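{{ ansible_managed | comment }}

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    #worker_processes auto; # <- default is 1
}

http {
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;

    # Do not advertise the nginx version in the Server header or error pages.
    server_tokens off;
    server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and have been dropped from
    # the original list; only TLSv1.2 and TLSv1.3 are offered.
    # SSLv3 was dropped earlier, ref: POODLE.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    gzip off; # compression and crypto don't mix

    # include /etc/nginx/conf.d/*.conf; # Ansible
    include /etc/nginx/sites-enabled/*;
}

stream {
    include /etc/nginx/stream_rp.conf;

    # Proxy request from the back end address
    # Routing key is the SNI name read from the ClientHello (ssl_preread),
    # so TLS is not terminated here. Only the two names listed below are
    # forwarded outward; any other SNI value, or none, falls through to the
    # local self-back listener, so a client cannot select an arbitrary
    # forwarding destination via SNI.
    map $ssl_preread_server_name $name_from_back {
        acme-v02.api.letsencrypt.org acme;
        r3.o.lencr.org r3;
        default self-back;
    }

    # NOTE(review): upstream hostnames are resolved when the configuration is
    # loaded, so a DNS change for these hosts needs a reload — confirm against
    # the nginx build in use.
    upstream acme {
        server acme-v02.api.letsencrypt.org:443;
    }
    upstream r3 {
        server r3.o.lencr.org:443;
    }
    upstream self-back {
        server 127.0.0.1:9443;
    }

    server {
        listen 192.168.10.1:443;
        proxy_pass $name_from_back;
        ssl_preread on;
    }
}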