\/serve_file\/@[0-9a-f]{5,40}\/(.*)" {
      alias {{ param_headless_chromium['devtools-frontend-root'] }}/$1;
    }

    location / {
      proxy_http_version 1.1;

      # The proxy must set the Host header to an IP address, since the
      # headless Chromium shell refuses to run otherwise, for security
      # reasons.
      # See https://bugs.chromium.org/p/chromium/issues/detail?id=813540.
      proxy_set_header Host {{ param_headless_chromium['remote-debugging-address'] }};
      proxy_pass http://{{ param_headless_chromium['remote-debugging-address'] }};

      # The browser security policy will prevent us from loading the
      # Websocket connection without TLS, so we have to go through the
      # frontend CDN URL. The tricky thing is that the frontend URL is
      # not available yet when this file is built; what we do instead is
      # use the given Host header.
      sub_filter "ws={{ param_headless_chromium['remote-debugging-address'] }}" "wss=$host";
      sub_filter_once on;
      sub_filter_types application/json;

      sub_filter "ws://{{ param_headless_chromium['remote-debugging-address'] }}" "wss://$host";
      sub_filter_types application/json;

      # We want to use our own DevTools frontend rather than
      # https://chrome-devtools-frontend.appspot.com. There should be a
      # --custom-devtools-frontend flag for Chromium, but it doesn't
      # seem to work with the remote debugging port.
      sub_filter "chrome-devtools-frontend.appspot.com" "$host";
      sub_filter_types *;
    }
  }
}