# HTTP -> HTTPS
server {
  listen 80;
  server_name {{ immich_domain }};

  return 301 https://$host$request_uri;
}

# Immich HTTPS reverse proxy
server {
  listen 443 ssl http2;
  server_name {{ immich_domain }};

  client_max_body_size {{ immich_nginx_client_max_body_size | default('10G') }};

  ssl_certificate /etc/letsencrypt/live/{{ immich_domain }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ immich_domain }}/privkey.pem;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers off;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 1d;

  location / {
    proxy_pass http://127.0.0.1:{{ immich_host_http_port }};

    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    proxy_set_header Upgrade           $http_upgrade;
    proxy_set_header Connection        "upgrade";

    proxy_read_timeout 3600;
    proxy_send_timeout 3600;
    proxy_request_buffering off;
    proxy_buffering off;
  }
}