server {
    allow ::1/128;
    allow 127.0.0.1/32;
    # Wieske
    allow 172.31.17.128/25;
    allow 212.12.51.128/28;
    allow 2a00:14b0:42:100::/56; #Neues v6 gerouted via neuem Router
    allow 2a00:14b0:4200:3000::/64; #Bei Wieske
    allow 2a00:14b0:f000:23::/64; #CCCHH v6 bei Wieske, geroutet über turing
    # Z9
    allow 2a07:c480:0:100::/56;
    allow 2a07:c481:1::/48;
    # fuxnoc
    allow 2a07:c481:0:1::/64;
    deny all;

    listen [::]:443 ssl;
    listen 172.31.17.145:443 ssl;
    http2 on;

    server_name metrics.hamburg.ccc.de;

    client_body_buffer_size 32k;

    ssl_certificate /etc/letsencrypt/live/metrics.hamburg.ccc.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/metrics.hamburg.ccc.de/privkey.pem;
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/letsencrypt/live/metrics.hamburg.ccc.de/chain.pem;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    auth_basic  "metrics";
    auth_basic_user_file metrics.htpasswd;

    location /api/v1/write {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Port 3100;
        # This is https in any case.
        proxy_set_header X-Forwarded-Proto https;

        proxy_pass http://127.0.0.1:9090;
    }

    location /ready {
        rewrite ^ /-/ready break;

        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # This is https in any case.
        proxy_set_header X-Forwarded-Proto https;

        proxy_pass http://127.0.0.1:9090;
    }
}