user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    map $http_x_forwarded_for $forwarded_anon {
        ~(?P<ip>\d+\.\d+\.\d+)\.    $ip.0;
        ~(?P<ip>[^:]+:[^:]+):       $ip::;
        default                     0.0.0.0;
    }

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$forwarded_anon"';

    access_log  /logs/access.log  main;

    sendfile        on;

    keepalive_timeout  65;

    server_tokens off;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "require-sri-for script; default-src 'none'; img-src 'self' https://photos.chameth.com https://a.c5h.io; style-src 'self'; font-src 'self'; frame-ancestors 'none'; frame-src https://contact.chameth.com; form-action 'none'; base-uri 'none';";
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Content-Type-Options "nosniff";
    add_header X-XSS-Protection "1; mode=block";
    add_header Expect-CT "enforce; max-age=3600";
    add_header Referrer-Policy "no-referrer";

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    map $http_accept $webp_suffix {
        "~*webp"  ".webp";
    }

    map $request_uri $redirect_uri {
        /res/images/sense/sense.jpg                     /2016/04/10/sense-api/sense.jpg;
        /res/images/wemo/switch.jpg                     /2016/05/02/monitoring-power-with-wemo/switch.jpg;
        /res/images/wemo/desk-1d.png                    /2016/05/02/monitoring-power-with-wemo/desk-1d.png;
        /res/images/wemo/desk-1w.png                    /2016/05/02/monitoring-power-with-wemo/desk-1w.png;
        /res/images/docker/logo.png                     /2016/05/21/docker-automatic-nginx-proxy/logo.png;
        /res/images/docker/reverse-proxy.png            /2016/05/21/docker-automatic-nginx-proxy/reverse-proxy.png;
        /res/images/https/https-everywhere.jpg          /2016/06/17/why-you-should-be-using-https/https-everywhere.jpg;
        /res/images/yubikey/keys.png                    /2016/08/11/offline-gnupg-master-yubikey-subkeys/keys.png;
        /res/images/yubikey/wisdom_of_the_ancients.png  /2016/08/11/offline-gnupg-master-yubikey-subkeys/wisdom_of_the_ancients.png;
        /res/images/ssh/openssh.png                     /2016/10/18/shoring-up-sshd/openssh.png;
        /res/images/ssh/ssh-audit-github.png            /2016/10/18/shoring-up-sshd/ssh-audit-github.png;
        /res/images/android-tests/spoon.png             /2017/05/16/android-tests-espresso-spoon/spoon.png;
        /res/images/android-tests/spoon-espresso.png    /2017/05/16/android-tests-espresso-spoon/spoon-espresso.png;
        /res/images/dns/providers.png                   /2017/08/16/top-sites-dns-providers/providers.png;
        /res/images/dns/provider-pairings.png           /2017/08/16/top-sites-dns-providers/provider-pairings.png;
        /res/images/dns/resilience.png                  /2017/08/16/top-sites-dns-providers/resilience.png;
        /res/images/erl/edgerouter.jpg                  /2017/12/17/dns-over-tls-on-edgerouter-lite/edgerouter.jpg;
        /res/images/aoc/advent-of-code.png              /2018/12/09/over-the-top-optimisations-in-nim/advent-of-code.png;
        /res/images/nim/logo.jpg                        /2018/12/09/over-the-top-optimisations-in-nim/logo.jpg;
        /res/images/debugging/strace.png                /2019/05/08/debugging-beyond-the-debugger/strace.png;
        /res/images/unsplash/tools.jpg                  /2019/05/08/debugging-beyond-the-debugger/tools.jpg;
        /res/images/obfuscation/kotlin-proguard.png     /2019/10/21/obfuscating-kotlin-proguard/kotlin-proguard.png;
        /res/images/obfuscation/obfuscated.png          /2019/10/21/obfuscating-kotlin-proguard/obfuscated.png;
    }

    server {
        listen       80;
        server_name  chameth.com localhost;

        if ( $redirect_uri ) {
            return 301 $redirect_uri;
        }

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;

            location /res {
                expires 1y;
            }

            location ~ \.(png|jpe?g)$ {
                try_files $uri$webp_suffix $uri =404;
                expires 1y;
            }
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
    }

    server {
        server_name _;
        listen 80 default_server;
        return 301 https://chameth.com$request_uri;
    }

}