server{

    # {{ comment }}
    
    listen 443 ssl;
    listen [::]:443 ssl;

    {% if servernames %}server_name{% for s in servernames %} {{ s }}{% endfor %};{% endif %}

    {% if acme %}
    include acme-challenge.conf;
    {% else %}
    listen 80;
    listen [::]:80;
    {% endif %}


    {% if cert_optional %}
    ssl_client_certificate ca_cert.pem;
    ssl_verify_client optional;
    ssl_verify_depth 1;
    {% endif %}
    
    {% if extra_location %}
    location {{ extra_location["location"] }} {
        {{ extra_location["content"] }}
        {% if extra_location["location-auth"] %}
        auth_basic "{{ extra_location["location-auth"] }}";
        auth_basic_user_file /etc/nginx/{{ extra_location["location-auth"] }}.htpasswd;
        {% endif %}
    }
    {% endif %}

    location / {    
        proxy_pass http://{{ targetip }}:{{ targetport }};
        proxy_set_header Host $http_host;
        {{ proxy_pass_blob }}
        {{ cert_header_line }}
        {% if basicauth %}
        auth_basic "{{ basicauth }}";
        auth_basic_user_file /etc/nginx/{{ basicauth }}.htpasswd;
        {% endif %}
    }
}

{% if acme %}
server{

    # {{ comment }}
    
    listen 80;
    listen [::]:80;

    {% if servernames %}server_name{% for s in servernames %} {{ s }}{% endfor %};{% endif %}


    include acme-challenge.conf;
    return 301 https://$host$request_uri;

}
{% endif %}