upstream ausweis { server 127.0.0.1:8099; }
server {
    server_name MYDOMAIN;
    listen 80;
    listen [::]:80;
    return 301 https://$host$request_uri;
}
server {
    server_name MYDOMAIN;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    access_log /var/log/nginx/ausweis.access.log;
    error_log /var/log/nginx/ausweis.error.log warn;

    # make sure everything under / is in a sub-folder
    root /srv/http/my-domain/frontend/;

    add_header Permissions-Policy "interest-cohort=()";
    add_header Cache-Control must-revalidate;
    expires 300;

    location /data/ {
        alias /srv/http/my-domain/backend_data/;
        try_files $uri =404; # disable index, prevent attacks on finding a valid slug
        expires 30;
    }

    location /static/ {
        alias /srv/http/my-domain/backend_static/;
        try_files $uri =404; # disable index
        access_log off;
    }

    location / {
        try_files $uri $uri/ @app_server;
    }

    location @app_server {
        proxy_pass http://ausweis;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_buffering off;
    }

    ssl_certificate fullchain.pem; # managed by Certbot
    ssl_certificate_key privkey.pem; # managed by Certbot
}