events {}

http {
	gzip on;
	gzip_types *;
	gzip_comp_level 2;
	gzip_min_length 1000;
	gzip_proxied expired no-cache no-store private auth;

	include mime.types;
	upstream server {
		server server:3000;
	}

	map $request_uri $expires {
		default off;
		"~-[0-9a-z]{10}\.js$" 365d;
		"~*(woff|woff2|ttf|eot)$" 365d;
	}

	map $sent_http_content_type $csp {
		default "";
		"~^text/html" "default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";
	}

	server {
		listen 80;
		autoindex on;
		root /www/data;
		expires $expires;
		add_header Content-Security-Policy $csp;
		add_header Strict-Transport-Security 'max-age=604800; includeSubDomains';
		add_header Referrer-Policy 'origin-when-cross-origin';
		add_header X-Content-Type-Options 'nosniff';
		add_header X-XSS-Protection '1; mode=block';

		location /api/ {
			proxy_pass http://server;
			proxy_redirect off;
		}

		location /vault/ {
			proxy_pass http://server;
			proxy_redirect off;
		}

		location /auditorium/ {
			proxy_pass http://server;
			proxy_redirect off;
		}

		location /script.js {
			proxy_pass http://server;
			proxy_redirect off;
		}

		location /healthz {
			proxy_pass http://server;
			proxy_redirect off;
		}

		location /versionz {
			proxy_pass http://server;
			proxy_redirect off;
		}

		location /normalize.css {
			proxy_pass http://server;
			proxy_redirect off;
		}

		location /skeleton.css {
			proxy_pass http://server;
			proxy_redirect off;
		}

		location /favicon.ico {
			root /www/data/theme/images;
		}

		error_page 404 /404.html;
		location = /404.html {
			internal;
			root /www/data;
			add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive" always;
		}
	}
}