user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;
worker_rlimit_nofile 30000;

events {
	worker_connections {{ worker_connections }};
    multi_accept on;
}

http {

    {{ maps }}

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	server_tokens off;

    log_format custom '$remote_user [$time_local]'
                  '"$request" $status $body_bytes_sent'
                  '"$http_referer" "$http_user_agent"'
                  '"$request_time" "$upstream_connect_time"';
    access_log /var/log/nginx/access.log custom;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

    # needed for weechat #
    map $http_upgrade $connection_upgrade {
            default upgrade;
            '' close;
    }

	ssl_certificate         {{ ssl_path }}/fullchain.pem;
	ssl_certificate_key     {{ ssl_path }}/privkey.pem;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;
	ssl_ciphers {{ ssl_ciphers }};

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

    # Increase the buffer size for headers
    proxy_buffer_size          16k;
    proxy_buffers              4 16k;
    proxy_busy_buffers_size    16k;
    client_header_buffer_size 5120k;
    large_client_header_buffers 16 5120k;

	gzip on;
    	
	proxy_cache_path /tmp/nginx.cache.d keys_zone=default_proxy_cache:10m;

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
    include http_include.conf;

    server{
        listen 80 default;
        listen [::]:80 default;

        # disable logging
        access_log off;

        include acme-challenge.conf;
        location /{
        	return 302 https://$host$request_uri;
        }
    }
}

stream {

	ssl_certificate         {{ ssl_path}}/fullchain.pem;
	ssl_certificate_key     {{ ssl_path }}/privkey.pem;
	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;
	ssl_ciphers {{ ssl_ciphers }};

    include stream_include.conf;
}