From b620834f202fbf84cce4901da8f8286e10f67919 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Wed, 2 Jun 2021 21:30:56 -0400
Subject: [PATCH] reorder nginx location blocks

---
 nginx/nginx.conf | 58 ++++++++++++++++++++++++------------------------
 1 file changed, 29 insertions(+), 29 deletions(-)

diff --git a/nginx/nginx.conf b/nginx/nginx.conf
index 3ba8c8fd..7ca1add1 100644
--- a/nginx/nginx.conf
+++ b/nginx/nginx.conf
@@ -242,6 +242,16 @@ http {
 default_type application/json;
 }
 
+ location = /install/web {
+ include snippets/security-headers-base.conf;
+ add_header Content-Security-Policy "default-src 'none'; child-src 'self'; connect-src 'self' https://releases.grapheneos.org/; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'" always;
+ add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), xr-spatial-tracking=()" always;
+ add_header Cross-Origin-Resource-Policy "same-origin" always;
+ add_header Cache-Control "public, no-cache";
+ include snippets/preload.conf;
+ try_files $uri.html =404;
+ }
+
 location ^~ /fonts/ {
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "same-origin" always;
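Review bot: `location = /install/web` is the only block in view that includes `snippets/security-headers-base.conf` instead of `snippets/security-headers.conf` and then sets its own Content-Security-Policy and Permissions-Policy, and nothing in the hunk records why. The `connect-src 'self' https://releases.grapheneos.org/` entry suggests the shared snippet's policy is too strict for this page, but that is an inference from the values, not something the config states. A comment above the block would keep a later editor from "normalising" it back to the shared snippet, e.g. `# web installer: needs its own CSP (connect-src to releases.grapheneos.org) and Permissions-Policy, so it uses the base snippet and sets both itself`. Since this is an exact-match (`=`) location, its position relative to the regex locations does not affect matching, so the move is purely organisational.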
@@ -250,10 +260,21 @@ http {
 brotli_static off;
 }
 
- location ~ "\.webmanifest$" {
+ location ~ "/$" {
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "same-origin" always;
- add_header Cache-Control "public, max-age=604800";
+ add_header Cache-Control "public, no-cache";
+ include snippets/preload.conf;
+ try_files ${uri}index.html @noslash;
+ }
+
+ # redirect /path/ to /path if /path.html exists
+ location @noslash {
+ rewrite ^(.*)/$ $1;
+ if (-f $request_filename.html) {
+ rewrite ^(.*) $1 permanent;
+ }
+ return 404;
 }
 
 location ~ "\.(css|js|map|mjs)$" {
@@ -262,6 +283,12 @@ http {
 add_header Cache-Control "public, max-age=31536000, immutable";
 }
 
+ location ~ "\.webmanifest$" {
+ include snippets/security-headers.conf;
+ add_header Cross-Origin-Resource-Policy "same-origin" always;
+ add_header Cache-Control "public, max-age=604800";
+ }
+
 location ~ "\.png$" {
 include snippets/security-headers.conf;
 # avoid breaking image hotlinking such as https://github.com/TryGhost/Ghost/issues/12880
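Review bot: `location @noslash` includes no `snippets/security-headers.conf`, while the `location ~ "/$"` that hands off to it via `try_files ... @noslash` does, so the 301 produced by `rewrite ^(.*) $1 permanent;` and the `return 404;` response carry only whatever `add_header` directives the enclosing `server` block defines (not visible here), because nginx inherits `add_header` from the outer level only when the current level sets none. Adding `include snippets/security-headers.conf;` as the first line of `@noslash` would make those responses consistent with every other location in the file. Regex locations are tested in order of appearance, so moving `location ~ "/$"` ahead of the suffix patterns stays harmless only while the patterns remain mutually exclusive; a one-line comment above it saying so would protect the ordering against later additions. The same `@noslash` block is removed unchanged in the last hunk, so the missing include is pre-existing rather than introduced by the move.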
@@ -289,33 +316,6 @@ http {
 internal;
 }
 
- location ~ "/$" {
- include snippets/security-headers.conf;
- add_header Cross-Origin-Resource-Policy "same-origin" always;
- add_header Cache-Control "public, no-cache";
- include snippets/preload.conf;
- try_files ${uri}index.html @noslash;
- }
-
- # redirect /path/ to /path if /path.html exists
- location @noslash {
- rewrite ^(.*)/$ $1;
- if (-f $request_filename.html) {
- rewrite ^(.*) $1 permanent;
- }
- return 404;
- }
-
- location = /install/web {
- include snippets/security-headers-base.conf;
- add_header Content-Security-Policy "default-src 'none'; child-src 'self'; connect-src 'self' https://releases.grapheneos.org/; font-src 'self'; img-src 'self'; manifest-src 'self'; script-src 'self'; style-src 'self'; form-action 'none'; frame-ancestors 'none'; block-all-mixed-content; base-uri 'none'" always;
- add_header Permissions-Policy "accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), clipboard-read=(), clipboard-write=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), hid=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), serial=(), sync-xhr=(), xr-spatial-tracking=()" always;
- add_header Cross-Origin-Resource-Policy "same-origin" always;
- add_header Cache-Control "public, no-cache";
- include snippets/preload.conf;
- try_files $uri.html =404;
- }
-
 location / {
 include snippets/security-headers.conf;
 add_header Cross-Origin-Resource-Policy "same-origin" always;