
# TLS settings declared at the http level and inherited by the HTTPS servers below.
# NOTE(review): the list still admits CBC-mode suites with SHA-1 MACs, static-RSA
# key exchange without forward secrecy (AES128-GCM-SHA256, AES256-SHA, ...), and the
# catch-all AES and CAMELLIA groups. DES-CBC3-SHA is listed but removed again by
# !3DES. Consider trimming to ECDHE/DHE AEAD suites if client compatibility allows.
# NOTE(review): no ssl_protocols or ssl_prefer_server_ciphers directive is visible
# here; confirm they are set elsewhere so legacy protocol versions are disabled and
# the server's suite ordering is honoured.
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!3DES';
# Diffie-Hellman parameters used by the DHE suites above.
# NOTE(review): confirm the group in this file is at least 2048 bits.
ssl_dhparam /etc/nginx/ssl/dh_params.pem;
# TLS session cache named "SSL", shared between worker processes, 10 MB in size.
ssl_session_cache shared:SSL:10m;

# Certificate and private key declared once here for the HTTPS servers in this file.
# NOTE(review): the key file should be readable only by the account that starts nginx.
ssl_certificate         /etc/nginx/ssl/skia_org.pem;
ssl_certificate_key     /etc/nginx/ssl/skia_org.key;

# Keep these marginally longer than the 600s used for the GCE HTTPS Load Balancer.
# NOTE(review): the nginx documentation notes that the connect timeout cannot
# usually exceed 75 seconds, so the 620s value may not take full effect.
proxy_connect_timeout       620s;
# Maximum gap between two successive writes to the upstream.
proxy_send_timeout          620s;
# Maximum gap between two successive reads from the upstream.
proxy_read_timeout          620s;
# Maximum gap between two successive writes to the client. Long values let idle
# clients hold connections open for over ten minutes.
send_timeout                620s;

# Include the proxied host into the combined log format.
# Adds the upstream response time and the proxied host to the usual fields.
# NOTE(review): $remote_addr is the connection's peer address; if a load balancer
# sits in front of nginx the original client address is not recorded by this
# format — confirm whether a forwarded-for field should be logged too.
log_format combined_proxy '$remote_addr - $remote_user [$time_local] '
                          '"$request" $status $body_bytes_sent '
                          '"$http_referer" "$http_user_agent" '
                          'upstream=$upstream_response_time '
                          '"$proxy_host"';

##
# Global Headers
##
# These http-level headers are inherited by a server or location only when that
# level declares no add_header of its own; any block that adds a header must
# repeat the ones it still wants. Without the `always` parameter nginx attaches
# them only to a fixed set of success and redirect status codes, so error
# responses are sent without them.
#
# Enable HSTS.
# NOTE(review): `preload` is given without `includeSubDomains`, which the browser
# preload list requires; on its own the token has no effect — confirm intent.
add_header Strict-Transport-Security "max-age=31536000; preload;";
# Enforce browser XSS protection
# (Legacy header: it only affects browsers that still ship an XSS auditor.)
add_header X-XSS-Protection "1; mode=block";
# Disable content sniffing
add_header X-Content-Type-Options "nosniff";

# Prevent clickjacking.
# NOTE(review): currently disabled. While this stays commented out, no framing
# restriction is set by the visible part of this file.
# add_header X-Frame-Options "SAMEORIGIN" always;

#####   skia.org   ################################
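# Default HTTPS server: serves skia.org and also receives any request on port 443
# whose host name matches no other server block.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl default_server;
    server_name skia.org www.skia.org;

    access_log /var/log/nginx/skia.access.log;
    error_log /var/log/nginx/skia.error.log error;

    # Send every host other than skia.org (www, unknown names) to the canonical
    # origin. The target host is a literal, so the client-supplied Host header is
    # never reflected into the Location header.
    if ( $host != 'skia.org' ) {
        rewrite ^/(.*)$ https://skia.org/$1 permanent;
    }

    location / {
        # NOTE(review): the upstream is addressed by IP over HTTPS. nginx does not
        # verify upstream certificates by default (proxy_ssl_verify is off), so
        # unless verification is enabled elsewhere this hop is encrypted but not
        # authenticated.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}

# Default plain-HTTP server (the empty name also matches requests that carry no
# Host header): permanent redirect to the canonical HTTPS origin.
server {
    listen      80 default_server;
    server_name skia.org www.skia.org "";
    return 301 https://skia.org$request_uri;
}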

#####   contest.skia.org   ###########################
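# HTTPS listener for contest.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name contest.skia.org;

    access_log /var/log/nginx/contest.access.log;
    error_log /var/log/nginx/contest.error.log error;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name contest.skia.org;
    return 301 https://contest.skia.org$request_uri;
}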

#####   gallery.skia.org   ###########################
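# HTTPS listener for gallery.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name gallery.skia.org;

    access_log /var/log/nginx/gallery.access.log;
    error_log /var/log/nginx/gallery.error.log error;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name gallery.skia.org;
    return 301 https://gallery.skia.org$request_uri;
}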

#####   perf.skia.org   ###########################
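# HTTPS listener for perf.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name perf.skia.org;

    access_log /var/log/nginx/perf.access.log;
    error_log /var/log/nginx/perf.error.log error;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name perf.skia.org;
    return 301 https://perf.skia.org$request_uri;
}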

#####   android-perf.skia.org (REDIRECT)   ###########################
# android-perf.skia.org answers on both ports with a permanent redirect to the
# same path on android-master-perf.skia.org.
server {
    server_name android-perf.skia.org;

    listen 443 ssl;
    listen 80;

    access_log /var/log/nginx/android-perf.access.log;
    error_log /var/log/nginx/android-perf.error.log error;

    # Fixed target host; only the request path and query are carried over.
    return 301 https://android-master-perf.skia.org$request_uri;
}

#####   android-master-ingest.skia.org   ###########################
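# HTTPS listener for android-master-ingest.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name android-master-ingest.skia.org;

    access_log /var/log/nginx/android-master-ingest.access.log;
    error_log /var/log/nginx/android-master-ingest.error.log error;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name android-master-ingest.skia.org;
    return 301 https://android-master-ingest.skia.org$request_uri;
}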

#####   android-master-perf.skia.org   ###########################
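# HTTPS listener for android-master-perf.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name android-master-perf.skia.org;

    access_log /var/log/nginx/android-master-perf.access.log;
    error_log /var/log/nginx/android-master-perf.error.log error;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name android-master-perf.skia.org;
    return 301 https://android-master-perf.skia.org$request_uri;
}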

#####   androidx-perf.skia.org   ###########################
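# HTTPS listener for androidx-perf.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name androidx-perf.skia.org;

    access_log /var/log/nginx/androidx-perf.access.log;
    error_log /var/log/nginx/androidx-perf.error.log error;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name androidx-perf.skia.org;
    return 301 https://androidx-perf.skia.org$request_uri;
}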

#####   gold.skia.org   ###########################
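# HTTPS listener for gold.skia.org; logged with the combined_proxy format.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name gold.skia.org;

    access_log /var/log/nginx/gold.access.log combined_proxy;
    error_log /var/log/nginx/gold.error.log error;

    # Request bodies up to 100 MB are accepted.
    client_max_body_size 100M;

    # serve hashes directly to avoid bot outages if gold.skia.org goes down
    # TODO(kjlubick): spin up a baseliner and replace this rule with that
    # (although I don't think our bots directly look at this link anyway.)
    # NOTE(review): this is a prefix match, so any path that begins with
    # /_/hashes is sent to the bucket, with the remainder of the path appended to
    # the object URL. An exact-match location would pin it to the one object.
    location /_/hashes {
      proxy_pass https://storage.googleapis.com/skia-infra-gm/hash_files/gold-prod-hashes.txt;
    }

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name gold.skia.org;
    return 301 https://gold.skia.org$request_uri;
}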

#####   public-gold.skia.org   ###########################
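# HTTPS listener for public-gold.skia.org; logged with the combined_proxy format.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name public-gold.skia.org;

    access_log /var/log/nginx/public-gold.access.log combined_proxy;
    error_log /var/log/nginx/public-gold.error.log error;

    # Request bodies up to 100 MB are accepted.
    client_max_body_size 100M;

    # Serve images directly from the diff server.
    # NOTE(review): both backends below are reached over plain HTTP; this assumes
    # the network between nginx and them is trusted — confirm.
    location /img/ {
      proxy_pass http://skia-diffserver-prod:8001;
      proxy_set_header Host $host;
    }

    location / {
        proxy_pass http://skia-gold-public:8001;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name public-gold.skia.org;
    return 301 https://public-gold.skia.org$request_uri;
}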

#####   pdfium-gold.skia.org   #####################
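# HTTPS listener for pdfium-gold.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name pdfium-gold.skia.org;

    access_log /var/log/nginx/pdfium-gold.access.log;
    error_log /var/log/nginx/pdfium-gold.error.log error;

    # Request bodies up to 100 MB are accepted.
    client_max_body_size 100M;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name pdfium-gold.skia.org;
    return 301 https://pdfium-gold.skia.org$request_uri;
}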

#####   chrome-vr-gold.skia.org   #####################
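# HTTPS listener for chrome-vr-gold.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name chrome-vr-gold.skia.org;

    access_log /var/log/nginx/chromevr-gold.access.log;
    error_log /var/log/nginx/chromevr-gold.error.log error;

    # Request bodies up to 100 MB are accepted.
    client_max_body_size 100M;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name chrome-vr-gold.skia.org;
    return 301 https://chrome-vr-gold.skia.org$request_uri;
}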

#####   afdo-chromium-roll.skia.org   ###########################
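# Both listeners for afdo-chromium-roll.skia.org answer with a fixed permanent
# redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name afdo-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/afdo-chromium-autoroll;
}
server {
    listen      80;
    server_name afdo-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/afdo-chromium-autoroll;
}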

#####   autoroll.skia.org   ###########################
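# HTTPS listener for autoroll.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name autoroll.skia.org;

    access_log /var/log/nginx/autoroll.access.log;
    error_log /var/log/nginx/autoroll.error.log error;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name autoroll.skia.org;
    return 301 https://autoroll.skia.org$request_uri;
}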

#####   autoroll-internal.skia.org   ###########################
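# autoroll-internal.skia.org: every request on either port gets a temporary
# redirect to the fixed target below.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name autoroll-internal.skia.org;

    access_log /var/log/nginx/autoroll-internal.access.log;
    error_log /var/log/nginx/autoroll-internal.error.log error;

    rewrite ^ https://skia-autoroll.corp.goog redirect;
}

server {
    listen      80;
    server_name autoroll-internal.skia.org;
    rewrite ^ https://skia-autoroll.corp.goog redirect;
}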

#####   android-master-roll.skia.org   ###########################
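# Both listeners for android-master-roll.skia.org answer with a fixed permanent
# redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name android-master-roll.skia.org;
    return 301 https://skia-autoroll.corp.goog/r/android-master-autoroll;
}
server {
    listen      80;
    server_name android-master-roll.skia.org;
    return 301 https://skia-autoroll.corp.goog/r/android-master-autoroll;
}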

#####   android-next-roll.skia.org   ###########################
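# Both listeners for android-next-roll.skia.org answer with a fixed permanent
# redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name android-next-roll.skia.org;
    return 301 https://skia-autoroll.corp.goog/r/android-next-autoroll;
}
server {
    listen      80;
    server_name android-next-roll.skia.org;
    return 301 https://skia-autoroll.corp.goog/r/android-next-autoroll;
}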


#####   android-o-roll.skia.org   ###########################
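# Both listeners for android-o-roll.skia.org answer with a fixed permanent
# redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name android-o-roll.skia.org;
    return 301 https://skia-autoroll.corp.goog/r/android-o-autoroll;
}
server {
    listen      80;
    server_name android-o-roll.skia.org;
    return 301 https://skia-autoroll.corp.goog/r/android-o-autoroll;
}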


#####   angle-chromium-roll.skia.org   ###########################
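# Both listeners for angle-chromium-roll.skia.org answer with a fixed permanent
# redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name angle-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/angle-chromium-autoroll;
}
server {
    listen      80;
    server_name angle-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/angle-chromium-autoroll;
}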


#####   angle-skia-roll.skia.org   ###########################
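# Both listeners for angle-skia-roll.skia.org answer with a fixed permanent
# redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name angle-skia-roll.skia.org;
    return 301 https://autoroll.skia.org/r/angle-skia-autoroll;
}
server {
    listen      80;
    server_name angle-skia-roll.skia.org;
    return 301 https://autoroll.skia.org/r/angle-skia-autoroll;
}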

#####   catapult-roll.skia.org   ###########################
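# Both listeners for catapult-roll.skia.org answer with a fixed permanent
# redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name catapult-roll.skia.org;
    return 301 https://autoroll.skia.org/r/catapult-autoroll;
}
server {
    listen      80;
    server_name catapult-roll.skia.org;
    return 301 https://autoroll.skia.org/r/catapult-autoroll;
}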

#####   chromite-chromium-roll.skia.org   ###########################
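# Both listeners for chromite-chromium-roll.skia.org answer with a fixed
# permanent redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name chromite-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/chromite-chromium-autoroll;
}
server {
    listen      80;
    server_name chromite-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/chromite-chromium-autoroll;
}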

#####   chromium-skia-roll.skia.org   ###########################
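# Both listeners for chromium-skia-roll.skia.org answer with a fixed permanent
# redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name chromium-skia-roll.skia.org;
    return 301 https://autoroll.skia.org/r/chromium-skia-autoroll;
}
server {
    listen      80;
    server_name chromium-skia-roll.skia.org;
    return 301 https://autoroll.skia.org/r/chromium-skia-autoroll;
}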

#####   depot-tools-chromium-roll.skia.org   ###########################
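# Both listeners for depot-tools-chromium-roll.skia.org answer with a fixed
# permanent redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name depot-tools-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/depot-tools-chromium-autoroll;
}
server {
    listen      80;
    server_name depot-tools-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/depot-tools-chromium-autoroll;
}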

#####   flutter-engine-flutter-roll.skia.org   ###########################
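# Both listeners for flutter-engine-flutter-roll.skia.org answer with a fixed
# permanent redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name flutter-engine-flutter-roll.skia.org;
    return 301 https://autoroll.skia.org/r/flutter-engine-flutter-autoroll;
}
server {
    listen      80;
    server_name flutter-engine-flutter-roll.skia.org;
    return 301 https://autoroll.skia.org/r/flutter-engine-flutter-autoroll;
}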

#####   google3-roll.skia.org   ###########################
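# google3-roll.skia.org: /json/roll is relayed upstream; every other path is a
# fixed permanent redirect.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name google3-roll.skia.org;

    access_log /var/log/nginx/google3-roll.access.log;
    error_log /var/log/nginx/google3-roll.error.log error;

    # add_header is inherited from the http level only when a level declares none
    # of its own. Because this server sets headers, the HSTS header has to be
    # repeated here as well or this host would be served without it.
    add_header Strict-Transport-Security "max-age=31536000; preload;";
    # Enforce browser XSS protection
    add_header X-XSS-Protection "1; mode=block";
    # Disable content sniffing
    add_header X-Content-Type-Options nosniff;

    location /json/roll {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
    location / {
        return 301 https://skia-autoroll.corp.goog/r/google3-autoroll;
    }
}
# Plain HTTP: fixed permanent redirect for every path, including /json/roll.
server {
    listen      80;
    server_name google3-roll.skia.org;
    return 301 https://skia-autoroll.corp.goog/r/google3-autoroll;
}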

#####   lottie-web-lottie-ci-roll.skia.org   ###########################
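# Both listeners for lottie-web-lottie-ci-roll.skia.org answer with a fixed
# permanent redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name lottie-web-lottie-ci-roll.skia.org;
    return 301 https://autoroll.skia.org/r/lottie-web-lottie-ci-autoroll;
}
server {
    listen      80;
    server_name lottie-web-lottie-ci-roll.skia.org;
    return 301 https://autoroll.skia.org/r/lottie-web-lottie-ci-autoroll;
}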

#####   nacl-roll.skia.org   ###########################
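# Both listeners for nacl-roll.skia.org answer with a fixed permanent redirect;
# the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name nacl-roll.skia.org;
    return 301 https://autoroll.skia.org/r/nacl-autoroll;
}
server {
    listen      80;
    server_name nacl-roll.skia.org;
    return 301 https://autoroll.skia.org/r/nacl-autoroll;
}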

#####   pdfium-roll.skia.org   ###########################
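# Both listeners for pdfium-roll.skia.org answer with a fixed permanent redirect;
# the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name pdfium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/pdfium-autoroll;
}
server {
    listen      80;
    server_name pdfium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/pdfium-autoroll;
}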

#####   perfetto-chromium-roll.skia.org   ###########################
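# Both listeners for perfetto-chromium-roll.skia.org answer with a fixed
# permanent redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name perfetto-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/perfetto-chromium-autoroll;
}
server {
    listen      80;
    server_name perfetto-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/perfetto-chromium-autoroll;
}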

#####   fuchsia-roll.skia.org   ###########################
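# Both listeners for fuchsia-roll.skia.org answer with a fixed permanent
# redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name fuchsia-roll.skia.org;
    return 301 https://autoroll.skia.org/r/fuchsia-autoroll;
}
server {
    listen      80;
    server_name fuchsia-roll.skia.org;
    return 301 https://autoroll.skia.org/r/fuchsia-autoroll;
}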

#####   fuchsia-sdk-chromium-roll.skia.org   ###########################
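# Both listeners for fuchsia-sdk-chromium-roll.skia.org answer with a fixed
# permanent redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name fuchsia-sdk-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/fuchsia-sdk-chromium-autoroll;
}
server {
    listen      80;
    server_name fuchsia-sdk-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/fuchsia-sdk-chromium-autoroll;
}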

#####   skcms-skia-roll.skia.org   ###########################
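# Both listeners for skcms-skia-roll.skia.org answer with a fixed permanent
# redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name skcms-skia-roll.skia.org;
    return 301 https://autoroll.skia.org/r/skcms-skia-autoroll;
}
server {
    listen      80;
    server_name skcms-skia-roll.skia.org;
    return 301 https://autoroll.skia.org/r/skcms-skia-autoroll;
}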

#####   skia-flutter-roll.skia.org   ###########################
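# Both listeners for skia-flutter-roll.skia.org answer with a fixed permanent
# redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name skia-flutter-roll.skia.org;
    return 301 https://autoroll.skia.org/r/skia-flutter-autoroll;
}
server {
    listen      80;
    server_name skia-flutter-roll.skia.org;
    return 301 https://autoroll.skia.org/r/skia-flutter-autoroll;
}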

#####   skia-lottie-ci-roll.skia.org   ###########################
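# Both listeners for skia-lottie-ci-roll.skia.org answer with a fixed permanent
# redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name skia-lottie-ci-roll.skia.org;
    return 301 https://autoroll.skia.org/r/skia-lottie-ci-autoroll;
}
server {
    listen      80;
    server_name skia-lottie-ci-roll.skia.org;
    return 301 https://autoroll.skia.org/r/skia-lottie-ci-autoroll;
}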

#####   spirv-headers-chromium-roll.skia.org   ###########################
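# Both listeners for spirv-headers-chromium-roll.skia.org answer with a fixed
# permanent redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name spirv-headers-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/spirv-headers-chromium-autoroll;
}
server {
    listen      80;
    server_name spirv-headers-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/spirv-headers-chromium-autoroll;
}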

#####   spirv-tools-chromium-roll.skia.org   ###########################
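# Both listeners for spirv-tools-chromium-roll.skia.org answer with a fixed
# permanent redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name spirv-tools-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/spirv-tools-chromium-autoroll;
}
server {
    listen      80;
    server_name spirv-tools-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/spirv-tools-chromium-autoroll;
}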

#####   src-internal-chromium-roll.skia.org   ###########################
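# Both listeners for src-internal-chromium-roll.skia.org answer with a fixed
# permanent redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name src-internal-chromium-roll.skia.org;
    return 301 https://skia-autoroll.corp.goog/r/src-internal-chromium-autoroll;
}
server {
    listen      80;
    server_name src-internal-chromium-roll.skia.org;
    return 301 https://skia-autoroll.corp.goog/r/src-internal-chromium-autoroll;
}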

#####   swiftshader-skia-roll.skia.org   ###########################
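# Both listeners for swiftshader-skia-roll.skia.org answer with a fixed
# permanent redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name swiftshader-skia-roll.skia.org;
    return 301 https://autoroll.skia.org/r/swiftshader-skia-autoroll;
}
server {
    listen      80;
    server_name swiftshader-skia-roll.skia.org;
    return 301 https://autoroll.skia.org/r/swiftshader-skia-autoroll;
}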

#####   webrtc-chromium-roll.skia.org   ###########################
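# Both listeners for webrtc-chromium-roll.skia.org answer with a fixed permanent
# redirect; the request path is not carried over.
server {
    # TLS is enabled on this listener explicitly instead of depending on another
    # server block that shares port 443.
    listen      443 ssl;
    server_name webrtc-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/webrtc-chromium-autoroll;
}
server {
    listen      80;
    server_name webrtc-chromium-roll.skia.org;
    return 301 https://autoroll.skia.org/r/webrtc-chromium-autoroll;
}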

#####   mon.skia.org   ###########################
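# HTTPS listener for mon.skia.org; requests are relayed to skia-monitoring:8000.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name mon.skia.org;

    access_log /var/log/nginx/mon.access.log;
    error_log /var/log/nginx/mon.error.log error;

    location / {
        # NOTE(review): no allow/deny or authentication directive is present at
        # this layer and the backend hop is plain HTTP; access control is
        # presumably enforced by the backend — confirm.
        proxy_pass http://skia-monitoring:8000;
        proxy_set_header Host $host;
    }
}

# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name mon.skia.org;
    return 301 https://mon.skia.org$request_uri;
}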

#####   metrics.skia.org   ###########################
# This rule allows Skolo and Golo bots to report graphite metrics over https.
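# HTTPS-only endpoint restricted by source address. No port-80 server for this
# name is defined in the visible part of the file, so plain-HTTP requests for it
# fall through to the default server.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name metrics.skia.org;

    access_log /var/log/nginx/metrics.access.log;
    error_log /var/log/nginx/metrics.error.log error;

    location / {
        proxy_pass http://skia-monitoring:10117;
        proxy_set_header Host $host;
        # Source-address allowlist; anything not listed is rejected by `deny all`.
        # NOTE(review): allow/deny compare against the connection's peer address.
        # If a load balancer or proxy sits in front of nginx, these rules only
        # work when the real client address is restored first — confirm.
        # Skolo primary public IP TODO(kjlubick) Remove after transition
        allow 216.239.33.118/32;
        # Skolo secondary public IP TODO(kjlubick) Remove after transition
        allow 216.239.33.70/32;
        # Skolo new primary public IP
        # NOTE(review): this entry admits a whole /24 rather than one address.
        allow 104.132.164.0/24;
        # Golo public IP
        allow 74.125.248.64/27;
        deny  all;
    }
}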


#####   push.skia.org   ###########################
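# HTTPS listener for push.skia.org; requests are relayed to skia-push:8000.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name push.skia.org;

    access_log /var/log/nginx/push.access.log;
    error_log /var/log/nginx/push.error.log error;

    location / {
        # NOTE(review): no allow/deny or authentication directive is present at
        # this layer and the backend hop is plain HTTP; access control is
        # presumably enforced by the backend — confirm.
        proxy_pass http://skia-push:8000;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name push.skia.org;
    return 301 https://push.skia.org$request_uri;
}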

#####   fiddle.skia.org   ###########################
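# HTTPS listener for fiddle.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name fiddle.skia.org;

    access_log /var/log/nginx/fiddle.access.log;
    error_log /var/log/nginx/fiddle.error.log error;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name fiddle.skia.org;
    return 301 https://fiddle.skia.org$request_uri;
}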

#####   fuzzer.skia.org   ###########################
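# HTTPS listener for fuzzer.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name fuzzer.skia.org;

    access_log /var/log/nginx/fuzzer.access.log;
    error_log /var/log/nginx/fuzzer.error.log error;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name fuzzer.skia.org;
    return 301 https://fuzzer.skia.org$request_uri;
}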

####   health.skia.org   ################
# Just return empty 200 responses for network load balancing health checks.
# See https://cloud.google.com/compute/docs/load-balancing/health-checks
# Plain-HTTP health endpoint: there is no 443 listener or HTTPS redirect for
# this name in this block, and every path is answered locally.
server {
    listen      80;
    server_name health.skia.org;

    access_log /var/log/nginx/health.access.log;
    error_log /var/log/nginx/health.error.log error;

    # Empty 200 for any path; nothing is proxied.
    location / {
      return 200;
    }
}

#####   status.skia.org   ###########################
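# HTTPS listener for status.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name status.skia.org;

    access_log /var/log/nginx/status.access.log;
    error_log /var/log/nginx/status.error.log error;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name status.skia.org;
    return 301 https://status.skia.org$request_uri;
}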

#####   status-internal.skia.org   ###########################
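# status-internal.skia.org: every request on either port gets a temporary
# redirect to the fixed target below.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name status-internal.skia.org;

    access_log /var/log/nginx/status-internal.access.log;
    error_log /var/log/nginx/status-internal.error.log error;

    rewrite ^ https://skia-status.corp.goog redirect;
}

server {
    listen      80;
    server_name status-internal.skia.org;
    rewrite ^ https://skia-status.corp.goog redirect;
}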

#####   status-staging.skia.org   ###########################
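# HTTPS listener for status-staging.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name status-staging.skia.org;

    access_log /var/log/nginx/status-staging.access.log;
    error_log /var/log/nginx/status-staging.error.log error;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name status-staging.skia.org;
    return 301 https://status-staging.skia.org$request_uri;
}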

#####   go.skia.org   ###########################
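# go.skia.org answers every path with a static HTML body holding the go-import
# meta tags. No port-80 server for this name is defined in the visible part of
# the file, so plain-HTTP requests for it fall through to the default server.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name go.skia.org;

    access_log /var/log/nginx/go.access.log;
    error_log /var/log/nginx/go.error.log error;

    location / {
        # Set the body's media type through the type machinery rather than with
        # add_header: add_header would send a second Content-Type header and,
        # because a level that declares its own add_header stops inheriting,
        # would also drop the http-level HSTS, X-XSS-Protection and
        # X-Content-Type-Options headers for this host. The empty types map keeps
        # a file extension in the request path from selecting a different type.
        types { }
        default_type text/html;
        return 200 '<meta name="go-import" content="go.skia.org/infra git https://skia.googlesource.com/buildbot"><meta name="go-import" content="go.skia.org/skia git https://skia.googlesource.com/skia">';
    }
}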

#####   ct.skia.org   ###########################
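# HTTPS listener for ct.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name ct.skia.org;

    access_log /var/log/nginx/ct.access.log;
    error_log /var/log/nginx/ct.error.log error;

    # Request bodies up to 50 MB are accepted.
    client_max_body_size 50M;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name ct.skia.org;
    return 301 https://ct.skia.org$request_uri;
}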

#####   skbug.com (REDIRECT)   ###########################
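# skbug.com is served over plain HTTP only and redirects to the issue tracker.
server {
    listen 80;
    server_name skbug.com;

    # Remove since we don't have a cert for skbug.com.
    # The empty value suppresses HSTS. Declaring any add_header at this level
    # also stops inheritance of the http-level headers, so the other two global
    # headers are repeated here to keep them on these responses.
    add_header Strict-Transport-Security "";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    access_log /var/log/nginx/sk-bug.access.log;
    error_log /var/log/nginx/sk-bug.error.log error;

    # A purely numeric path becomes an issue id; the capture is digits only, so
    # nothing else from the request reaches the redirect target.
    rewrite ^/([0-9]+)$ https://bugs.chromium.org/p/skia/issues/detail?id=$1 redirect;
    # Everything else goes to the issue list.
    rewrite ^ https://bugs.chromium.org/p/skia/issues/list redirect;
}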

#####   bug.skia.org (REDIRECT)   ###########################
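# bug.skia.org: redirect-only HTTPS server pointing at the issue tracker. The
# rewrite rules are evaluated in order and the first match wins.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen 443 ssl;
    server_name bug.skia.org;

    access_log /var/log/nginx/bug.access.log;
    error_log /var/log/nginx/bug.error.log error;

    # Note: nginx automatically appends the incoming query parameters to the redirect URL.
    rewrite ^/p/skia/issues/detail(/?)$ https://bugs.chromium.org/p/skia/issues/detail redirect;
    rewrite ^/p/skia/issues/list(/?)$ https://bugs.chromium.org/p/skia/issues/list redirect;
    # The trailing "?" stops the query string from being appended.
    rewrite ^/p/skia(.*) https://skia.org? redirect;
    # Digits-only capture: no other request text reaches the target URL.
    rewrite ^/([0-9]+)$ https://bugs.chromium.org/p/skia/issues/detail?id=$1 redirect;
    rewrite ^ https://bugs.chromium.org/p/skia/issues/list redirect;
}

# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen 80;
    server_name bug.skia.org;
    return 301 https://bug.skia.org$request_uri;
}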

#####   bugs.skia.org (REDIRECT)   ##########################
# (People have trouble remembering if they should type "bug" or "bugs.")
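# bugs.skia.org: redirect-only HTTPS server pointing at the issue tracker. The
# rewrite rules are evaluated in order and the first match wins.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen 443 ssl;
    server_name bugs.skia.org;

    access_log /var/log/nginx/bugs.access.log;
    error_log /var/log/nginx/bugs.error.log error;

    # Note: nginx automatically appends the incoming query parameters to the redirect URL.
    rewrite ^/p/skia/issues/detail(/?)$ https://bugs.chromium.org/p/skia/issues/detail redirect;
    rewrite ^/p/skia/issues/list(/?)$ https://bugs.chromium.org/p/skia/issues/list redirect;
    # The trailing "?" stops the query string from being appended.
    rewrite ^/p/skia(.*) https://skia.org? redirect;
    # Digits-only capture: no other request text reaches the target URL.
    rewrite ^/([0-9]+)$ https://bugs.chromium.org/p/skia/issues/detail?id=$1 redirect;
    rewrite ^ https://bugs.chromium.org/p/skia/issues/list redirect;
}

# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen 80;
    server_name bugs.skia.org;
    return 301 https://bugs.skia.org$request_uri;
}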

#####   code.skia.org (REDIRECT)   ###########################
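# code.skia.org: every request on either port gets a temporary redirect to the
# fixed repository URL below.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen 443 ssl;
    server_name code.skia.org;

    access_log /var/log/nginx/code.access.log;
    error_log /var/log/nginx/code.error.log error;

    rewrite ^ https://skia.googlesource.com/skia redirect;
}

server {
    listen 80;
    server_name code.skia.org;
    rewrite ^ https://skia.googlesource.com/skia redirect;
}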

#####   review.skia.org (REDIRECT)   ###########################
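# review.skia.org: redirect-only HTTPS server pointing at the code review site.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen 443 ssl;
    server_name review.skia.org;

    access_log /var/log/nginx/review.access.log;
    error_log /var/log/nginx/review.error.log error;

    # Note: nginx automatically appends the incoming query parameters to the redirect URL.
    # Digits-only capture: no other request text reaches the target path.
    rewrite ^/([0-9]+)$ https://skia-review.googlesource.com/c/$1/ redirect;
    rewrite ^ https://skia-review.googlesource.com redirect;
}

# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen 80;
    server_name review.skia.org;
    return 301 https://review.skia.org$request_uri;
}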

#####   reviews.skia.org (REDIRECT)   ##########################
# (People have trouble remembering if they should type "review" or "reviews.")
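# reviews.skia.org: redirect-only HTTPS server pointing at the code review site.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen 443 ssl;
    server_name reviews.skia.org;

    access_log /var/log/nginx/reviews.access.log;
    error_log /var/log/nginx/reviews.error.log error;

    # Note: nginx automatically appends the incoming query parameters to the redirect URL.
    # Digits-only capture: no other request text reaches the target path.
    rewrite ^/([0-9]+)$ https://skia-review.googlesource.com/c/$1/ redirect;
    rewrite ^ https://skia-review.googlesource.com redirect;
}

# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen 80;
    server_name reviews.skia.org;
    return 301 https://reviews.skia.org$request_uri;
}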


#####   cs.skia.org (REDIRECT)   ###########################
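# cs.skia.org: both listeners redirect to code search. A non-empty path is
# passed along as the search query; an empty path goes to the Skia directory.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen 443 ssl;
    server_name cs.skia.org;

    access_log /var/log/nginx/cs.access.log;
    error_log /var/log/nginx/cs.error.log error;

    # The target scheme, host and path are fixed; the captured request path only
    # ever lands after the "#" fragment marker.
    rewrite ^/(.+)$ https://code.google.com/p/chromium/codesearch#search/&q=$1%20file:%5Esrc/third_party/skia/&sq=package:chromium redirect;
    rewrite ^ https://code.google.com/p/chromium/codesearch#chromium/src/third_party/skia/ redirect;
}
server {
    listen 80;
    server_name cs.skia.org;
    rewrite ^/(.+)$ https://code.google.com/p/chromium/codesearch#search/&q=$1%20file:%5Esrc/third_party/skia/&sq=package:chromium redirect;
    rewrite ^ https://code.google.com/p/chromium/codesearch#chromium/src/third_party/skia/ redirect;
}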

#####   task-scheduler.skia.org   ###########################
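# HTTPS listener for task-scheduler.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name task-scheduler.skia.org;

    access_log /var/log/nginx/task-scheduler.access.log;
    error_log /var/log/nginx/task-scheduler.error.log error;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name task-scheduler.skia.org;
    return 301 https://task-scheduler.skia.org$request_uri;
}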

#####   task-scheduler-internal.skia.org   ###########################
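# task-scheduler-internal.skia.org: every request on either port gets a
# temporary redirect to the fixed target below.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name task-scheduler-internal.skia.org;

    access_log /var/log/nginx/task-scheduler-internal.access.log;
    error_log /var/log/nginx/task-scheduler-internal.error.log error;

    rewrite ^ https://skia-task-scheduler.corp.goog redirect;
}

server {
    listen      80;
    server_name task-scheduler-internal.skia.org;
    rewrite ^ https://skia-task-scheduler.corp.goog redirect;
}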

#####   task-scheduler-staging.skia.org   ###########################
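# HTTPS listener for task-scheduler-staging.skia.org; requests are relayed upstream.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name task-scheduler-staging.skia.org;

    access_log /var/log/nginx/task-scheduler-staging.access.log;
    error_log /var/log/nginx/task-scheduler-staging.error.log error;

    location / {
        # NOTE(review): nginx does not verify upstream certificates by default, so
        # this hop is unauthenticated unless proxy_ssl_verify is enabled elsewhere.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}
# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name task-scheduler-staging.skia.org;
    return 301 https://task-scheduler-staging.skia.org$request_uri;
}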

#####   prom.skia.org   ###########################
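# HTTPS listener for prom.skia.org; requests are relayed to skia-prom:8002.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name prom.skia.org;

    access_log /var/log/nginx/prom.access.log;
    error_log /var/log/nginx/prom.error.log error;

    # Request bodies up to 500 MB are accepted.
    # NOTE(review): confirm a limit this large is still needed for this host.
    client_max_body_size 500M;

    location / {
        # NOTE(review): no allow/deny or authentication directive is present at
        # this layer and the backend hop is plain HTTP; access control is
        # presumably enforced by the backend — confirm.
        proxy_pass http://skia-prom:8002;
        proxy_set_header Host $host;
    }
}

# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name prom.skia.org;
    return 301 https://prom.skia.org$request_uri;
}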

#####   webhooks.skia.org   ###########################
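# HTTPS listener for webhooks.skia.org; requests are relayed to skia-prom:8005.
server {
    # `ssl` on the listener replaces the deprecated `ssl on;` directive.
    listen      443 ssl;
    server_name webhooks.skia.org;

    access_log /var/log/nginx/webhooks.access.log;
    error_log /var/log/nginx/webhooks.error.log error;

    # Request bodies up to 500 MB are accepted.
    # NOTE(review): confirm a limit this large is still needed for this host.
    client_max_body_size 500M;

    location / {
        # NOTE(review): no allow/deny or authentication directive is present at
        # this layer and the backend hop is plain HTTP; sender verification is
        # presumably done by the backend — confirm.
        proxy_pass http://skia-prom:8005;
        proxy_set_header Host $host;
    }
}

# Plain HTTP: permanent redirect to the HTTPS origin, using a fixed host name.
server {
    listen      80;
    server_name webhooks.skia.org;
    return 301 https://webhooks.skia.org$request_uri;
}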

#####   proxy.skia.org   ###########################
#
# proxy.skia.org is different than most other rules because it matches regexs
# on the first part of the host.
#
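server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    # Anchored regex: only hosts of the form <label>proxy.skia.org match.
    server_name ~^[a-zA-Z0-9-]+proxy\.skia\.org$;

    access_log /var/log/nginx/proxy.access.log;
    error_log /var/log/nginx/proxy.error.log error;

    # Request bodies up to 500M are accepted (the nginx default is 1m).
    client_max_body_size 500M;

    location / {
        # If there are substantial changes to the following 2 lines, be sure
        # to duplicate those changes to the other places where we do
        # a proxy_pass to skia-proxy.
        # NOTE(review): this hop to skia-proxy is plain HTTP; presumably the
        # backend sits on a private network - confirm.
        proxy_pass http://skia-proxy:8000;
        proxy_set_header Host $host;
    }
}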

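server {
    listen      80;
    server_name ~^[a-zA-Z0-9-]+proxy\.skia\.org$;
    # $server_name expands to the first server_name as written in the config;
    # for a regex name that is the pattern text, not the requested host, so the
    # redirect uses $host instead. The anchored regex above limits which hosts
    # this block accepts (assuming it is not the default server for port 80 -
    # confirm), which bounds the values $host can take in the Location header.
    return 301 https://$host$request_uri;
}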

#####   power.skia.org   ###########################
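server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name power.skia.org;

    access_log /var/log/nginx/power-controller.access.log;
    error_log /var/log/nginx/power-controller.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}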
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name power.skia.org;
    return 301 https://power.skia.org$request_uri;
}

#####   leasing.skia.org   ###########################
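server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name leasing.skia.org;

    access_log /var/log/nginx/leasing.access.log;
    error_log /var/log/nginx/leasing.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}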
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name leasing.skia.org;
    return 301 https://leasing.skia.org$request_uri;
}

#####   jsdoc.skia.org   ###########################
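server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name jsdoc.skia.org;

    access_log /var/log/nginx/jsdoc.access.log;
    error_log /var/log/nginx/jsdoc.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}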
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name jsdoc.skia.org;
    return 301 https://jsdoc.skia.org$request_uri;
}

#
#
#
# Entries below here are running on skia-public
#
#
#

#####   prom2.skia.org   ###########################
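server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name prom2.skia.org;

    access_log /var/log/nginx/prom2.access.log;
    error_log /var/log/nginx/prom2.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}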
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name prom2.skia.org;
    return 301 https://prom2.skia.org$request_uri;
}

#####   grafana2.skia.org   ###########################
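server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name grafana2.skia.org;

    access_log /var/log/nginx/grafana2.access.log;
    error_log /var/log/nginx/grafana2.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}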
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name grafana2.skia.org;
    return 301 https://grafana2.skia.org$request_uri;
}

#####   debugger.skia.org   ###########################
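server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name debugger.skia.org;

    access_log /var/log/nginx/debugger.access.log;
    error_log /var/log/nginx/debugger.error.log error;

    # Request bodies up to 500M are accepted (the nginx default is 1m).
    client_max_body_size 500M;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}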
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name debugger.skia.org;
    return 301 https://debugger.skia.org$request_uri;
}
#####   debugger-assets.skia.org   ###########################
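server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name debugger-assets.skia.org;

    access_log /var/log/nginx/debugger-assets.access.log;
    error_log /var/log/nginx/debugger-assets.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}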
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name debugger-assets.skia.org;
    return 301 https://debugger-assets.skia.org$request_uri;
}

#####   legacy-debugger.skia.org   ###########################
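server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name legacy-debugger.skia.org;

    access_log /var/log/nginx/legacy-debugger.access.log;
    error_log /var/log/nginx/legacy-debugger.error.log error;

    # Request bodies up to 500M are accepted (the nginx default is 1m).
    client_max_body_size 500M;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}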
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name legacy-debugger.skia.org;
    return 301 https://legacy-debugger.skia.org$request_uri;
}

#####   skottie.skia.org   ###########################
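server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name skottie.skia.org;

    # Request bodies up to 20M are accepted (the nginx default is 1m).
    client_max_body_size 20M;

    access_log /var/log/nginx/skottie.access.log;
    error_log /var/log/nginx/skottie.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}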
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name skottie.skia.org;
    return 301 https://skottie.skia.org$request_uri;
}
#####   skottie-internal.skia.org   ###########################
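server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name skottie-internal.skia.org;

    # Request bodies up to 200M are accepted (the nginx default is 1m).
    client_max_body_size 200M;

    access_log /var/log/nginx/skottie-internal.access.log;
    error_log /var/log/nginx/skottie-internal.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}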
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name skottie-internal.skia.org;
    return 301 https://skottie-internal.skia.org$request_uri;
}
#####   named-fiddles.skia.org   ###########################
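server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name named-fiddles.skia.org;

    access_log /var/log/nginx/named-fiddles.access.log;
    error_log /var/log/nginx/named-fiddles.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}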
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name named-fiddles.skia.org;
    return 301 https://named-fiddles.skia.org$request_uri;
}
#####   am.skia.org   ###########################
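server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name am.skia.org;

    access_log /var/log/nginx/am.access.log;
    error_log /var/log/nginx/am.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}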
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name am.skia.org;
    return 301 https://am.skia.org$request_uri;
}

#####   lottie-gold.skia.org   ###########################
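server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name lottie-gold.skia.org;
    access_log /var/log/nginx/lottie-gold.access.log;
    error_log /var/log/nginx/lottie-gold.error.log error;
    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}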
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name lottie-gold.skia.org;
    return 301 https://lottie-gold.skia.org$request_uri;
}

#####   chrome-gpu-gold.skia.org   ###########################
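server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name chrome-gpu-gold.skia.org;
    access_log /var/log/nginx/chrome-gpu-gold.access.log;
    error_log /var/log/nginx/chrome-gpu-gold.error.log error;
    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}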
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name chrome-gpu-gold.skia.org;
    return 301 https://chrome-gpu-gold.skia.org$request_uri;
}

#####   staging-gold.skia.org   ###########################
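server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name staging-gold.skia.org;
    access_log /var/log/nginx/staging-gold.access.log;
    error_log /var/log/nginx/staging-gold.error.log error;
    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}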
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name staging-gold.skia.org;
    return 301 https://staging-gold.skia.org$request_uri;
}

#####   flutter-gold.skia.org   ###########################
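server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name flutter-gold.skia.org;
    access_log /var/log/nginx/flutter-gold.access.log;
    error_log /var/log/nginx/flutter-gold.error.log error;
    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}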
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name flutter-gold.skia.org;
    return 301 https://flutter-gold.skia.org$request_uri;
}


#####   jsfiddle.skia.org   ###########################
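server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name jsfiddle.skia.org;

    access_log /var/log/nginx/jsfiddle.access.log;
    error_log /var/log/nginx/jsfiddle.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}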
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name jsfiddle.skia.org;
    return 301 https://jsfiddle.skia.org$request_uri;
}

#####   task-driver.skia.org   ###########################
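server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name task-driver.skia.org;

    access_log /var/log/nginx/task-driver.access.log;
    error_log /var/log/nginx/task-driver.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}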
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name task-driver.skia.org;
    return 301 https://task-driver.skia.org$request_uri;
}

#####   ct-perf.skia.org   ###########################
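server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name ct-perf.skia.org;

    access_log /var/log/nginx/ct-perf.access.log;
    error_log /var/log/nginx/ct-perf.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}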
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name ct-perf.skia.org;
    return 301 https://ct-perf.skia.org$request_uri;
}

#####   collectd.skia.org   ###########################
# This rule allows Skolo and Golo bots to report write_http collectd info over https.
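server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name collectd.skia.org;

    access_log /var/log/nginx/collectd.access.log;
    error_log /var/log/nginx/collectd.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
        # Source-address allowlist. Rules are checked in order and the first
        # match wins, so "deny all" has to stay last.
        # NOTE(review): allow/deny compare against the connecting peer address
        # and are enforced only at this proxy; confirm that nothing in front of
        # nginx replaces the peer address and that the backend applies an
        # equivalent restriction for this host.
        # Skolo new primary public IP
        allow 104.132.164.0/24;
        # Golo public IP
        allow 74.125.248.64/27;
        deny  all;
    }
}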

#####   api.skia.org   ###########################
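server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name api.skia.org;

    access_log /var/log/nginx/api.access.log;
    error_log /var/log/nginx/api.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}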
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name api.skia.org;
    return 301 https://api.skia.org$request_uri;
}

#####   particles.skia.org   ###########################
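server {
    # "listen ... ssl" replaces the standalone "ssl on;" directive, which is
    # deprecated since nginx 1.15.0 and removed in 1.25.1.
    listen      443 ssl;
    server_name particles.skia.org;

    access_log /var/log/nginx/particles.access.log;
    error_log /var/log/nginx/particles.error.log error;

    location / {
        # Forward over HTTPS, preserving the client's Host header.
        # NOTE(review): proxy_ssl_verify defaults to off, so the backend
        # certificate is not validated on this hop; validating it needs
        # proxy_ssl_verify, proxy_ssl_trusted_certificate and proxy_ssl_name.
        proxy_pass https://35.201.76.220;
        proxy_set_header Host $host;
    }
}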
server {
    # Plain-HTTP requests are permanently redirected to the HTTPS vhost; the
    # target host is a literal and does not depend on the request's Host header.
    listen      80;
    server_name particles.skia.org;
    return 301 https://particles.skia.org$request_uri;
}
