# redirect http to https

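server  {
        # IPv6-only socket: without "ipv6only=off" (or an extra "listen 80;")
        # no IPv4 client reaches this vhost. That matches the IPv6-only
        # backend in the HTTPS block, so presumably deliberate -- confirm.
        listen  [::]:80;
        server_name {{ second_domains }};

        # Let's Encrypt HTTP-01 validation contacts port 80 first. Serving the
        # challenge here (same webroot as the HTTPS vhost) means issuance does
        # not depend on the redirect target presenting a trusted certificate.
        # "^~" is a plain prefix match: no regex evaluation, no unescaped dot.
        location ^~ /.well-known/acme-challenge/ {
                default_type "text/plain";
                root         /var/lib/acme/challenges;
        }
        # Never list the challenge directory itself.
        location = /.well-known/acme-challenge/ {
                return 404;
        }

        # Everything else goes to HTTPS. $server_name is the FIRST name of the
        # server_name list, so with several second_domains all of them land on
        # the first one. $host would preserve the requested name, but if this
        # block is (or becomes) the default_server for the socket it would
        # reflect an arbitrary Host header into the redirect (open redirect);
        # keep $server_name unless every name is known to be served by its
        # own block.
        location / {
                return  301 https://$server_name$request_uri;
        }
}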

# conf for https

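server  {
        # TLS is enabled with the "ssl" listen parameter. The old "ssl on;"
        # directive is deprecated since nginx 1.15 and removed in 1.25; with
        # it gone, a listen line without "ssl" would serve plaintext on 443.
        listen  [::]:443 ssl;
        server_name  {{ second_domains }};

        # Let's Encrypt ACME HTTP-01 challenges, reached here when the CA
        # follows the port-80 redirect. "^~" is a prefix match (no regex
        # fall-through); the previous "~ /.well-known/..." was a regex with
        # an unescaped dot.
        location ^~ /.well-known/acme-challenge/ {
                default_type "text/plain";
                root         /var/lib/acme/challenges;
        }
        # Never list the challenge directory itself.
        location = /.well-known/acme-challenge/ {
                return 404;
        }

        # TLS conf
        # NOTE(review): this vhost serves second_domains with main_domain's
        # certificate. That only validates if the certificate is a SAN or
        # wildcard covering every second_domains entry -- confirm.
        ssl_certificate     /etc/nginx/sites/{{ main_domain }}/{{ main_domain }}.chained;
        ssl_certificate_key /etc/nginx/sites/{{ main_domain }}/{{ main_domain }}.key;
        # Pin the protocol set instead of inheriting the build default, which
        # on older nginx still includes TLSv1 and TLSv1.1. On nginx < 1.13
        # (no TLSv1.3 support) drop TLSv1.3 from this line.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/nginx/dh4096.pem;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 5m;
        # HSTS. "always" also attaches the header to 4xx/5xx responses, which
        # plain add_header skips. max-age is ~31 days; raise it to a year once
        # every second_domains entry is confirmed to be HTTPS-only.
        add_header Strict-Transport-Security "max-age=2678400" always;

        # reverse proxy (IPv6 backend, plaintext on the internal hop)
        location / {
                proxy_pass http://[{{ ip6_back }}];
                proxy_redirect off;
                proxy_set_header Host $host;
                # $proxy_add_x_forwarded_for APPENDS to any client-supplied
                # X-Forwarded-For, so the backend must trust only the last
                # (rightmost) entry. X-Real-IP carries the peer address alone.
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # X-Forwarded-Proto is what most frameworks consult to build
                # https:// URLs and set secure cookies; X-Forwarded-Ssl is kept
                # for backends that only understand that header.
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Ssl on;
        }
}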