map $http_upgrade $connection_upgrade {
  default upgrade;
  '' close;
}
upstream websocket {
    server espocrm.container.ip:8080;
}

server {
        listen 8080;

        location / {
            proxy_pass http://websocket;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }

server {
    listen 80;
    server_name espocrm.mydns.com;
    set $upstream espocrm.container.ip;
    server_tokens off;

    location / {
      server_tokens off;
      proxy_hide_header X-Powered-By;
      proxy_hide_header access-control-allow-methods;

      proxy_pass_header Authorization;
      proxy_pass http://$upstream;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Frame-Options deny;

      proxy_set_header X-XSS-Protection "1; mode=block";
      proxy_set_header X-Frame-Options "SAMEORIGIN always";
      proxy_set_header X-Content-Type-Options "nosniff";
      proxy_set_header Referrer-Policy "no-referrer-when-downgrade";
      proxy_set_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
      proxy_set_header Content-Security-Policy "frame-ancestors http://*.mydns.com";
      
      proxy_http_version 1.1;
      proxy_set_header Connection "";
      proxy_buffering off;
      client_max_body_size 0;
      proxy_read_timeout 36000s;
      proxy_redirect off;

      #proxy_intercept_errors on;
      #include /etc/nginx/error_page.conf;

     # allow localIP/24; only allow local IP
     # include /etc/nginx/ip4-belgium.conf; only allow belgium IP
     # deny all;

    }

    location /wss {
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 12h;
    }
    location /ws {
        proxy_pass http://websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 12h;
    }

    location ^~ /data/ {
        deny all;
    }

    location ^~ /install/ {
        deny all;
    }

    location ^~ /application/ {
        deny all;
    }
    location ^~ /custom/ {
        deny all;
    }
    location ^~ /favicon.ico { access_log off; log_not_found off; }
    location ^~ /robots.txt  { access_log off; log_not_found off; }

}