server {
    listen 80;
    listen [::]:80;
    server_name <%= @name %> <% @aliases.each do |alias_name| %> <%= alias_name %><%- end -%>;

    rewrite ^/\.well-known/acme-challenge/(.*)$ http://acme.openstreetmap.org/.well-known/acme-challenge/$1 permanent;

    location / {
      return 301 https://$host$request_uri;
    }

    location /za-25cm {
      root "/store/imagery/za";
      expires max;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name <%= @name %> <% @aliases.each do |alias_name| %> <%= alias_name %><%- end -%>;

    http2_max_concurrent_streams 512;
    keepalive_timeout 30s;

    ssl_certificate /etc/ssl/certs/<%= @name %>.pem;
    ssl_certificate_key /etc/ssl/private/<%= @name %>.key;
<% if node[:ssl][:strict_transport_security] -%>

    add_header Strict-Transport-Security "<%= node[:ssl][:strict_transport_security] %>" always;
<% end -%>

    # Requests sent within early data are subject to replay attacks.
    # See: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_early_data
    ssl_early_data on;

    # root "/srv/<%= @name %>";

    gzip on;
    gzip_types text/plain text/css application/json application/javascript application/x-javascript text/javascript text/xml application/xml application/rss+xml application/atom+xml application/rdf+xml image/svg+xml; # text/html is implicit
    gzip_min_length 512;
    gzip_http_version 1.0;
    gzip_proxied any;
    gzip_comp_level 9;
    gzip_vary on;

    location /za-25cm {
      root "/store/imagery/za";
      expires max;
    }

    location /api/v1/titiler {
      rewrite ^/api/v1/titiler(.*)$ $1 break;
      proxy_pass http://localhost:8080;
      proxy_set_header Host $host;
      proxy_set_header Referer $http_referer;
      proxy_set_header X-Forwarded-For $remote_addr;
      proxy_set_header X-Forwarded-Proto https;
      proxy_set_header X-Forwarded-SSL on;
      proxy_http_version 1.1;
      proxy_set_header Connection "";
      proxy_redirect off;
    }
}