upstream diode-ingester {
  server diode-ingester:8081;
}

upstream diode-reconciler {
  server diode-reconciler:8081;
}

upstream diode-auth {
  server diode-auth:8080;
}

server {
  listen 8080;
  listen [::]:8080;
  http2 on;
  server_name localhost;
  client_max_body_size 25m;

  location /auth/introspect {
    internal;
    proxy_method POST;
    proxy_pass http://diode-auth/introspect;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;
  }

  location /diode/auth {
    rewrite /diode/auth/(.*) /$1 break;
    proxy_pass http://diode-auth;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
  }

  location /diode/diode.v1.IngesterService {
    auth_request /auth/introspect;
    auth_request_set $auth_status $upstream_status;
    error_page 401 = @error401;
    error_page 403 = @error403;

    rewrite /diode/(.*) /$1 break;
    grpc_pass grpc://diode-ingester;
    grpc_set_header Host $host;
    grpc_set_header X-Real-IP $remote_addr;
    grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    grpc_set_header X-Forwarded-Proto $scheme;
  }

  location /diode/diode.v1.ReconcilerService {
    auth_request /auth/introspect;
    auth_request_set $auth_status $upstream_status;
    error_page 401 = @error401;
    error_page 403 = @error403;

    rewrite /diode/(.*) /$1 break;
    grpc_pass grpc://diode-reconciler;
    grpc_set_header Host $host;
    grpc_set_header X-Real-IP $remote_addr;
    grpc_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    grpc_set_header X-Forwarded-Proto $scheme;
  }

  location /health {
    return 200 'OK';
    add_header Content-Type text/plain;
  }

  location @error401 {
    return 401 '{"error":"unauthorized","error_description":"Authentication required"}';
  }

  location @error403 {
    return 403 '{"error":"forbidden","error_description":"Access denied"}';
  }
}