server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    server_name diday.org;

    # use our router as resolver
    resolver 10.31.208.1;

    # configure the ngx_http_realip_module to set $remote_addr and $remote_port to the
    # information passed through from public-reverse-proxy.hamburg.ccc.de via proxy-protocol
    set_real_ip_from 2a00:14b0:4200:3000:125::1;
    real_ip_header proxy_protocol;

    # configure tls trustchain
    ssl_certificate /dev/null;
    ssl_certificate_key /dev/null;
    ssl_trusted_certificate /dev/null;

    #
    # configure site
    #
    root /var/www/diday.org;
    error_page 404 /404.html;
    index index.html;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # return a redirect based on the map loaded from the webroot
    if ($did_redirect_target ~ ^301:(.*)$) {
      return 301 $1;
    }
    if ($did_redirect_target ~ ^302:(.*)$) {
      return 302 $1;
    }

    # deny access to the redirects config file
    location = /nginx-redirects.conf {
      deny all;
      return 404;
    }

    # dynamically redirect the user to the language they prefer
    location = / {
      set $lang "de";
      if ($http_accept_language ~* "^en") {
        set $lang "en";
      }
      return 302 /$lang/;
    }

    # configure decap-cms content-type and caching rules
    location = /admin/cms.js {
      expires -1;
      add_header Cache-Control "no-store";
    }
    location = /admin/config.yml {
      expires -1;
      add_header Cache-Control "no-store";
      types { }
      default_type text/yaml;
    }

    # configure asset caching
    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
        expires 1y;
        add_header Cache-Control "public, immutable";
    }

    # we are using the Astro Image Pipeline, therefore DecapCMS can't access image previews
    location /admin/src/ {
        log_not_found off;
        return 404;
    }

    location / {
      try_files $uri $uri/ =404;
    }
}