server {
  server_name  dym.sh;
  listen       80;
  listen       [::]:80;

  location ~ /\.well-known/acme-challenge {
    root       /var/lib/letsencrypt/;
  }
  location / {
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
    return     301 https://$server_name$request_uri;
  }
}

server {
  server_name dym.sh;
  listen                    443 ssl http2;
  listen                    [::]:443 ssl http2;

  ssl_trusted_certificate   /etc/letsencrypt/live/dym.sh/chain.pem;
  ssl_certificate           /etc/letsencrypt/live/dym.sh/fullchain.pem;
  ssl_certificate_key       /etc/letsencrypt/live/dym.sh/privkey.pem;

  location /favicon.ico {
    return     302 https://$server_name/assets/favicon.ico;
  }
  location /icon.png {
    return     302 https://$server_name/assets/logo.png;
  }
  location /th.png {
    return     302 https://$server_name/assets/th.png;
  }
  location /rss {
    return     302 https://$server_name/assets/rss;
  }

  location / {
    # set to 127.0.0.1 instead of localhost to work around https://stackoverflow.com/a/52550758
    proxy_pass http://127.0.0.1:10099;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
  client_max_body_size 100M;
}