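[%
    # Shared settings for the social / broker nginx vhost templates.
    # Reads `envtype` and `envname`, which are not defined in this file and are
    # expected to be supplied by whatever processes the template.

    is_prod = envtype == 'production' && ! envname;
    # Parenthesised so the grouping does not depend on how Template Toolkit
    # ranks `&&` against `||` (its grammar may give them equal, left-to-right
    # precedence): rc is either envtype 'rc' or production with envname 'rc'.
    is_rc   = envtype == 'rc' || (envtype == 'production' && envname == 'rc');
    is_test = envtype == 'testing';
    is_dev  = envtype == 'development';

    # Key used for every per-environment table below; a production host with
    # envname 'rc' is treated as 'rc'.
    env = is_rc ? 'rc' : envtype;

    path = '/opt/www/social';

    instances = {
        production  = 'social'
        rc          = 'social-rc'
        testing     = 'social-test'
        development = 'social-dev'
    };
    # An envtype outside the four keys above leaves `instance` undefined.
    instance = instances.$env;
    broker_frontend_ip = '127.0.0.1';
    # Not referenced anywhere else in this file.
    broker_frontend_ip2 = '[2a02:6b8:c04:106:8000:611:0:3]';

    # Outside development the backends are reached over unix sockets in /tmp;
    # in development they are loopback TCP ports. The strings are single-quoted,
    # so `$instance_num` is emitted literally and resolved by nginx at request
    # time (the instance_vars block sets it in development).
    # NOTE(review): socket paths under /tmp are reachable by any local user
    # unless the socket permissions say otherwise - confirm how they are created.
    api_backend = !is_dev ? 'http://unix:/tmp/yandex-social-api.sock:' : 'http://127.0.0.1:400$instance_num';
    proxy2_backend = !is_dev ? 'http://unix:/tmp/yandex-social-proxy2.sock:' : 'http://127.0.0.1:500$instance_num';
    broker_backend = !is_dev ? 'http://unix:/tmp/yandex-social-broker.sock:' : 'http://127.0.0.1:600$instance_num';
    broker_frontend = 'http://' _ broker_frontend_ip _ ':' _ (is_dev ? '300$instance_num' : '3000');

    # Non-capturing alternation of TLDs; the server_name block uses it for
    # domain 'ru' and wraps it in the capture group that becomes $tld.
    broker_tlds = '(?:az|co\.il|com|com\.am|com\.ge|com\.tr|ee|eu|fi|fr|pl|ru|ua|by|kg|kz|lt|lv|md|tj|tm|uz)';
%]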

[% BLOCK listen %]
    [%# Emits one nginx `listen` directive.
        ip      - optional address (IPv6 already bracketed); when empty the
                  directive carries only the port, so nginx binds every address.
        port    - port number.
        default - when true, appends ` default backlog=1024`.
        v6      - when true and ip contains ':', appends ` ipv6only=on`.
    -%]
    listen  [% IF ip %][% ip %]:[% END %][% port %][% IF default %] default backlog=1024[% END %][% IF v6 AND ip.match(':') %] ipv6only=on[% END %];
[% END ~%]

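[% BLOCK listens_web %]
    [%
        # Emits the `listen` lines for the web vhost: the environment's external
        # addresses, the loopback addresses, and this host's own address
        # (`hostip`). `port`, `default` and `v6` are passed through to `listen`.
        external_listen_ips_by_env = {
            production = [
                '213.180.204.201'
                '[2a02:6b8::201]'
            ]
            rc = [
                '213.180.205.28'
                '[2a02:6b8:0:3400::1:28]'
            ]
            testing = [
                '141.8.146.5'
                '[2a02:6b8:0:3400::5]'
            ]
            development = []
        };
        local_listen_ips = [
            '127.0.0.1'
            '[::1]'
        ];
        external_listen_ips = external_listen_ips_by_env.$env;
        listen_ips = external_listen_ips.merge(local_listen_ips);

        # Only add the host address when one was supplied. An empty entry would
        # reach the `listen` block with no ip and produce a bare `listen <port>`,
        # which binds every address on the machine instead of the listed ones.
        IF hostip;
            # IPv6 literals must be bracketed in a listen directive.
            ip = hostip.match(':') ? '[' _ hostip _ ']' : hostip;
            listen_ips = listen_ips.merge([ ip ]);
        END;

        # nginx rejects a server block that lists the same address:port twice,
        # which happens when hostip equals a loopback or external address.
        # This is a string comparison, so differently spelled IPv6 forms of the
        # same address are not collapsed.
        listen_ips = listen_ips.unique;
    %]
    [%- FOR listen_ip IN listen_ips %]
        [% INCLUDE listen ip=listen_ip port=port default=default v6=v6 %]
    [%- END %]
[% END ~%]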

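[% BLOCK listens_api %]
    [%
        # Emits the `listen` lines for the API vhost: the environment's external
        # addresses (none for rc and development), the loopback addresses, and
        # this host's own address (`hostip`). `port`, `default` and `v6` are
        # passed through to `listen`.
        external_listen_ips_by_env = {
            production = [
                '93.158.157.106'
                '[2a02:6b8:0:3400::106]'
            ]
            rc = []
            testing = [
                '95.108.254.101'
                '[2a02:6b8:0:3400::2:101]'
            ]
            development = []
        };
        local_listen_ips = [
            '127.0.0.1'
            '[::1]'
        ];
        external_listen_ips = external_listen_ips_by_env.$env;
        listen_ips = external_listen_ips.merge(local_listen_ips);

        # Only add the host address when one was supplied. An empty entry would
        # reach the `listen` block with no ip and produce a bare `listen <port>`,
        # exposing the API on every address of the machine.
        IF hostip;
            # IPv6 literals must be bracketed in a listen directive.
            ip = hostip.match(':') ? '[' _ hostip _ ']' : hostip;
            listen_ips = listen_ips.merge([ ip ]);
        END;

        # nginx rejects a server block that lists the same address:port twice,
        # which happens when hostip equals a loopback or external address.
        # This is a string comparison, so differently spelled IPv6 forms of the
        # same address are not collapsed.
        listen_ips = listen_ips.unique;
    %]
    [%- FOR listen_ip IN listen_ips %]
        [% INCLUDE listen ip=listen_ip port=port default=default v6=v6 %]
    [%- END %]
[% END ~%]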

[% BLOCK server_name %]
    [%
        # Builds the regex `server_name` for this instance under yandex.<tld>.
        # In development the host starts with a captured digit (the instance
        # number), so the TLD is the second capture there and the first one
        # everywhere else; instance_vars relies on that numbering.
        IF env == 'development';
            subdomain = '(\d)\.' _ instance;
        ELSE;
            subdomain = instance;
        END;

        # For domain 'ru' the whole broker TLD alternation is accepted;
        # otherwise `domain` is inserted into the regex as given.
        # NOTE(review): `domain` is not escaped here, so a dot in a value such
        # as com.tr would match any character - confirm callers pass it
        # already escaped.
        server_name = '~^' _ subdomain _ '\.yandex\.(' _ (domain == 'ru' ? broker_tlds : domain) _ ')$';
    %]
    server_name         [% server_name %];
[% END %]

[% BLOCK instance_vars %]
    [%# Sets the nginx variables $instance and $tld (plus $instance_num in
        development) from numbered regex captures. The numbering matches the
        pattern built by the server_name block: development has the instance
        digit as capture 1 and the TLD as capture 2, other environments have
        the TLD as capture 1.
        NOTE(review): $1 and $2 hold the most recent regex match, so this
        presumably has to be evaluated before any other regex in the server
        block overwrites them - confirm at the include site.
    -%]
    [% IF is_dev %]
    set                 $instance_num   $1;
    set                 $instance       "$instance_num.[% instance %]";
    set                 $tld            $2;
    [% ELSE %]
    set                 $instance       [% instance %];
    set                 $tld            $1;
    [% END %]
[% END ~%]

[% BLOCK log %]
    [%# Per-instance, per-domain access log in the `main` format (the format is
        defined outside this file). Nothing is emitted in development, so a
        development vhost gets whatever access_log setting it inherits.
        `domain` becomes part of the file name as given.
    -%]
    [% UNLESS is_dev %]
    access_log          [% path %]/log/nginx.[% instance %].yandex.[% domain %].access_log    main;
    [% END %]
[% END ~%]

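[% BLOCK ssl_general %]
    [%# TLS settings shared by the web and API vhosts. `filename` is the
        basename of the certificate and key files under /etc/nginx/certs.

        Protocols: TLSv1 and TLSv1.1 are no longer offered; both are formally
        deprecated (RFC 8996). Add TLSv1.3 to the list where the deployed
        nginx and OpenSSL builds support it.

        Ciphers: the explicit DES-CBC3-SHA fallback is gone and 3DES is now
        excluded outright, because 64-bit block ciphers are exposed to
        birthday-bound attacks on long-lived connections (Sweet32). The
        preference order of the remaining suites is unchanged. kRSA+AES128 is
        kept for clients without ECDHE; it provides no forward secrecy.

        NOTE(review): `ssl on` is obsolete in current nginx, which expects the
        `ssl` parameter on the listen directive instead. It is left in place
        because the listen lines are generated by a separate block.
        NOTE(review): sessions stay resumable for 28 hours; confirm that this
        lifetime is intended.
    -%]
    ssl                         on;
    ssl_certificate             /etc/nginx/certs/[% filename %].crt;
    ssl_certificate_key         /etc/nginx/certs/[% filename %].key;
    ssl_session_cache           shared:SSL:64m;
    ssl_session_timeout         28h;
    ssl_protocols               TLSv1.2;
    ssl_ciphers                 kEECDH+AES128:kEECDH:kRSA+AES128:!3DES:!kEDH:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
    ssl_prefer_server_ciphers   on;
[% END ~%]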

[% BLOCK ssl_web %]
    [%~
        # TLS for the web vhost: picks the certificate basename for the current
        # environment and emits the shared settings from ssl_general.
        cert_basenames = {
            production  = 'social.yandex.ru'
            rc          = 'social-rc.yandex.ru'
            testing     = 'social-test.yandex.ru'
            development = 'social-dev.yandex.ru'
        };
    ~%]
    [% INCLUDE ssl_general filename=cert_basenames.$env %]
    [%# OCSP stapling is enabled in production only; the resolver line
        presumably relies on a DNS resolver listening on the local host.
    -%]
    [% IF is_prod %]
    ssl_stapling                on;
    resolver                    127.0.0.1;
    [% END %]
[% END ~%]

[% BLOCK ssl_api %]
    [%~
        # TLS for the API vhost. rc and development reuse the web certificate
        # names; production and testing have api.* certificates of their own.
        cert_basenames = {
            production  = 'api.social.yandex.ru'
            rc          = 'social-rc.yandex.ru'
            testing     = 'api.social-test.yandex.ru'
            development = 'social-dev.yandex.ru'
        };
    ~%]
    [%# In development no TLS directives are emitted at all, so the
        development entry in the table above is never used.
    -%]
    [% UNLESS is_dev %]
        [% INCLUDE ssl_general filename=cert_basenames.$env %]
    [% END %]
[% END ~%]

[% BLOCK proxy_headers %]
    [%# Headers handed to the proxied backends. X-Real-IP and X-Real-Scheme are
        set from nginx's own view of the connection, so values a client sends
        under those names are overwritten. Host is the name nginx derived from
        the request, i.e. it is still client-influenced.
        nginx inherits proxy_set_header lines only into levels that define
        none of their own, so a location adding a single proxy_set_header
        loses all three.
        NOTE(review): X-Forwarded-For is not set here - confirm the backends
        do not read it.
    -%]
    proxy_set_header    Host            $host;
    proxy_set_header    X-Real-IP       $remote_addr;
    proxy_set_header    X-Real-Scheme   $scheme;
[% END ~%]

[% BLOCK location_ping %]
    [%# Health check: /ping.html is proxied to the broker's /ping with a fixed
        list of components to check; social_api is added to the list in
        development and testing only.
        NOTE(review): no access restriction is visible in this block, so the
        check is presumably reachable by any client of the vhost - confirm
        that the response does not reveal more than up/down.
    -%]
    location /ping.html {
        proxy_pass      [% broker_backend %]/ping?check=db,frontend,blackbox[% IF is_dev OR is_test %],social_api[% END %];
    }
[% END ~%]

[% BLOCK location_api %]
    [%# Routes API traffic to the api, proxy2 and broker backends.
        NOTE(review): none of these locations carries an allow/deny or auth
        directive - confirm that access control is applied by the including
        server block or by the backends.
    -%]

    [%# Prefix match: covers every URI that starts with /api, not only /api/. -%]
    location /api {
        proxy_pass      [% api_backend %];
    }

    [%# Longer prefix, so it wins over /api for these URIs; same backend. -%]
    location /api2 {
        proxy_pass      [% api_backend %];
    }

    location /proxy2 {
        proxy_pass      [% proxy2_backend %];
    }

    [%# A regex location takes precedence over the /proxy2 prefix above. For
        matching requests nginx does not act on an X-Accel-Redirect header from
        the backend and passes that header on to the client instead.
        NOTE(review): the pattern has no end anchor and `.+?` can span `/`, so
        it matches more URIs than a single task id followed by /sign_request.
        Confirm that the client is meant to see the header on all of them, or
        tighten the pattern.
    -%]
    location ~ '^/proxy2/task/.+?/sign_request' {
        proxy_ignore_headers    X-Accel-Redirect;
        proxy_pass_header       X-Accel-Redirect;
        proxy_pass      [% proxy2_backend %];
    }

    [%# Strips the /brokerapi prefix and proxies the remainder to the broker.
        The prefix match also accepts URIs such as /brokerapiX, whose
        remainder has no leading slash.
    -%]
    location /brokerapi {
        rewrite ^/brokerapi(.*)$   $1  break;
        proxy_pass      [% broker_backend %];
    }
[% END ~%]

[% BLOCK location_svn %]
    [%# Denies any URI containing `/.svn`, so Subversion metadata in a
        checked-out web root is not served. Only .svn is covered; metadata
        directories of other version control systems would need rules of
        their own.
    -%]
    location ~ (/\.svn) {
        deny            all;
    }
[% END ~%]

[% BLOCK location_providers %]
    [%# Serves the static provider lists as JSON, JSONP or XML. -%]
    location /providers {
        [%# The callback name is later substituted into a JavaScript response,
            so it is restricted to at most 100 letters, digits and underscores.
            $arg_callback is the raw query value; percent-encoded input fails
            the check because `%` is not in the class. An empty or missing
            callback passes.
        -%]
        if ($arg_callback !~ '^[a-zA-Z0-9_]{0,100}$') {
            return 400;
        }

        [%# Stops browsers from sniffing the responses as another content type.
            nginx drops add_header lines inherited from the server level once a
            location defines its own, so headers added there (the hsts block,
            for example) are not sent for this location unless repeated here.
        -%]
        add_header      X-Content-Type-Options      nosniff;

        keepalive_timeout       0;

        types {
            application/json        json;
            application/javascript  jsonp;
            application/xml         xml;
        }

        charset_types application/json application/javascript application/xml;

        [%# The callback placeholder is replaced only in application/javascript
            responses, i.e. the .jsonp files.
        -%]
        sub_filter       %%callback%% $arg_callback;
        sub_filter_types application/javascript;

        root        [% path %]/static/providers;

        [%# Requests on the listed TLDs are served from a separate directory. -%]
        if ($tld ~* '^(?:co\.il|com|com\.tr|fr)$') {
            root	[% path %]/static/providers-turkey;
        }
    }
[% END ~%]

[% BLOCK hsts %]
    [%# HSTS with a max-age of ten years (315360000 seconds), applied to every
        subdomain of the serving host as well.
        Without the `always` parameter nginx adds the header only to successful
        and redirect responses, not to error pages. A location that has its
        own add_header lines does not inherit this one.
    -%]
    add_header      Strict-Transport-Security   "max-age=[% 60 * 60 * 24 * 365 * 10 %]; includeSubDomains";
[% END ~%]

[% BLOCK location_mailru_receiver %]
    [%# Serves the static receiver.html with a one-month expiry and nosniff.
        Because this location defines its own add_header, add_header lines
        from the server level are not inherited here.
    -%]
    location /receiver.html {
        add_header      X-Content-Type-Options      nosniff;
        expires         1M;
        root            [% path %]/static;
    }
[% END ~%]

[% BLOCK proxy_buffering %]
    [%# Buffers backend responses in memory only: eight 16k buffers plus a 32k
        buffer for the first part of the response. The zero temp-file size
        stops nginx from spilling a response to disk.
    -%]
    proxy_buffering                 on;
    proxy_max_temp_file_size        0;
    proxy_buffers                   8   16k;
    proxy_buffer_size               32k;
[% END ~%]
