listen      80;
charset     utf-8;
access_log  /var/log/nginx/enketo.access.log;
error_log   /var/log/nginx/enketo.error.log;

# max upload size
client_max_body_size 75M;

# Serve locations containing 'submission' or 'formList' via HTTP without
# further ado, since ODK Collect makes requests containing those terms and
# does not support any kind of redirection.
location ~ (submission|formList) {
   uwsgi_pass enketo;
   include /etc/nginx/uwsgi_params;
}

# Redirect all other requests to HTTPS
location / {
   return 301 https://$server_name$request_uri;
}

# or comment block above and uncomment line below if you cant use http-to-https redirection
#include /etc/nginx/kc_include.conf;

listen      443 ssl;
charset     utf-8;
access_log  /var/log/nginx/enketo.access.log;
error_log   /var/log/nginx/enketo.error.log;

# max upload size
client_max_body_size 75M;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ssl_ciphers prevents Forward Secrecy; requires >ie6/winxp
# DHE-RSA-AES128-SHA provides Android 2.3 compatibility. No need
# to add it again to the kf.kobotoolbox.org configuration;
# old Android doesn't support SNI and would never see it there.
ssl_ciphers 'AES256+EECDH:AES256+EDH:DHE-RSA-AES128-SHA';

include /etc/nginx/enketo_include.conf;

location /static {
   alias /srv/www/enketo;
}

location / {
    if ($maintenance = "yes") {
        rewrite .* http://enketo.unhcr.dev;
    }
    proxy_pass http://enketo;
    include /etc/nginx/proxy_params;
}

upstream enketo {
    server 172.17.42.1:8005;
}

server {
    include /etc/nginx/enketo_http.conf;
    server_name enketo.unhcr.dev;
}

server {
    include /etc/nginx/enketo_https.conf;
    server_name enketo.unhcr.dev;
    ssl_certificate /etc/nginx/ssl.crt;
    ssl_certificate_key /etc/nginx/ssl.key;
}