upstream cve {
        server unix:///tmp/cve_tracker.sock;
}
server {
    listen [::]:80;
    listen 80;
    server_name cve.lineageos.org;

    location /.well-known/ {
        alias /var/www/cve.lineageos.org/.well-known/;
    }

    location / {
        rewrite     ^   https://$http_host$request_uri? permanent;

    }
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name  cve.lineageos.org;

    access_log /var/log/nginx/cve.access.log;
    error_log /var/log/nginx/cve.error.log;

    ssl_certificate /etc/letsencrypt/live/cve.lineageos.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cve.lineageos.org/privkey.pem;

    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                 EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers   on;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload;";
    add_header X-Clacks-Overhead "GNU Terry Pratchett";

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://cve;

    }

    location ~* /api/v1/.*/unofficial/.* {
        return 404;
    }

    location /static {
        alias /srv/cve_tracker/app/static/;
    }

}