worker_processes 4;

events {
  worker_connections 1024;
}

http {
  include mime.types;

  default_type  application/octet-stream;

  set_real_ip_from        0.0.0.0/0;
  real_ip_recursive       on;
  real_ip_header          X-Forward-For;
  limit_req_zone          $binary_remote_addr zone=mylimit:10m rate=10r/s;

  access_log /dev/stdout;
  error_log /dev/stderr;

  server {
    listen 3000;

    # Security headers
    add_header X-Frame-Options "DENY" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block" always;

    location = /sw.js {
      root   /usr/share/nginx/html;
      add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
      try_files $uri =404;
    }

    location = /index.html {
      root   /usr/share/nginx/html;
      add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
      try_files $uri =404;
    }

    location ~* ^/assets/.+\.mjs$ {
      root   /usr/share/nginx/html;
      types { application/javascript mjs; }
      default_type application/javascript;
      add_header Cache-Control "public, max-age=31536000, immutable" always;
      try_files $uri =404;
    }

    location ~* ^/assets/.+\.(js|css|png|jpg|jpeg|gif|svg|webp|ico|woff|woff2)$ {
      root   /usr/share/nginx/html;
      add_header Cache-Control "public, max-age=31536000, immutable" always;
      try_files $uri =404;
    }

    location / {
      root   /usr/share/nginx/html;
      index  index.html index.htm;
      add_header Cache-Control "no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0" always;
      try_files $uri $uri/ /index.html;
    }
  }
}