{# Per-site nginx vhost template (Ansible/Jinja2). Renders:
   - an optional upstream pool when nginx_site_proxy is a list,
   - the TLS server on 443 (explicit redirect, reverse proxy, or static root),
   - a plain-HTTP server on 80 that only forwards ACME challenges and
     redirects everything else to HTTPS.
   Variables read: nginx_site_name, nginx_site_proxy, nginx_site_redirect,
   nginx_site_ssl_config, nginx_logdir, tls_certs, tls_private. #}
{% if nginx_site_proxy is defined and nginx_site_proxy is not string %}
{# List form: one upstream named after the site. Each entry is reduced to
   host[:port] -- an "https://" prefix and any path are stripped; no other
   scheme is recognised by the regex. Entries without an explicit port get
   :443, matching the https:// proxy_pass in the TLS server below. #}
upstream {{ nginx_site_name }} {
{% for item in nginx_site_proxy %}
{% set item = item | regex_replace("^(https://)?([^/]*).*$", "\\2") %}
{% if item | regex_search(".*:[0-9]+$") %}
    server {{ item }};
{% else %}
    server {{ item }}:443;
{% endif %}
{% endfor %}
}
{% endif %}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name {{ nginx_site_name }};

    access_log {{ nginx_logdir }}/{{ nginx_site_name }}.access.log combined;
    error_log {{ nginx_logdir }}/{{ nginx_site_name }}.error.log warn;

    # HSTS for two years, emitted on every response status ("always").
    # NOTE: nginx does not inherit add_header into a block that declares its
    # own add_header -- an add_header in the included per-site snippet or in
    # a location would drop HSTS for the responses served there.
    add_header Strict-Transport-Security "max-age=63072000" always;

{# Only the value "old" emits a protocol/cipher profile here; when unset or
   any other value, nothing is written and protocols/ciphers are presumably
   inherited from the http-level config -- confirm in nginx.conf. #}
{% if nginx_site_ssl_config is defined %}
{% if nginx_site_ssl_config == "old" %}
    # Legacy-compatibility profile: TLS 1.0/1.1 and CBC/3DES suites are
    # enabled. Only opt a site into "old" when it must serve such clients.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
    ssl_prefer_server_ciphers on;
{% endif %}
{% endif %}

    # Certificate material is laid out per site under tls_certs / tls_private.
    ssl_certificate {{ tls_certs }}/{{ nginx_site_name }}-fullchain.crt;
    ssl_certificate_key {{ tls_private }}/{{ nginx_site_name }}.key;

{# Optional per-site snippet (<site>.conf.j2 beside this template); silently
   skipped when the file does not exist. #}
{% include "./{}.conf.j2".format(nginx_site_name) ignore missing %}

{# Precedence: explicit redirect > reverse proxy > static root. #}
{% if nginx_site_redirect is defined %}
    return 301 {{ nginx_site_redirect }};
{% elif nginx_site_proxy is defined %}
    location / {
{% if nginx_site_proxy is not string %}
{# The path component of the first list entry is appended to the upstream
   name; paths on the other entries are ignored. #}
{% set path = nginx_site_proxy[0] | regex_replace("^(https://)?([^/]*)(.*)$", "\\3") %}
        # https://trac.nginx.org/nginx/ticket/1307
        # The upstream certificate is not verified, so the pool is trusted on
        # network reachability alone -- TODO(review): confirm this is
        # acceptable for every site that uses the list form.
        proxy_ssl_verify off;
        proxy_pass https://{{ nginx_site_name }}{{ path }};
{% else %}
        # Scalar form: the value is used verbatim as the proxy_pass target.
        proxy_pass {{ nginx_site_proxy }};
{% endif %}
    }
{% else %}
    root /srv/web/{{ nginx_site_name }};
{% endif %}
}

server {
    listen 80;
    listen [::]:80;
    server_name {{ nginx_site_name }};

    # ACME HTTP-01 challenges are answered by a central certbot host.
    location /.well-known/acme-challenge/ {
        proxy_pass https://certbot.home.foo.sh/.well-known/acme-challenge/;
    }

    # Everything else: the site's own redirect if configured, else to HTTPS.
    location / {
{% if nginx_site_redirect is defined %}
        return 301 {{ nginx_site_redirect }};
{% else %}
        # NOTE(review): $host echoes the client's Host header; that only
        # matters if this vhost also acts as the default_server -- confirm.
        return 301 https://$host$request_uri;
{% endif %}
    }
}