proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=STATIC:10m inactive=24h max_size=1g; proxy_connect_timeout 1s; server_tokens off; server { listen 80 default; rewrite ^ https://$host$request_uri permanent; } server { listen 443 default ssl http2; ssl_protocols TLSv1.2 TLSv1.3; ssl_dhparam /etc/nginx/ssl/dhparams-4096.pem; ssl_prefer_server_ciphers on; ssl_certificate /etc/nginx/ssl/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/privkey.pem; ssl_client_certificate /srv/PKI/shared/ca.pem; ssl_trusted_certificate /srv/PKI/shared/ca.pem; ssl_verify_client optional; root /srv/htdocs-frontend/; error_page 401 /welcome.html; error_page 403 404 /e404.html; error_page 413 /e413.html; error_page 500 502 504 /e500.html; add_header Strict-Transport-Security max-age=31536000; add_header X-Frame-Options deny; add_header Content-Security-Policy "script-src 'unsafe-inline' 'self' 'unsafe-eval'; img-src 'self' data:; style-src 'unsafe-inline' 'self'; font-src 'self'; default-src 'self'"; add_header X-Xss-Protection "1; mode=block"; add_header X-Content-Type-Options nosniff; add_header Referrer-Policy strict-origin; add_header Feature-Policy "accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'none'; speaker 'none'; sync-xhr 'none'; usb 'none'; vr 'none'; wake-lock 'none'; xr-spatial-tracking 'none'"; location = / { include fic-auth.conf; } location = /index.html { include fic-auth.conf; } location = /welcome.html { internal; if ($http_accept ~ "^application/json") { rewrite ^/(.*).html$ /$1.json; } } location = /e404.html { internal; if ($http_accept ~ "^application/json") { rewrite ^/(.*).html$ /$1.json; } } location = /e413.html { internal; if ($http_accept ~ "^application/json") { rewrite ^/(.*).html$ /$1.json; } } location = /e500.html { internal; if ($http_accept ~ "^application/json") { rewrite ^/(.*).html$ /$1.json; } } location ~ ^/[A-Z] { include fic-auth.conf; rewrite ^/.*$ /index.html; } location /edit { include fic-auth.conf; rewrite ^/.*$ /index.html; } location /issues { include fic-auth.conf; rewrite ^/.*$ /index.html; } location /rank { include fic-auth.conf; rewrite ^/.*$ /index.html; } location /tags/ { include fic-auth.conf; rewrite ^/.*$ /index.html; } location /register { include fic-auth.conf; rewrite ^/.*$ /index.html; } location /rules { include fic-auth.conf; rewrite ^/.*$ /index.html; } location /files/ { alias /srv/FILES/; sendfile on; tcp_nodelay on; } location /wait.json { include fic-auth.conf; root /srv/TEAMS/$team/; expires epoch; add_header Cache-Control no-cache; } location /stats.json { root /srv/TEAMS/; expires epoch; add_header Cache-Control no-cache; } location /my.json { include fic-auth.conf; root /srv/TEAMS/$team/; expires epoch; add_header Cache-Control no-cache; if (!-f /srv/startingblock/started) { rewrite ^/.* /wait.json; } } location /issues.json { include fic-auth.conf; root /srv/TEAMS/$team/; expires epoch; add_header Cache-Control no-cache; } location = /events.json { root /srv/TEAMS/; expires epoch; add_header Cache-Control no-cache; } location = /teams.json { root /srv/TEAMS/; expires epoch; add_header Cache-Control no-cache; } location = /themes.json { root /srv/TEAMS/; expires epoch; add_header Cache-Control no-cache; } location = /settings.json { root /srv/SETTINGSDIST/; expires epoch; add_header X-FIC-time $msec; add_header Cache-Control no-cache; } location /submit/ { include fic-auth.conf; proxy_pass http://frontend:8080/submission/; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-FIC-Team $team; proxy_redirect off; } location /issue { include fic-auth.conf; proxy_pass http://frontend:8080; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-FIC-Team $team; proxy_redirect off; } location /chname { include fic-auth.conf; proxy_pass http://frontend:8080; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-FIC-Team $team; proxy_redirect off; } location /registration { include fic-auth.conf; proxy_pass http://frontend:8080; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-FIC-Team $team; proxy_redirect off; } location /openhint/ { include fic-auth.conf; proxy_pass http://frontend:8080; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-FIC-Team $team; proxy_redirect off; } location /wantchoices/ { include fic-auth.conf; proxy_pass http://frontend:8080; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-FIC-Team $team; proxy_redirect off; } }