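# Reverse-proxy template: plain HTTP is redirected to HTTPS, and the HTTPS
# server routes API paths and WebSockets to the API upstream and everything
# else to the gateway upstream. The __UPPER_CASE__ tokens are template
# placeholders that are substituted before nginx loads the file.

server {
    listen 80;
    server_name __QORTAL_SERVER_NAMES__;

    # $host is taken from the request, so the redirect target mirrors the
    # Host header. If this block can act as the default server for port 80,
    # consider a separate catch-all server that rejects unknown names.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name __QORTAL_SERVER_NAMES__;

    ssl_certificate __TLS_CERT_PATH__;
    ssl_certificate_key __TLS_KEY_PATH__;
    # No ssl_protocols / ssl_ciphers are set here, so the protocol and cipher
    # set are whatever this nginx/OpenSSL build defaults to. Pin them
    # explicitly if the deployment has to guarantee a minimum TLS version.
    ssl_prefer_server_ciphers on;

    client_max_body_size 500M;

    # Regex locations are tested in the order they appear and the first match
    # wins, so the restrictive locations must stay above the API location.

    # Block write methods on sensitive endpoints.
    # The pattern is anchored with `$`, so it matches these exact paths only.
    # A request to a subpath, or the same path with a trailing slash, is not
    # matched here and falls through to the API location below, where no
    # method restriction applies.
    # NOTE(review): confirm against the API's route table whether writes live
    # on subpaths (for example under /lists/) and need covering as well.
    # There is no proxy_pass in this location, so a request that passes the
    # method check is answered by nginx itself and never reaches the upstream.
    # NOTE(review): confirm this is intended. Before proxying reads from here,
    # check that none of these paths performs a state-changing action on GET.
    location ~* ^/(lists|admin/(restart|stop|forcesync|apikey/generate|enginestats|orphan|mintingaccounts)|arbitrary/resources/cache/rebuild)$ {
        if ($request_method ~* ^(POST|DELETE)$) {
            return 403;
        }
    }

    # Fully block these endpoints.
    # Each prefix ends in (/|$) so that the path itself and everything below
    # it is denied. The earlier pattern ended in a bare `$` (and, for
    # admin/repository/, a literal trailing slash), which denied only the
    # exact string and let every subpath fall through to the API location.
    location ~* ^/(admin/repository|admin/logs|arbitrary/hosted|crosschain/tradebot|bootstrap/create)(/|$) {
        deny all;
    }

    # Optional hard-block for common attack probes.
    # (/|$) also covers paths below these names (/.git/config, /cgi-bin/...),
    # which an exact-match pattern would pass on to the gateway upstream.
    # favicon.ico, robots.txt and sitemap.xml are answered with 404 as well,
    # so sites served through the gateway cannot publish their own.
    location ~* ^/(favicon\.ico|\.env|\.git|cgi-bin|actuator|login|robots\.txt|sitemap\.xml)(/|$) {
        return 404;
    }

    # WebSockets -> API upstream.
    location /websockets/ {
        proxy_pass http://__QORTAL_API_UPSTREAM__/websockets/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
    }

    location /websockets/crosschain/ {
        proxy_pass http://__QORTAL_API_UPSTREAM__/websockets/crosschain/;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
    }

    # API and /render -> API upstream.
    # The alternation has no trailing boundary, so any path that merely
    # starts with one of these words (for example /atlas or /namespace) is
    # routed to the API upstream instead of the gateway.
    location ~* ^/(addresses|admin|arbitrary|assets|blocks|chat|crosschain|groups|lists|names|payments|peers|polls|render|stats|transactions|utils|at|bootstrap|developer) {
        proxy_pass http://__QORTAL_API_UPSTREAM__;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent. Only the last entry (and X-Real-IP) is set by nginx,
        # so the upstream should not trust the earlier entries.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Unbuffered streaming with hour-long timeouts. Together with the
        # 500M body limit, a slow client can hold an upstream connection for
        # a long time; consider connection or rate limits if this server is
        # publicly reachable.
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
        keepalive_timeout 3600s;
        proxy_request_buffering off;
        proxy_buffering off;
    }

    # QDN website fallback -> gateway upstream.
    location / {
        proxy_pass http://__QORTAL_GATEWAY_UPSTREAM__;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        # An empty Connection header lets nginx reuse upstream connections.
        proxy_set_header Connection "";
    }
}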