# @(#)/etc/nginx/sites-available/archive.netbsd.ax

server {
  listen 443 quic;
  listen 443;
  listen [::]:443 quic;
  listen [::]:443;
  listen 80;
  listen [::]:80;
  http2 on;
  http3 on;

  server_name archive.netbsd.ax;

  root /var/www/sites/archive.netbsd.ax/htdocs;
  index index.html;
  autoindex off;

  set $do_http_upgrade "$https$http_upgrade_insecure_requests";

  ssl_certificate ssl/live/archive.netbsd.ax/fullchain.pem;
  ssl_certificate_key ssl/live/archive.netbsd.ax/privkey.pem;
  ssl_trusted_certificate ssl/live/archive.netbsd.ax/chain.pem;

  add_header Referrer-Policy strict-origin-when-cross-origin;
  add_header Strict-Transport-Security "max-age=63072000";
  add_header Alt-Svc 'h3=":443"; ma=86400';
  add_header X-Frame-Options DENY;
  add_header X-Content-Type-Options nosniff;
  add_header X-XSS-Protection "1; mode=block";

  brotli on;
  brotli_min_length 256;
  brotli_types text/plain;

  gzip on;
  gzip_vary on;
  gzip_proxied any;
  gzip_comp_level 5;
  gzip_min_length 256;
  gzip_types text/plain;

  location / {
    if ($qs_error) {
      return 503;
    }

    if ($do_http_upgrade = "1") {
      add_header Vary Upgrade-Insecure-Requests;
      return 307 https://$host$request_uri;
    }

    try_files $uri $uri/ =404;
  }

  location /.well-known/health {
    access_log off;
    default_type text/plain;
    return 200 'OK\n';
  }

  location /.well-known/acme-challenge {
    return 302 http://vipunen.netbsd.ax$request_uri;
  }

  location /pub {
    root /;
    autoindex on;

    # Files without extension
    location ~ /[A-Z][^./]+$ {
      default_type text/plain;
      location ~ /hp300/installation/misc/SYS_[A-Z]+$ {
	default_type application/octet-stream;
      }
      location ~ /hppa/installation/SYSNBSD$ {
	default_type application/octet-stream;
      }
    }

    location ~ /CHANGES(-[0-9][.0-9]+|\.prev)$ {
      default_type text/plain;
    }

    location ~ /README\.[^/]+$ {
      default_type text/plain;
    }

    location ~ \.(README|c|md)$ {
      default_type text/plain;
    }

    try_files $uri $uri/ =404;
  }

  location = /robots.txt {
    try_files $uri =404;
  }

  location ~ /wp-includes/wlwmanifest\.xml$ {
    return 501;
  }

  location ~ \.(cgi|php)$ {
    return 501;
  }

  # Deny access to .htaccess files, in case Apache and nginx are
  # sharing a document root.

  location ~ /\.ht {
    deny all;
  }
}