# CSP headers for Nextcloud - scoped to /cloud/ only
location ^~ /cloud {
    proxy_pass http://nextcloud:80;
    proxy_hide_header Content-Security-Policy;
    proxy_hide_header X-Content-Security-Policy;
    proxy_hide_header X-WebKit-CSP;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://localdev.unboundedpress.org https://localdev.unboundedpress.org/collab; img-src 'self' data: blob:; font-src 'self' data:; connect-src 'self' https://localdev.unboundedpress.org wss://localdev.unboundedpress.org; form-action 'self'; object-src 'none'; base-uri 'self'" always;
}

# Collabora routing for localdev.unboundedpress.org

# Redirect /collab to Collabora
location ^~ /collab {
    proxy_pass http://collabora:9980;
    proxy_set_header Host $http_host;
}

# static files
location ^~ /browser {
    proxy_pass http://collabora:9980;
    proxy_set_header Host $http_host;
}

# WOPI discovery URL
location ^~ /hosting/discovery {
    proxy_pass http://collabora:9980;
    proxy_set_header Host $http_host;
}

# Capabilities
location ^~ /hosting/capabilities {
    proxy_pass http://collabora:9980;
    proxy_set_header Host $http_host;
}

# main websocket
location ~ ^/cool/(.*)/ws$ {
    proxy_pass http://collabora:9980;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $http_host;
    proxy_read_timeout 36000s;
}

# download, presentation and image upload
location ~ ^/(c|l)ool {
    proxy_pass http://collabora:9980;
    proxy_set_header Host $http_host;
}

# Admin Console websocket
location ^~ /cool/adminws {
    proxy_pass http://collabora:9980;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_set_header Host $http_host;
    proxy_read_timeout 36000s;
}