server {
    listen 8442 ssl http2;
    listen [::]:8442 ssl http2;
    server_name montana.quest www.montana.quest *.montana.quest;

    ssl_certificate /etc/montana-site/fullchain.pem;
    ssl_certificate_key /etc/montana-site/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    root /var/www/montana_quest;
    index index.html;

    add_header X-Robots-Tag "all" always;
    add_header Access-Control-Allow-Origin "*" always;

    # Gitea-paths redirect to hub
    location ~ ^/efir369999/ { return 301 https://hub.montana.quest$request_uri; }

    # Montana messenger API → local backend
    location /messenger/api/ {
        proxy_pass http://127.0.0.1:5010/api/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        add_header Access-Control-Allow-Origin "*" always;
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
        if ($request_method = OPTIONS) { return 204; }
    }

    location = / {
        try_files /index.html =404;
        add_header Cache-Control "public, max-age=60";
    }
    location /messenger/ {
        try_files $uri $uri/ /messenger/index.html =404;
    }
    location /vpn/ { try_files $uri $uri/ =404; }
    location /net/ { try_files $uri $uri/ /net/index.html =404; }
    location / { try_files $uri $uri/ =404; add_header Cache-Control "public, max-age=60"; }
}