upstream rmt {
    server 127.0.0.1:4224;
}

server {
    listen 443   ssl;
    server_name rmt;

    access_log  /var/log/nginx/rmt_https_access.log;
    error_log   /var/log/nginx/rmt_https_error.log;
    root        /usr/share/rmt/public;

    ssl_certificate     /etc/rmt/ssl/rmt-server.crt;
    ssl_certificate_key /etc/rmt/ssl/rmt-server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    include /etc/nginx/rmt-auth*.d/auth-location*.conf;

    location / {
        try_files $uri/index.html $uri.html $uri @rmt_app;
        autoindex off;
    }

    location /repo {
        autoindex on;
        include /etc/nginx/rmt-auth*.d/auth-handler*.conf;
    }

    location @rmt_app {
        proxy_pass          http://rmt;
        proxy_redirect      off;
        proxy_read_timeout  600;

        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # An alias to RMT CA certificate, so that it can be downloaded to client machines.
    location /rmt.crt {
        alias /etc/rmt/ssl/rmt-ca.crt;
    }
}