server {  
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name chat.*;

    include /config/nginx/ssl.conf;
    include /config/nginx/gzip.conf;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
        add_header Content-Security-Policy "default-src 'none'; connect-src 'self' https://hackliberty.org; font-src 'self'; img-src 'self' https://hackliberty.org blob: data:; manifest-src 'self'; media-src 'self' https://hackliberty.org; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self'  blob:; frame-ancestors 'self'; block-all-mixed-content; base-uri 'none'";
        add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), bluetooth=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), idle-detection=(), interest-cohort=(), keyboard-map=(), local-fonts=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), speaker-selection=(), usb=(), xr-spatial-tracking=()" always;
        add_header Referrer-Policy "no-referrer" always;
        add_header Cross-Origin-Opener-Policy "same-origin" always;
        add_header Origin-Agent-Cluster "?1" always;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options SAMEORIGIN;
        set $upstream_app chat;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}