{#
  Jinja2 template for a complete nginx.conf: one reverse-proxy `server` block per
  entry in `servers`, with optional TLS and an optional ACME HTTP-01 webroot.

  Input variables ~ examples:
    - acme_challenge_location ~ /ssl/
    - resolver                ~ 127.0.0.11
    - servers (list; every key below is read as server["..."]):
        - name                 ~ doma.in
        - all_names            ~ doma.in testing.doma.in
        - proxy_pass           ~ http://localhost:3333
        - certificate_dir      ~ /ssl/other.doma.in (configured by certificate_name parameter)
        - server_options       ~ list of raw directive lines (opt_1; ...)
        - location_options     ~ list of raw directive lines (opt_1; ...)
        - http_port            ~ 80
        - https_port           ~ 443
        - http_custom_params   ~ proxy_protocol
        - https_custom_params  ~ proxy_protocol

  Trust boundary: every value above is written into the config as-is. Nothing in
  this template validates or escapes server_options, location_options,
  proxy_pass, the *_custom_params or the names, so whoever controls these inputs
  controls the resulting nginx configuration. Feed it only from a trusted source.

  The review notes further down are Jinja comments and are not emitted into the
  rendered nginx.conf.
-#}
user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    {#- server_tokens off keeps the nginx version out of the Server header and error pages. #}
    server_tokens off;
    gzip on;

    {#- NOTE(review): these limits apply to every templated server: 300 s connect,
        600 s send/read timeouts and 500 MB request bodies. They look sized for large
        uploads to slow backends; each slow or large request holds a worker connection
        for that long, so confirm they are really needed globally rather than via
        location_options on the servers that require them. #}
    proxy_connect_timeout 300;
    proxy_send_timeout 600;
    proxy_read_timeout 600;
    send_timeout 600;
    client_max_body_size 500M;

    {#- Catch-all: first server in the file and it has no listen/server_name, so it
        answers 404 for requests that match no templated server_name.
        NOTE(review): without a listen directive nginx binds this block to its default
        HTTP port only. On any other http_port, and on every https_port, the default
        server is the first templated server listening there, so requests with an
        unknown Host/SNI reach that server instead of this 404 - confirm that is
        acceptable or add an explicit default_server for those ports. #}
    server {
        return 404;
    }

    {#- The six maps below choose the values sent upstream. Each one prefers the header
        supplied on the incoming request and falls back to nginx's own view only when
        that header is absent.
        SECURITY: request headers are client-controlled. These values are trustworthy
        only if every path to this nginx goes through a proxy that sets or strips
        Host / X-Forwarded-* / X-Real-IP itself. If clients can connect directly, a
        backend that uses them for access control, rate limiting, URL generation or
        audit logging is reading attacker-chosen data. nginx's realip module
        (set_real_ip_from / real_ip_header) is the usual way to restrict this trust to
        known proxy addresses; nothing in this template does so. #}
    map $http_host $proxied_host {
        "" $host;
        default $http_host;
    }
    map $http_x_forwarded_port $proxied_port {
        "" $server_port;
        default $http_x_forwarded_port;
    }
    map $http_x_forwarded_host $proxied_x_host {
        "" $host:$proxied_port;
        default $http_x_forwarded_host;
    }
    map $http_x_forwarded_proto $proxied_proto {
        "" $scheme;
        default $http_x_forwarded_proto;
    }
    {#- An incoming X-Real-IP replaces $remote_addr outright. #}
    map $http_x_real_ip $proxied_remote_addr {
        "" $remote_addr;
        default $http_x_real_ip;
    }
    {#- An incoming X-Forwarded-For is forwarded unchanged: $proxy_add_x_forwarded_for
        is used only when the header is absent, so the address of the directly
        connected peer is NOT appended to an existing chain. #}
    map $http_x_forwarded_for $proxied_forwarded_for {
        "" $proxy_add_x_forwarded_for;
        default $http_x_forwarded_for;
    }
{%- for server in servers %}
{# #}
    {#- One server block per entry in `servers`. #}
    server {
        {%- if server["http_port"] %}
        {#- Plain-HTTP listener; http_custom_params is appended verbatim to the listen line. #}
        listen {{ server["http_port"] }} {{- " " + server["http_custom_params"] if server["http_custom_params"] else ""}};
        {%- endif %}
        {%- if server["certificate_dir"] %}
        {#- TLS listener, emitted only when certificate_dir is set. No ssl_protocols or
            ssl_ciphers are configured in this template, so the defaults of the installed
            nginx/OpenSSL apply unless server_options supplies them. #}
        listen {{ server["https_port"] }} ssl {{- " " + server["https_custom_params"] if server["https_custom_params"] else ""}};
        ssl_certificate {{ server["certificate_dir"] }}/fullchain.pem;
        ssl_certificate_key {{ server["certificate_dir"] }}/privkey.pem;
        {#- Redirect plain HTTP to HTTPS with a temporary (302) redirect; no
            Strict-Transport-Security header is added here.
            NOTE(review): this is a server-level rewrite directive, so it appears to run
            before location matching and would also redirect ACME challenge requests that
            arrive over HTTP - confirm the ACME client follows the redirect. #}
        if ($scheme = 'http') {
            return 302 https://$host$request_uri;
        }
        {%- endif %}
        keepalive_timeout 70;
        {#- all_names (space-separated list) takes precedence over the single name. #}
        server_name {{ server["all_names"] or server["name"] }};
        {%- if acme_challenge_location %}
{# #}
        {#- ACME HTTP-01 webroot. With `root`, the request URI is appended to
            acme_challenge_location, so files are read from
            <acme_challenge_location>/.well-known/acme-challenge...
            NOTE(review): the example values in the header put this webroot (/ssl/) and
            the certificate directories (/ssl/other.doma.in) in the same tree. Only this
            location prefix keeps privkey.pem out of reach; do not add a broader location
            or alias that serves from the same root. #}
        location /.well-known/acme-challenge {
            root {{ acme_challenge_location }};
        }
        {%- endif %}
        {%- if server["server_options"] %}
{# #}
        {#- Raw directive lines copied verbatim into the server context. #}
        {%- for server_option in server["server_options"] %}
        {{ server_option }}
        {%- endfor %}
        {%- endif %}
        {%- if server["proxy_pass"] %}
{# #}
        location / {
            {#- The upstream URL is placed in a variable ($host_N, where N is the index of
                this entry in the servers loop) and proxy_pass is given that variable, so
                nginx resolves the upstream name at request time through `resolver` rather
                than once at startup. The resolver's answers decide where traffic is sent,
                so it should be one this host trusts. #}
            resolver {{ resolver }};
            set $host_{{ loop.index }} {{ server["proxy_pass"] }};
            proxy_pass $host_{{ loop.index }};
            {#- Headers sent upstream come from the maps in the http block; see the
                SECURITY comment there about client-supplied values. #}
            proxy_set_header HOST $proxied_host;
            proxy_set_header X-Forwarded-Host $proxied_x_host;
            proxy_set_header X-Forwarded-Port $proxied_port;
            proxy_set_header X-Forwarded-Proto $proxied_proto;
            proxy_set_header X-Forwarded-For $proxied_forwarded_for;
            proxy_set_header X-Real-IP $proxied_remote_addr;
            {%- if server["location_options"] %}
{# #}
            {#- Raw directive lines copied verbatim into this location. #}
            {%- for location_option in server["location_options"] %}
            {{ location_option }}
            {%- endfor %}
            {%- endif %}
        }
        {%- endif %}
    }
{%- endfor %}
}
{#- NOTE(review): this include follows the closing brace of the http block, so the
    files are parsed in the main context, where http-level directives such as
    `server` are not valid - confirm that is intended. Every *.conf file in that
    directory becomes part of the running configuration, so the directory should be
    writable only by administrators. #}
include /etc/nginx/conf.d/*.conf;