server {
<% if fetch(:nginx_use_ssl) -%>
    <% fetch(:nginx_server_ssl_ports).each do |port| -%>
      listen <%= port %> <%= 'http2' if fetch(:nginx_use_http2)-%>;
    <% end -%>
    ssl on;
    ssl_certificate <%= nginx_ssl_cert_file %>;
    ssl_certificate_key <%= nginx_ssl_cert_key_file %>;
    <% if fetch(:nginx_use_client_ssl) -%>
    <% if fetch(:nginx_ssl_client_ca) -%>
    ssl_trusted_certificate <%= nginx_ssl_client_ca %>;
    <% end -%>
    ssl_verify_client optional_no_ca;
    <% end -%>

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_dhparam <%= nginx_dh_params_file %>;
<% else -%>
    listen <%= fetch(:nginx_server_port) %>;
<% end -%>

  server_tokens off;

  add_header X-Content-Type-Options nosniff;

    client_max_body_size 4G;
    keepalive_timeout 10;

    error_page 500 502 504 /500.html;
    error_page 503 @503;

    server_name <%= fetch(:nginx_server_name) %>;
    root <%= current_path %>/public;
    try_files $uri/index.html $uri @unicorn_<%= fetch(:nginx_config_name) %>;

    location @unicorn_<%= fetch(:nginx_config_name) %> {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        <% if fetch(:nginx_read_timeout) -%>
        proxy_read_timeout <%= fetch(:nginx_read_timeout) %>;
        <% end -%>
        <% if fetch(:nginx_use_ssl) -%>
        proxy_set_header X-Forwarded-Proto https;
        <% end -%>
        <% if fetch(:nginx_use_client_ssl) -%>
        proxy_set_header X-Client-Dn $ssl_client_s_dn;
        proxy_set_header X-Client-Serial $ssl_client_serial;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-Cert $ssl_client_cert;
        <% end -%>

        proxy_pass http://unicorn_<%= fetch(:nginx_config_name) %>;
        # limit_req zone=one;
        access_log <%= nginx_access_log_file %>;
        error_log <%= nginx_error_log_file %>;
    }

    location ^~ /assets/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
    }

    location = /50x.html {
        root html;
    }

    location = /404.html {
        root html;
    }

    location @503 {
        error_page 405 = /system/maintenance.html;
        if (-f $document_root/system/maintenance.html) {
            rewrite ^(.*)$ /system/maintenance.html break;
        }
        rewrite ^(.*)$ /503.html break;
    }

    if ($request_method !~ ^(GET|HEAD|PUT|PATCH|POST|DELETE|OPTIONS)$ ){
        return 405;
    }

    if (-f $document_root/system/maintenance.html) {
        return 503;
    }
}