lua_ssl_verify_depth        2;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

ssl_certificate_by_lua_file lua/ssl.lua;

set $cpanel_protection 0;

set $proxy_part '';
if ($append_port) {
    set $proxy_part :$destination_port;
}

set $trust_ezoic 0;

rewrite_by_lua_file lua/accesscheck.lua;

set $backend_dest $server_addr;

if ($backend_dest ~ "^[a-fA-F0-9:]+$") {
    set $backend_dest [$backend_dest];
}

location = /selfcheck {
    allow 127.0.0.1;
    allow ::1;
    deny all;
    access_log off;
    add_header "Content-Type" "text/plain";
    return 200 "healthy:${msec}\n";
}

location @to_static {
    root                html/captcha;
    try_files $uri /a9bc224bd710f56d27affffddc764239b58c3faa0/shield.png;
}

location @by_default {
    proxy_http_version 1.1;
    proxy_set_header Host $host$proxy_part;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header Upgrade $http_upgrade;
    # Wafd is responsible for setting this header after it became hidden
    proxy_hide_header Upgrade;
    proxy_bind $bind_target;
    proxy_pass $scheme://$backend_dest:$destination_port;
}

location / {
     access_by_lua_file  lua/reqrouter.lua;
}

location @to_backend {
    access_by_lua_block {
        local xff = ngx.var.http_x_forwarded_for
        if not xff or ngx.var.remote_proxy == "0" then
            ngx.req.set_header("X-Forwarded-For", ngx.var.wsuserip)
        else
            ngx.req.set_header("X-Forwarded-For", xff .. ", " .. ngx.var.remote_addr)
        end
    }
    header_filter_by_lua_block {
        local upgrade_hdr = ngx.var.http_upgrade
        if upgrade_hdr == "websocket" then
            ngx.header["Upgrade"] = upgrade_hdr
        else
            ngx.header["Upgrade"] = nil
        end
    }
    proxy_set_header   Host $host$proxy_part;
    proxy_set_header   X-Real-IP $wsuserip;
    proxy_set_header   X-Remote-IP $remote_addr;
    proxy_set_header   Upgrade $http_upgrade;
    expires            off;
    proxy_http_version 1.1;
    proxy_set_header   Connection $connection_upgrade;
    include            /etc/imunify360-webshield/webshield-backend.conf.d/*.conf;
    proxy_bind         $bind_target;
    proxy_pass         $scheme://catchall;
}

location @to_captcha {
    include             /etc/imunify360-webshield/invisible-captcha.conf;
    root                html/captcha;
    default_type        text/html;
    add_header Last-Modified $date_gmt;
    add_header Cache-Control 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0, s-maxage=0';
    add_header cf-edge-cache no-cache;
    add_header Expires 'Thu, 01 Jan 1970 00:00:01 GMT';
    if_modified_since   off;
    expires             off;
    etag                off;
    keepalive_timeout   0;
    include             /etc/imunify360-webshield/webshield-captcha.conf.d/*.conf;
    content_by_lua_file lua/captcha.lua;
}

location @to_splashscreen {
    root                html/splashscreen;
    default_type        text/html;
    add_header Last-Modified $date_gmt;
    add_header Cache-Control 'private, no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0, s-maxage=0';
    add_header cf-edge-cache no-cache;
    if_modified_since   off;
    expires             off;
    etag                off;
    keepalive_timeout   0;
    include             /etc/imunify360-webshield/webshield-splashscreen.conf.d/*.conf;
    content_by_lua_file lua/splashscreen.lua;
}

location @to_wsidchk {
    content_by_lua_file lua/wsidchk.lua;
}