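# nginx virtual host template for the "msuser" site. The {{ ... }} placeholders
# (whitelist, server_name, secret) are filled in by the templating step.
#
# Layout restored to one directive per line. With the whole file on a single
# line, the first "#" comment swallows every directive and closing brace after it.

# 1 for whitelisted client addresses, 0 for everyone else.
# geo matches on $remote_addr by default. If this server sits behind another
# proxy or load balancer, that is the proxy's address -- TODO confirm.
geo $msuser_whitelist {
    default 0;
    127.0.0.1 1;{{ whitelist }}
}

# Whitelisted clients are always allowed ("1"); everyone else gets the
# secure_link verdict: "1" valid, "0" expired, "" missing or wrong hash.
# There is no default entry, so any other input maps to "" and is rejected
# as a bad hash (fails closed).
map $msuser_whitelist $msuser_allowed {
    0 $secure_link;
    1 1;
}

# Plain-HTTP listener: answers ACME challenges and redirects everything else to HTTPS.
server {
    listen 80;
    server_name {{ server_name }};

    location /.well-known/acme-challenge {
        default_type "text/plain";
        # NOTE(review): /tmp is world-writable. A local account that creates
        # /tmp/letsencrypt first controls what is served here. A dedicated
        # root-owned webroot is safer; the ACME client's webroot setting must
        # be changed to match.
        root /tmp/letsencrypt;
    }

    location / {
        # The trailing "?" stops nginx from appending the query string a second
        # time ($request_uri already contains it).
        # NOTE(review): $host can be taken from the request's Host header if
        # this block is also the default server for port 80 -- confirm.
        rewrite ^ https://$host$request_uri? permanent;
    }
}

# HTTPS listener.
# NOTE(review): no ssl_certificate, ssl_certificate_key or protocol settings
# appear in this block; presumably they are set at http level -- confirm.
# Security headers added at server level would not reach the locations below
# that declare their own add_header, because add_header is only inherited when
# the inner level has none.
server {
    listen 443 ssl http2;
    server_name {{ server_name }};
    root /var/www/msuser;

    access_log /var/log/nginx/access_msuser.log;
    error_log /var/log/nginx/error_msuser.log;

    # Public, long-lived static content (prefix matches; no token required).
    location /static {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
    }

    location /public {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
    }

    location /crossdomain {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
    }

    location /robots {
        expires 30d;
        add_header Pragma public;
        add_header Cache-Control "public";
    }

    # Token-protected files: ?st=<hash>&e=<expiry>, bound to the client address.
    location /resources {
        # NOTE(review): "if"/"return" belong to the rewrite module and are not
        # inherited by nested locations. Requests ending in .ts or .xml are
        # handled by these empty blocks and skip the 410/403 checks below.
        # If that exemption is not intended, repeat the checks inside them.
        location ~ \.ts$ {
        }

        location ~ \.xml$ {
        }

        secure_link $arg_st,$arg_e;
        # The token is only as strong as {{ secret }}: keep it long, random and
        # out of version control.
        # NOTE(review): the fields are concatenated without separators, so the
        # boundary between $uri and $arg_e is not fixed. Adding a delimiter is
        # a worthwhile hardening, but the link generator must change in the
        # same release.
        secure_link_md5 "{{ secret }}$uri$arg_e$remote_addr";

        # link expired
        if ($msuser_allowed = "0") {
            return 410;
        }

        # bad hash
        if ($msuser_allowed = "") {
            return 403;
        }
    }

    # Live streams proxied from the local streaming server, with caching.
    # NOTE(review): no secure_link check is applied in this location. The
    # trailing "?" in the rewrite drops the query string before the request is
    # proxied, and the cache key ignores arguments. As far as this file shows,
    # /streaming/ content is served without a token -- confirm this is intended
    # or enforced elsewhere.
    location /streaming/ {
        rewrite ^/streaming/(.*)$ /live/$1? break;
        proxy_pass http://localhost:1935;
        proxy_cache livecache;
        # do not consider secure urls as new files
        proxy_cache_key $scheme$proxy_host$uri;
        # only one request at a time will be allowed to populate a new cache element
        proxy_cache_lock on;
        # show if playlist or fragment has been cached from wowza
        add_header X-Cache $upstream_cache_status;
        # wowza is defining expiration headers (m3u8 is 1s, ts is 3600)
    }

    # Everything else goes to the application over a local uwsgi socket.
    location / {
        uwsgi_pass unix:///home/msuser/mstmp/uwsgi.sock;
        include /etc/nginx/uwsgi_params;
    }
}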