server {
    # SLB IP
    listen 213.180.193.24:443 ssl;
    listen [2a02:6b8::1:24]:443 ssl;

    # Server IP
    listen [1::2:3:4]:443 ssl;
    listen 127.0.0.1:443 ssl;
    listen [::1]:443 ssl;

    server_name guard.a.yandex-team.ru guard.abc.yandex-team.ru guard.bot.yandex-team.ru guard.crm.hd.yandex-team.ru guard.crt-api.yandex-team.ru guard.crt.yandex-team.ru guard.deploy.yandex-team.ru guard.eds.yandex-team.ru guard.help.yandex-team.ru guard.idm.yandex-team.ru guard.juggler.yandex-team.ru guard.kolhoz.yandex-team.ru guard.nanny.yandex-team.ru guard.newci.yandex-team.ru guard.nirvana.yandex-team.ru guard.ok.yandex-team.ru guard.puncher.yandex-team.ru guard.q.yandex-team.ru guard.review.yandex-team.ru guard.sandbox.yandex-team.ru guard.skotty.sec.yandex-team.ru guard.st.yandex-team.ru guard.staff.yandex-team.ru guard.wiki.yandex-team.ru guard.yav.yandex-team.ru guard.yql.yandex-team.ru guard.yt.yandex-team.ru;
    root /srv;

    ssl_certificate             /etc/nginx/certs/guard.yandex-team.ru.crt;
    ssl_certificate_key         /etc/nginx/certs/guard.yandex-team.ru.key;
    ssl_session_cache           shared:SSL:256m;
    ssl_session_timeout         28h;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers                 kEECDH+AES128:kEECDH:-3DES:kRSA+AES128:DES-CBC3-SHA:!kEDH:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
    ssl_prefer_server_ciphers   on;

    add_header Strict-Transport-Security "max-age=315360000; includeSubDomains";

    access_log /var/log/nginx/guard.access.log main;
    error_log /var/log/nginx/guard.error.log;

    set $global_request_id $request_id;

    location /st/ {
        alias /usr/lib/yandex/passport-frontend/public/;
        gzip_static on;
        brotli_static on;
    }

    location = /robots.txt {
        root /usr/lib/yandex/passport-frontend/public/;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header X-Request-Id $global_request_id;
        proxy_set_header Host $host;
        proxy_set_header X-Real-Scheme $scheme;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
