worker_processes  1;
pid /var/run/nginx.pid;
error_log /dev/stdout info;
daemon off;

events {
    worker_connections 1024;
}

http {
    include             mime.types;
    default_type        application/octet-stream;
    sendfile            on;
    keepalive_timeout   65;
    proxy_read_timeout  1200;
    gzip                on;
    gzip_disable        "msie6";

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Ingress
    server {
        listen 8099 default_server;

        allow   172.30.32.2;
        deny    all;

        server_name _;
        access_log /dev/stdout combined;

        client_max_body_size 4G;
        keepalive_timeout 5;

        root /dev/null;

        location /websocket {
            proxy_pass http://127.0.0.1:8081;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

        location / {
            proxy_pass http://127.0.0.1:40850;
            proxy_redirect default;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;

            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Host $http_host;
            proxy_set_header X-NginX-Proxy true;

            sub_filter_once off;
            sub_filter_types *;
            
            # Disable Discovery from Dresden
            sub_filter 'phoscon.de/discover' 'phoscon.de/discover_disable';
            sub_filter 'dresden-light.appspot.com/discover' 'dresden-light.appspot.com/discover_disable';
            sub_filter 'queryDresdenDiscovery(url){' 'queryDresdenDiscovery(url){ return Promise.resolve([]);';

            # Do not probe our subnets from Ingress
            sub_filter 'probeSubnet(ip) {' 'probeSubnet(ip) { throw new Error(\'avail\');';

            # Prevent unauthenticated requests to go to Home Assistant, triggering IP bans
            sub_filter '/api/config?_=\' + Date.now()' '%%ingress_entry%%/api/config?_=\' + Date.now()';

            # Stop guessing URL's
            sub_filter 'if (err === \'avail\')' 'if (err === \'avail\' && false)';

            # Correctly handle redirect to login
            sub_filter 'window.location.href = \'/pwa/login.html\';' 'window.location.href = \'%%ingress_entry%%/pwa/login.html\';';

            # Patch Websocket support
            sub_filter 'WebSocket(prot+host+":"+port)' 'WebSocket(prot+window.location.host+\'%%ingress_entry%%/websocket\')';

            # The Manifest is useless and causes unneeded failing requests @ the Home Assistant server
            sub_filter '<link rel="manifest" href="/pwa/manifest.json">' '';
        }
    }
}