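# Plain-HTTP entry point: everything except what the included ACME snippet
# handles is redirected to HTTPS.
server {
    listen 80;
    listen [::]:80;

    server_name karta.klimatanalysnorr.se hel01.guilhem.se;

    # Presumably serves the ACME challenge path for lacme; contents not shown here.
    include /etc/lacme/nginx.conf;

    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log warn;

    location / {
        # $host is taken from the request, so the redirect target follows the
        # Host header.
        # NOTE(review): if this block is also the default server for port 80,
        # requests for unlisted names are redirected to the name they sent;
        # confirm a separate default_server exists or that this is acceptable.
        return 301 https://$host$request_uri;
    }
}

# Secondary host name: redirect to the canonical name over HTTPS.
server {
    # "ssl" is a per-socket listen option, so this block already inherited TLS
    # from the default_server on the same socket; it is stated explicitly so
    # the block never serves plaintext on 443 if loaded without the other one.
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name hel01.guilhem.se;

    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log warn;

    ssl_certificate     /etc/nginx/ssl/webmap.rsa.pem;
    ssl_certificate_key /etc/nginx/ssl/webmap.rsa.key;
    include snippets/ssl.conf;

    location / {
        return 303 https://karta.klimatanalysnorr.se$request_uri;
    }
}

# Canonical site: static web map, tiles, and one uwsgi-backed query endpoint.
server {
    listen 443      ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    server_name karta.klimatanalysnorr.se;

    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log warn;

    ssl_certificate     /etc/nginx/ssl/webmap.rsa.pem;
    ssl_certificate_key /etc/nginx/ssl/webmap.rsa.key;
    include snippets/ssl.conf;

    root /var/www/webmap;
    index index.html;

    # Server-level defaults. nginx inherits add_header from the enclosing level
    # only when a location declares no add_header of its own, so any location
    # that adds a header must repeat every header it still needs.
    # Without "always" a header is sent on 2xx/3xx responses only; of the
    # headers below only HSTS is also sent on error responses.
    add_header Referrer-Policy           "no-referrer";
    add_header X-Frame-Options           "DENY";
    add_header X-Content-Type-Options    "nosniff";
    # Legacy header ignored by current browsers; the CSP is the effective control.
    add_header X-XSS-Protection          "1; mode=block";
    add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
    add_header Content-Security-Policy   "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'";
    # Kept disabled: echoing $http_origin would grant every origin read access.
    #add_header Access-Control-Allow-Origin $http_origin always;

    include mime.types;
    types {
        # application/protobuf and application/vnd.google.protobuf might be valid types too, cf.
        # https://stackoverflow.com/questions/30505408/what-is-the-correct-protobuf-content-type
        application/x-protobuf pbf;
    }

    # Static assets; brotli_static serves a precompressed .br file when present.
    location ^~ /assets/ {
        expires 7d;
        brotli_static on;
        try_files $uri =404;
    }

    location ^~ /tiles/ {
        expires 30m;
        brotli_static on;
        try_files $uri =404;

        # serve an empty payload for missing tiles to save bandwidth
        error_page 404 /_.txt;
    }

    # Query endpoint handed to the uwsgi backend over a local Unix socket.
    location = /q {
        expires epoch;
        # Only POST is accepted; every other method is denied.
        limit_except POST { deny all; }

        #if ($request_method = OPTIONS) {
        #    add_header Strict-Transport-Security "max-age=31557600; includeSubDomains";
        #    add_header Access-Control-Allow-Origin $http_origin;
        #    add_header Access-Control-Allow-Methods "POST, GET, OPTIONS";
        #    add_header Access-Control-Allow-Headers "Accept, Content-Type";
        #    add_header Access-Control-Max-Age 28800;
        #    return 204;
        #}

        # Cap request bodies before they reach the backend.
        client_max_body_size 64k;

        gzip on;
        gzip_types application/json text/plain;

        include uwsgi_params;
        uwsgi_buffering off;
        uwsgi_pass unix:/run/webmap-cgi.socket;
    }

    # Exact match wins over the ^~ /tiles/ prefix, so this file is not cached for 30m.
    location = /tiles/metadata.json {
        expires epoch;
        brotli_static on;
        try_files $uri =404;
    }

    # Target of the error_page redirect in /tiles/; not reachable directly.
    location = /_.txt {
        # cache 404 responses for 30m like for valid tiles
        # This location declares add_header, so the server-level headers are
        # not inherited here; HSTS is repeated for that reason.
        add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
        # Cache-Control directives are comma-separated; with ';' the max-age
        # part is not a valid directive and caches may ignore it.
        add_header Cache-Control "public, max-age=1800" always;
        #add_header Access-Control-Allow-Origin $http_origin always;
        internal;
    }

    # Application pages: same header set as the server level, with a CSP that
    # allows same-origin scripts, styles, fonts and frames, plus map images
    # from the Lantmäteriet host.
    location / {
        add_header Referrer-Policy           "no-referrer";
        add_header X-Frame-Options           "SAMEORIGIN";
        add_header X-Content-Type-Options    "nosniff";
        add_header X-XSS-Protection          "1; mode=block";
        add_header Strict-Transport-Security "max-age=31557600; includeSubDomains" always;
        add_header Content-Security-Policy   "default-src 'none'; connect-src 'self'; font-src 'self'; frame-src 'self'; img-src 'self' data: https://minkarta.lantmateriet.se/map/; script-src 'self'; style-src 'self'; frame-ancestors 'self'; form-action 'none'; base-uri 'self'";

        try_files $uri $uri/ =404;
    }
}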