server {
    server_name ofm tiles.openfreemap.org;

    # ssl: https://ssl-config.mozilla.org / modern config
    # to be used with the Cloudflare proxied endpoint

    listen 80;
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    ssl_certificate /data/nginx/certs/openfreemap.org.cert;
    ssl_certificate_key /data/nginx/certs/openfreemap.org.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;
    ssl_protocols TLSv1.3;
    ssl_prefer_server_ciphers off;

    # access log disabled by default
    #access_log /data/ofm/http_host/logs_nginx/tiles-org-access.log access_json buffer=32k;
    access_log off;

    error_log /data/ofm/http_host/logs_nginx/tiles-org-error.log;

    ___LOCATION_BLOCKS___

    location /styles/ {
        # trailing slash

        alias /data/ofm/http_host/assets/styles/ofm/; # trailing slash
        try_files $uri.json =404;

        expires 1d;
        default_type application/json;

        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header Cache-Control public;
    }

    location /fonts/ {
        # trailing slash

        alias /data/ofm/http_host/assets/fonts/; # trailing slash
        try_files $uri =404;

        expires 1d; # target 1w

        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header Cache-Control public;
    }

    location /sprites/ {
        # trailing slash

        alias /data/ofm/http_host/assets/sprites/; # trailing slash
        try_files $uri =404;

        expires 1d; # target 10y

        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header Cache-Control public;
    }

    location /ne2_shaded/ {
        # trailing slash

        alias /data/ofm/http_host/assets/natural_earth/tiles/natural_earth_2_shaded_relief.raster/; # trailing slash
        try_files $uri =404;

        expires 1d; # target 10y

        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header Cache-Control public;
    }

    # we need to handle missing tiles as valid request returning empty string
    location @empty_tile {
        return 200 '';

        expires 10y;
        default_type application/vnd.mapbox-vector-tile;

        add_header 'Access-Control-Allow-Origin' '*' always;
        add_header Cache-Control public;
    }

    location = / {
        return 302 https://openfreemap.org;
    }

    # catch-all block to deny all other requests
    location / {
        deny all;

        error_log /data/ofm/http_host/logs_nginx/tiles-org-error.log error;
    }
}