{{ ansible_header | comment }}

{% for site in nginx.reverseproxy_sites %}
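# Redirect http://{{ site.from }} to https://{{ site.from }}
# Plain-HTTP listener (IPv4 and IPv6): serves no content, it only sends
# clients to the HTTPS site.
server {
    listen 80;
    listen [::]:80;

    server_name {{ site.from }};

    location / {
        # Redirect to the configured site name rather than $host: $host
        # echoes the client-supplied Host header, which is untrusted whenever
        # this block answers requests for other names (for example as the
        # default server on port 80).
        # 302 is a temporary redirect, so clients do not cache it permanently.
        return 302 https://{{ site.from }}$request_uri;
    }
}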

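# Reverse proxify https://{{ site.from }} to http://{{ site.to }}
# TLS is terminated in this block; the hop to the backend is plain HTTP.
server {
    # The "ssl" parameter on listen replaces the standalone "ssl on;"
    # directive, which is deprecated since nginx 1.15.0 and was removed in
    # nginx 1.25.1 (the configuration no longer loads with it).
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name {{ site.from }};

    ssl_certificate {{ nginx.ssl.cert }};
    ssl_certificate_key {{ nginx.ssl.cert_key }};

    # SSL ciphers updated by Debian: protocol and cipher settings are not set
    # in this block but pulled from this shared file (the usual location of
    # certbot's nginx options).
    include "/etc/letsencrypt/options-ssl-nginx.conf";

    # NOTE(review): no Strict-Transport-Security header is added in this
    # block; check whether the backend sets one.

    # Enable OCSP Stapling, point to certificate chain.
    # ssl_stapling_verify makes nginx verify the OCSP response against the
    # chain in ssl_trusted_certificate before stapling it.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};

    # Log into separate log files
    access_log      /var/log/nginx/{{ site.from }}.log;
    error_log       /var/log/nginx/{{ site.from }}_error.log;

    # Keep the TCP connection open a bit for faster browsing
    keepalive_timeout 70;

    # Custom error page, served locally so it still works when the backend
    # is the component that failed
    error_page  500 502 503 504  /50x.html;
    location = /50x.html {
        root /var/www/html;
    }

    # Real client address: only peers inside these ranges may override the
    # connection address through the P-Real-Ip header; the header is ignored
    # when it comes from any other peer.
    # NOTE(review): the ranges are hard-coded, presumably the front proxies
    # of this deployment — confirm they stay limited to hosts you control.
    set_real_ip_from 10.231.136.0/24;
    set_real_ip_from 2a0c:700:0:2::/64;
    real_ip_header P-Real-Ip;

    location / {
        # Send the configured site name, not the client's Host header
        proxy_set_header Host {{ site.from }};
        # $remote_addr is the address after the real-IP substitution above
        proxy_set_header P-Real-IP $remote_addr;
        # A client-supplied X-Forwarded-For is passed through with
        # $remote_addr appended, so the backend should rely only on the last
        # entry (or on P-Real-IP), never on the first one.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # Location/Refresh headers from the backend are passed unmodified
        proxy_redirect off;
        proxy_pass http://{{ site.to }};
    }
}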

{% endfor %}