infra_public/roles/stable/nginx/templates/reverse_proxy.conf.j2

server {
  listen 80;
  listen [::]:80;
  listen 443 ssl http2;
  server_name {{item.server_name}};

  keepalive_timeout 200;
  {{item.custom_config | default('') | indent(2)}}

  {% if with_ssl %}

  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:50m;
  ssl_session_tickets off;
  ssl_certificate /etc/nginx/certs/ada/ada.crt;
  ssl_certificate_key /etc/nginx/certs/ada/ada.key;
  {% endif %}

  location / {
    proxy_pass {{item.proxy_pass}};

    # set host
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   42.42.42.42;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Forwarded-Port  $server_port;

    # websocket proxy
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    # compression
    gzip on;
    gzip_types      text/plain application/xml application/json;
    gzip_proxied    no-cache no-store private expired auth;
    gzip_min_length 1000;

    # cache
    proxy_cache STATIC;
  }
}