server {
    access_log /var/log/nginx/nginx_https_access.log basic;
    error_log /var/log/nginx/nginx_https_error.log warn;

{% if item.external.restricted %}
    if ($external_addr) {
        return 404;
    }
{% endif %}

{% if item.external.password_protect is defined and item.external.password_protect is sameas true %}
    auth_basic           "Administrator’s Area";
    auth_basic_user_file /etc/nginx/.htpasswd;
{% endif %}

    http2 on;

    gzip on;
    gzip_vary on;
    gzip_min_length 10240;
    gzip_proxied expired no-cache no-store private auth;
    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml;
    gzip_disable "MSIE [1-6]\.";

    listen unix:/var/lib/nginx/tmp/nginx_http.sock proxy_protocol;
    listen unix:/var/lib/nginx/tmp/nginx_https.sock ssl proxy_protocol;

    if ($scheme = "http") {
        return 301 https://$host:443$request_uri;
    }

    set_real_ip_from  unix:;
    real_ip_header    X-Real-IP;
    real_ip_recursive on;

    server_name {{ item.external.domain }}{{ expose_tld }};

    location / {

        proxy_pass {{ item.internal.protocol }}://{{ item.internal.ip }}:{{ item.internal.port }}$request_uri;

        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Accept-Encoding "";

        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $proxy_protocol_addr;
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;

        client_body_buffer_size 512k;
        proxy_read_timeout 86400s;
        client_max_body_size 0;

        # Websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    ssl_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/fullchain.pem;   # managed by certbot on host machine
    ssl_certificate_key /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
    ssl_session_tickets off;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/{{ item.external.domain }}{{ expose_tld }}/fullchain.pem;

    # replace with the IP address of your resolver
    resolver 127.0.0.1;
}