server {
    listen 8080 default_server;
    server_name _;

    # Note that regex location matches take priority over non-regex "prefix" matches. Use regexes so that
    # our deny all rule does not squelch the other locations. 
    location ~ ^/health/nginx$ {
        return 200;
    }

    location ~ ^/robots.txt$ {
        add_header Content-Type text/plain;
        return 200 "User-agent: *\nDisallow: /\n";
    }

    location ~ ^/accounts/create.* {
        return 302 https://datatracker.ietf.org/accounts/create;
    }

    # n.b. (?!...) is a negative lookahead group
    location ~ ^(/(?!(api/openid/|accounts/login/|accounts/logout/|accounts/reset/|person/.*/photo|group/groupmenu.json)).*) {
        deny all;
    }

    location / {
        add_header Content-Security-Policy "default-src 'self' 'unsafe-inline' data: https://datatracker.ietf.org/ https://www.ietf.org/ http://ietf.org/ https://analytics.ietf.org https://static.ietf.org; frame-ancestors 'self' ietf.org *.ietf.org meetecho.com *.meetecho.com gather.town *.gather.town";
        proxy_set_header Host $${keepempty}host;
        proxy_set_header Connection close;
        proxy_set_header X-Request-Start "t=${msec}";
        proxy_set_header X-Forwarded-For $${keepempty}proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $${keepempty}remote_addr;
        proxy_pass http://localhost:8000;
    }
}