server {
    server_name __LOCAL__ __DOMAIN__;

    # ssl: https://ssl-config.mozilla.org / intermediate config

    listen 80;
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    ssl_certificate /data/nginx/certs/ofm_roundrobin.cert;
    ssl_certificate_key /data/nginx/certs/ofm_roundrobin.key;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    ssl_dhparam /etc/nginx/ffdhe2048.txt;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # access log doesn't contain IP address
    #access_log off;
    access_log /data/ofm/http_host/logs_nginx/roundrobin-access.jsonl access_json buffer=128k;

    error_log /data/ofm/http_host/logs_nginx/roundrobin-error.log;

    __LOCATION_BLOCKS__

    location /styles/ {
        # trailing slash

        alias /data/ofm/http_host/assets/styles/ofm/; # trailing slash
        try_files $uri.json =404;

        expires 1d;
        default_type application/json;

        # substitute the domain in the TileJSON
        sub_filter '__TILEJSON_DOMAIN__' '__DOMAIN__';
        sub_filter_once off;
        sub_filter_types '*';

        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header Cache-Control public;
    }

    # catch-all block to deny all other requests
    location / {
        deny all;
        error_log /data/ofm/http_host/logs_nginx/roundrobin-deny.log error;
    }
}