listen 0.0.0.0:{{ HTTPS_PORT }} ssl {% if HTTP2 == "yes" %}http2{% endif %};
{% set paths = {"cert": "", "key": ""} %}
{% if AUTO_LETS_ENCRYPT == "yes" %}
	{% set x = paths.update({"cert": "/etc/letsencrypt/live/" + FIRST_SERVER + "/fullchain.pem"}) %}
	{% set x = paths.update({"key": "/etc/letsencrypt/live/" + FIRST_SERVER + "/privkey.pem"}) %}
{% elif USE_CUSTOM_HTTPS == "yes" %}
	{% set x = paths.update({"cert": CUSTOM_HTTPS_CERT}) %}
	{% set x = paths.update({"key": CUSTOM_HTTPS_KEY}) %}
{% elif GENERATE_SELF_SIGNED_HTTPS == "yes" %}
	{% if MULTISITE == "yes" %}
		{% set x = paths.update({"cert": "/etc/nginx/" + FIRST_SERVER + "/self-cert.pem"}) %}
		{% set x = paths.update({"key": "/etc/nginx/" + FIRST_SERVER + "/self-key.pem"}) %}
	{% else %}
		{% set x = paths.update({"cert": "/etc/nginx/self-cert.pem"}) %}
		{% set x = paths.update({"key": "/etc/nginx/self-key.pem"}) %}
	{% endif %}
{% endif %}
ssl_certificate {{ paths["cert"] }};
ssl_certificate_key {{ paths["key"] }};
ssl_protocols {{ HTTPS_PROTOCOLS }};
ssl_prefer_server_ciphers on;
ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
{% if STRICT_TRANSPORT_SECURITY != "" %}
more_set_headers 'Strict-Transport-Security: {{ STRICT_TRANSPORT_SECURITY }}';
{% endif %}
{% if "TLSv1.2" in HTTPS_PROTOCOLS %}
ssl_dhparam /etc/nginx/dhparam;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
{% endif %}
{% if AUTO_LETS_ENCRYPT %}
include {{ NGINX_PREFIX }}lets-encrypt-webroot.conf;
{% endif %}