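#jinja2:lstrip_blocks: True
{#
  Renders a single nginx server block for one virtual host.

  Input: `item`, a key/value pair where item.key is the vhost name and
  item.value is the vhost definition. Keys read from the definition:
    servername      list of names for server_name
    listen          dict: ssl (default True), ssl_port (default 443),
                    nossl (default False), nossl_port (default 80)
    default_server  adds default_server to every listen directive
    add_headers     dict of response header name -> value
    custom          list of raw nginx directives, emitted verbatim plus ';'
    backend         upstream URL; enables the reverse-proxy location /
    locations       list of dicts with match and optional alias
    letsencrypt     emits certificate, key and OCSP stapling directives

  All values are interpolated into the configuration without escaping, so
  vhost definitions must come from trusted inventory only.
#}
{% set vhost = item.value %}
{% set vhost_name = item.key %}
{% set vhost_listen = vhost.listen|default({}) %}
server {
  {% if vhost.servername|default([])|length > 0 %}
  server_name {{ vhost.servername|join(' ') }};
  {% endif %}

  {# TLS listeners (IPv4 and IPv6) are enabled unless listen.ssl is set to False. #}
  {# NOTE(review): no ssl_certificate is emitted here unless vhost.letsencrypt is set; #}
  {# presumably it is supplied through vhost.custom or an enclosing block. Confirm. #}
  {% if vhost_listen.ssl|default(True) %}
  listen {{ vhost_listen.ssl_port|default(443) }} ssl {% if vhost.default_server|default(False) %}default_server{% endif %};
  listen [::]:{{ vhost_listen.ssl_port|default(443) }} ssl {% if vhost.default_server|default(False) %}default_server{% endif %};
  {% endif %}

  {# Plain-HTTP listeners are opt-in. This server block then answers on both #}
  {# schemes; the template itself emits no redirect to HTTPS. #}
  {% if vhost_listen.nossl|default(False) %}
  listen {{ vhost_listen.nossl_port|default(80) }} {% if vhost.default_server|default(False) %}default_server{% endif %};
  listen [::]:{{ vhost_listen.nossl_port|default(80) }} {% if vhost.default_server|default(False) %}default_server{% endif %};
  {% endif %}

  {# Response headers. Without the `always` parameter nginx only adds these to #}
  {# successful and redirect responses, so error pages go out without them. #}
  {# A value containing a double quote would end the quoted string early. #}
  {% for header in vhost.add_headers|default([]) %}
  add_header {{ header }} "{{ vhost.add_headers[header] }}";
  {% endfor %}

  {# Raw directives, written as-is with a trailing semicolon. #}
  {% for c in vhost.custom|default([]) %}
  {{ c }};
  {% endfor %}

  {% if vhost.backend|default(False) %}
  location / {
    proxy_pass {{ vhost.backend }};

    # add proxy headers
    {# X-Real-IP carries the peer address nginx saw. X-Forwarded-For is the #}
    {# client-supplied value with that address appended, so the backend should #}
    {# only trust the right-most entry. #}
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Protocol $scheme;
    proxy_set_header X-Forwarded-Ssl $https;
    proxy_set_header X-Url-Scheme $scheme;

    # Websockets
    {# Connection "upgrade" is sent on every proxied request, not only on #}
    {# WebSocket handshakes. #}
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # hide downstream headers for security reasons
    proxy_hide_header X-Powered-By;
    proxy_hide_header Server;
    proxy_hide_header X-AspNetMvc-Version;
    proxy_hide_header X-AspNet-Version;

    # no double headers
    {# The backend's HSTS header is dropped here, so HSTS reaches clients only #}
    {# if it is set through vhost.add_headers or vhost.custom. #}
    proxy_hide_header Strict-Transport-Security;
  }
  {% endif %}

  {# Static locations. `alias` is optional: default(False) keeps a location #}
  {# without it from failing the render under strict undefined handling, #}
  {# matching how every other optional key in this template is read. #}
  {% for location in vhost.locations|default([]) %}
  location {{ location.match }} {
    {% if location.alias|default(False) %}
    alias {{ location.alias }};
    {% endif %}
  }
  {% endfor %}

  {# Certificate and key paths are derived from the vhost name. #}
  {# NOTE(review): OCSP stapling with verification needs a resolver and a #}
  {# trusted issuer chain in nginx, and an OCSP responder at the CA. Confirm #}
  {# these exist, otherwise nginx logs stapling warnings. #}
  {% if vhost.letsencrypt|d(False) %}
  ssl_certificate /etc/ssl/letsencrypt_{{ vhost_name }}_chained.crt;
  ssl_certificate_key /etc/ssl/private/letsencrypt_{{ vhost_name }}.key;
  ssl_stapling_verify on;
  ssl_stapling on;
  {% endif %}
}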