
# Backend pool for the tirole internal API: one local listener on
# 127.0.0.1:8071, reached over plain HTTP by the proxy_pass in the vhost below.
# NOTE(review): any process on this host can connect to 8071 directly and set
# X-Real-IP / X-Forwarded-For itself, bypassing nginx. Presumably the backend
# treats loopback peers as trusted - confirm.
upstream tirole_internal {
        # Keep up to 4 idle connections to the backend cached per worker. This
        # only takes effect because the proxying location uses HTTP/1.1 and
        # clears the Connection header.
        keepalive 4;
        server 127.0.0.1:8071;
}

# Access-log line for the tirole internal API vhost. Fields, in order: client
# address, Basic-auth user, local time, upstream response time, total request
# time, request length, status, body bytes sent, scheme, Host, request id.
# The request method and URI are not part of this format, so working out what
# was requested during an investigation means correlating $request_id with the
# backend's own logs. NOTE(review): confirm the backend records X-Request-Id.
# $host is taken from the client's request, so treat it as untrusted when
# parsing these logs.
log_format tirole_internal '$remote_addr - $remote_user [$time_local] $upstream_response_time $request_time $request_length "$status" $body_bytes_sent "$scheme" "$host" $request_id';

# Catch-all vhost for [<<IP>>]:443: requests whose name does not match a
# server_name on this socket land here and get a 404 instead of reaching the
# backend.
server {
        # default_server makes this the fallback for the socket; ipv6only=off
        # lets the same IPv6 socket accept IPv4 connections as well. ssl and
        # http2 are socket-level options and therefore also apply to other
        # server blocks that listen on this address:port.
        listen [<<IP>>]:443 default_server ipv6only=off ssl http2;

        # NOTE(review): the handshake still completes with the <<HOST>>
        # certificate, so a client connecting by bare IP learns the hostname
        # from the certificate before receiving the 404. Where the nginx
        # version supports it, "ssl_reject_handshake on;" refuses unmatched
        # names without presenting a certificate (it also rejects clients that
        # send no SNI) - confirm version and client behaviour before changing.
        ssl_certificate             /etc/nginx/certs/<<HOST>>.crt;
        ssl_certificate_key         /etc/nginx/certs/<<HOST>>.key;
        # One 32 MB session cache named "SSL", shared between workers and with
        # any other server block that references the same cache name.
        ssl_session_cache           shared:SSL:32m;
        # Sessions stay resumable for 24h. NOTE(review): ssl_session_tickets is
        # not set here, so the nginx default applies; a long resumption window
        # weakens forward secrecy if cache contents or ticket keys leak -
        # confirm this trade-off is intended.
        ssl_session_timeout         24h;
        ssl_protocols               TLSv1.2 TLSv1.3;
        # ECDHE key exchange with AES-GCM only. This list governs TLS 1.2;
        # TLS 1.3 cipher suites are not selected by ssl_ciphers.
        ssl_ciphers                 EECDH+AESGCM;
        ssl_ecdh_curve              X25519:prime256v1;
        ssl_prefer_server_ciphers   on;

        return 404;
}

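# Vhost for the tirole internal API: terminates TLS for <<HOST>> and
# <<SECONDARY_HOST>> on [<<IP>>]:443, also accepts plain HTTP on loopback, and
# proxies everything to the tirole_internal upstream.
# NOTE(review): there is no allow/deny or auth_* directive in this block, so
# every request that reaches it is forwarded. Access control presumably lives
# in the backend or at the network layer - confirm.
server {
        # ssl/http2 are stated explicitly so that TLS on this vhost does not
        # depend on another server block declaring them for the shared socket.
        # Without them this line only worked because the catch-all block sets
        # the same options on [<<IP>>]:443.
        listen [<<IP>>]:443 ssl http2;
        # Plain-HTTP listeners bound to loopback only. No other server block in
        # this file listens on these sockets, which would make this block their
        # default, so any Host value sent by a local client is accepted and
        # forwarded as $host - verify against the rest of the configuration.
        listen 127.0.0.1:80;
        listen [::1]:80;

        server_name <<HOST>> <<SECONDARY_HOST>>;

        # TLS settings mirror the catch-all block on the same socket.
        # NOTE(review): the certificate path is derived from <<HOST>> only;
        # confirm it also covers <<SECONDARY_HOST>>.
        ssl_certificate             /etc/nginx/certs/<<HOST>>.crt;
        ssl_certificate_key         /etc/nginx/certs/<<HOST>>.key;
        # Same cache name as the catch-all block, so both share one cache.
        ssl_session_cache           shared:SSL:32m;
        # Sessions stay resumable for 24h. NOTE(review): ssl_session_tickets is
        # not set, so the nginx default applies; confirm the long resumption
        # window is an accepted forward-secrecy trade-off.
        ssl_session_timeout         24h;
        ssl_protocols               TLSv1.2 TLSv1.3;
        # ECDHE + AES-GCM only. This governs TLS 1.2; TLS 1.3 suites are not
        # selected by ssl_ciphers.
        ssl_ciphers                 EECDH+AESGCM;
        ssl_ecdh_curve              X25519:prime256v1;
        ssl_prefer_server_ciphers   on;

        access_log /var/log/nginx/tirole-internal-api.access.log tirole_internal;
        error_log  /var/log/nginx/tirole-internal-api.error.log;

        location / {
                proxy_pass                       http://tirole_internal;
                # HTTP/1.1 plus an empty Connection header are what allow the
                # upstream keepalive pool to be used.
                proxy_http_version               1.1;
                proxy_set_header Connection      "";
                proxy_set_header Host            $host;
                # X-Real-IP is the TCP peer address seen by nginx and
                # overwrites anything the client sent under that name.
                proxy_set_header X-Real-IP       $remote_addr;
                # $proxy_add_x_forwarded_for appends $remote_addr to whatever
                # X-Forwarded-For the client supplied, so every entry except
                # the last is attacker-controlled. The backend should rely on
                # X-Real-IP (or only the final X-Forwarded-For entry) for
                # access decisions, rate limiting and audit logging.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                # Forwarded so backend log lines can be joined with this
                # vhost's access log, which records $request_id.
                proxy_set_header X-Request-Id    $request_id;
        }
}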
