## Lines starting with two hashes (##) are comments with information.
## Lines starting with one hash (#) are configuration parameters that can be uncommented.
##
###################################
##         configuration         ##
###################################

## Redirects all HTTP traffic to the HTTPS host
server {
  listen *:80;
  server_name  {{GITLAB_REGISTRY_HOST}};
  server_tokens off; ## Don't show the nginx version number, a security best practice
  return 301 https://$http_host:$request_uri;
  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log;
  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log;
}

server {
  # If a different port is specified in https://gitlab.com/gitlab-org/gitlab-foss/blob/8-8-stable/config/gitlab.yml.example#L182,
  # it should be declared here as well
  listen *:{{GITLAB_REGISTRY_PORT}} ssl http2;
  server_name  {{GITLAB_REGISTRY_HOST}};
  server_tokens off; ## Don't show the nginx version number, a security best practice

  client_max_body_size 0;
  chunked_transfer_encoding on;

  ## Strong SSL Security
  ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
  ssl_certificate {{SSL_REGISTRY_CERT_PATH}};
  ssl_certificate_key {{SSL_REGISTRY_KEY_PATH}};

  ssl_ciphers "{{SSL_REGISTRY_CIPHERS}}";
  ssl_protocols {{SSL_REGISTRY_PROTOCOLS}};
  ssl_prefer_server_ciphers on;
  ssl_session_cache  builtin:1000  shared:SSL:10m;
  ssl_session_timeout  5m;

  access_log  {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_access.log;
  error_log   {{GITLAB_LOG_DIR}}/nginx/gitlab_registry_error.log;

  location / {
    proxy_set_header  Host              $http_host;   # required for docker client's sake
    proxy_set_header  X-Real-IP         $remote_addr; # pass on real client's IP
    proxy_set_header  X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header  X-Forwarded-Proto $scheme;
    proxy_read_timeout                  900;

    proxy_pass          {{GITLAB_REGISTRY_API_URL}};
  }

}