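# TLS reverse-proxy virtual host, rendered from a template (placeholders: item.domain, item.port).
# Laid out one directive per line: collapsed onto a single line, the "#" comment in
# location / would swallow proxy_redirect, the closing braces and both log directives.
server {
    listen 443 ssl;
    server_name {{ item.domain }} ;

    # proxy_pass takes its target from a variable below, so nginx resolves the host
    # name at request time through this resolver.
    # NOTE(review): the "localhost" lookups therefore depend on 172.16.40.20 answering
    # correctly; a literal 127.0.0.1 in $backend/$certbot would drop that dependency.
    # Confirm the backend listens on IPv4 loopback before changing.
    resolver 172.16.40.20;
    set $backend "http://localhost:{{ item.port }}";
    set $certbot "http://localhost";

    ssl_certificate /etc/nginx/certs/{{ item.domain }}/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/{{ item.domain }}/privkey.pem;
    # NOTE(review): no ssl_protocols / ssl_ciphers in this block; the accepted TLS
    # versions come from an enclosing context or the nginx defaults. Verify.

    # ACME challenge requests are handed to the local certbot listener.
    # The allow/deny rules live in location / only, so this path is reachable from
    # any address (presumably intentional, so that validation requests get through).
    location /.well-known/acme-challenge/ {
        proxy_pass $certbot;
        proxy_set_header Host $host;
    }

    ssl_session_cache shared:SSL:10m;

    # Request bodies up to 1024 MB are accepted for every location in this server.
    client_max_body_size 1024m;

    location / {
        # Access rules are checked in order and the first match wins: 172.16.41.60 is
        # rejected although it lies inside 172.16.0.0/16; everything outside that
        # range falls through to "deny all".
        deny 172.16.41.60;
        allow 172.16.0.0/16;
        deny all;

        proxy_pass $backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Port 443;
        # Both client-address headers carry the connecting address, replacing any
        # X-Forwarded-For value the client sent.
        # NOTE(review): if another proxy sits in front of this one, the backend sees
        # that proxy's address here. Confirm the topology.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Ssl on;

        # Rewrite http:// to https:// in redirects returned by the backend
        # (for example a redirect to /home).
        proxy_redirect http:// https://;
    }

    # Per-domain log files.
    error_log /var/log/nginx/{{ item.domain }}_error.log;
    access_log /var/log/nginx/{{ item.domain }}_access.log;
}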