#jinja2:lstrip_blocks: True
{# Renders one nginx `server { }` block for a single vhost.
   `item` is one entry of the vhosts mapping: item.key is the vhost name,
   item.value its settings, merged recursively over nginx_vhosts_defaults.
   Every value rendered here comes from role variables, not from request
   data; custom lines, header values and include paths are emitted verbatim,
   so a value containing `"` or `;` would break (or alter) the generated
   config rather than be escaped. #}
{% set vhost = {}|combine(nginx_vhosts_defaults, item.value, recursive=True) %}
{% set vhost_name = item.key %}
{# Role-wide headers first; per-vhost add_headers win on a key collision. #}
{% set vhost_headers = {}|combine(nginx.add_headers, vhost.add_headers) %}
{# When vhost.backend is set, one synthetic proxy location built from
   nginx_proxy_location is appended after the explicit vhost.locations. #}
{% set vhost_proxy_location = [ {}|combine(nginx_proxy_location, {'backend': vhost.backend }) ] if vhost.backend|d(False) else [] %}
{# One `listen` directive per address in `ips`. `options` is a list of extra
   listen parameters (e.g. ["ssl", "http2"]). `vhost` is read from the
   template scope, not passed in, for the default_server flag.
   NOTE(review): nginx >= 1.25.1 deprecates the `http2` listen parameter in
   favour of `http2 on;` - confirm the target nginx version before relying
   on this form. #}
{% macro nginx_listen(ips, port, options) %}
{% for ip in ips %}
    listen {{ ip }}:{{ port }} {{ options|join(' ') }}{% if vhost.default_server %} default_server{% endif %};
{% endfor %}
{% endmacro %}
server {
{% if vhost.servername|length > 0 %}
    server_name {{ vhost.servername|join(' ') }};
{% endif %}
{# TLS listeners (v4 and/or v6) on ssl_port, then plain listeners on nossl_port. #}
{% if vhost.listen.ssl %}
{% if vhost.listen.v4 %}{{ nginx_listen(vhost.listen.v4_ip, vhost.listen.ssl_port, ["ssl", "http2"]) }}{% endif %}
{% if vhost.listen.v6 %}{{ nginx_listen(vhost.listen.v6_ip, vhost.listen.ssl_port, ["ssl", "http2"]) }}{% endif %}
{% endif %}
{% if vhost.listen.nossl %}
{% if vhost.listen.v4 %}{{ nginx_listen(vhost.listen.v4_ip, vhost.listen.nossl_port, []) }}{% endif %}
{% if vhost.listen.v6 %}{{ nginx_listen(vhost.listen.v6_ip, vhost.listen.nossl_port, []) }}{% endif %}
{% endif %}
{# Extra listen lines, emitted verbatim. #}
{% for i in vhost.listen.custom %}
    listen {{ i }};
{% endfor %}
{# Response headers for the whole server block. nginx inherits add_header
   into a location only when that location declares none itself, so an
   add_header placed in location.custom silently drops all of these for
   that location. Empty keys are skipped; values are quoted, not escaped. #}
{% for header in vhost_headers if header %}
    add_header {{ header }} "{{ vhost_headers[header] }}";
{% endfor %}
{# Free-form server-level directives, `;` is appended here. #}
{% for c in vhost.custom|default([]) %}
    {{ c }};
{% endfor %}
{# Explicit locations first, then the synthetic backend location (if any). #}
{% for location in ( vhost.locations + vhost_proxy_location ) %}
    location {{ location.match }} {
{% if "alias" in location %}
        {# NOTE(review): keep the trailing-slash convention identical on
           `match` and `alias`; a prefix match without a trailing slash
           combined with `alias` is the well-known nginx alias
           misconfiguration that lets requests escape the aliased directory. #}
        alias {{ location.alias }};
{% endif %}
{% if location.backend|d(False) %}
        proxy_pass {{ location.backend }};
        {# presumably for streaming/websocket responses - confirm with the role author #}
        proxy_buffering off;
        # add proxy headers
        proxy_set_header Host {{ location.host|d(vhost.host) }};
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
{# force_forwarded_ssl_header (per location, falling back to the vhost value)
   hard-codes https regardless of the real client scheme. That is only
   correct when every path to this vhost is already TLS, e.g. TLS is
   terminated in front of nginx; otherwise plain-http clients are reported
   to the backend as https. #}
{% if not location.force_forwarded_ssl_header|d(vhost.force_forwarded_ssl_header) %}
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl $https;
        proxy_set_header X-Url-Scheme $scheme;
{% else %}
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Url-Scheme https;
{% endif %}
        # add custom proxy headers
{% for header in vhost.add_proxy_headers if header %}
        proxy_set_header {{ header }} "{{ vhost.add_proxy_headers[header] }}";
{% endfor %}
        # Websockets
        {# NOTE(review): Connection "upgrade" is sent on every proxied
           request, not only on websocket handshakes. The nginx-documented
           pattern is an http-level `map $http_upgrade $connection_upgrade`
           so non-upgrade requests get `close`; that map has to live
           outside this server-block template. #}
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # remove custom proxy headers
{% for header in vhost.hide_proxy_headers if header %}
        proxy_hide_header {{ header }};
{% endfor %}
        # hide backend (upstream) headers that leak server/framework details
        proxy_hide_header X-Powered-By;
        proxy_hide_header Server;
        proxy_hide_header X-AspNetMvc-Version;
        proxy_hide_header X-AspNet-Version;
        # no double headers: the backend's HSTS header is dropped, so HSTS
        # must come from this vhost's add_headers if it is wanted at all
        proxy_hide_header Strict-Transport-Security;
{% endif %}
{# Free-form per-location directives, `;` is appended here. #}
{% for c in location.custom|default([]) %}
        {{ c }};
{% endfor %}
    }
{% endfor %}
{% if vhost.disallow_dotfiles %}
    # disallow every path starting with a dot except .well-known/
    {# This is a regex location. nginx tests regex locations in config order
       and the first match wins, and `^~` prefix locations skip regex
       matching entirely; a regex or `^~` location in vhost.locations (rendered
       above) that also matches a dotfile path therefore takes precedence over
       this deny. #}
    location ~ /\.(?!well-known\/).* {
        deny all;
    }
{% endif %}
{# HTTP basic auth for the whole server block; `satisfy` (all/any) decides
   how it combines with allow/deny rules added elsewhere. #}
{% if vhost.auth.enable %}
    auth_basic "restricted area";
    auth_basic_user_file {{ vhost.auth.path }};
    satisfy {{ vhost.auth.satisfy }};
{% endif %}
{# Include paths are emitted verbatim. #}
{% for include in vhost.includes %}
    include {{ include }};
{% endfor %}
{# Certificate selection: letsencrypt uses fixed paths derived from the vhost
   name; otherwise an explicit crt/key pair. If listen.ssl is on and neither
   branch applies, no ssl_certificate is rendered and nginx will reject the
   configuration at load time. #}
{% if vhost.letsencrypt %}
    ssl_certificate /etc/ssl/nginx_{{ vhost_name }}.chain.crt;
    ssl_certificate_key /etc/ssl/private/nginx_{{ vhost_name }}.key;
{% elif vhost.crt and vhost.key %}
    ssl_certificate {{ vhost.crt }};
    ssl_certificate_key {{ vhost.key }};
{% endif %}
}