server {
    listen *:443 ssl;
    listen [::]:443 ssl;

    ssl_certificate         /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem;

    server_name {{ tpl .Values.fqdn . }};

    root /usr/share/nginx/html;

    client_max_body_size 0;

    try_files $uri/index.html $uri.html $uri @sunstone;

    location ~* \.(ico|css|js|gif|jpe?g|png)(\?[0-9]+)?$ {
        expires 1y;

        # Need to enable proxying in this location as well
        try_files $uri @sunstone;
    }

    # Rails error pages
    error_page 500 502 503 504 /500.html;

    location @sunstone {
        proxy_pass http://localhost:9869;

        # Forward original host name to be seen in unicorn
        proxy_set_header Host $host;

        # Server name and address like being available in PHP
        proxy_set_header SERVER_NAME $server_name;
        proxy_set_header SERVER_ADDR $server_addr;

        # Forward client ip address to rack/rails so logging
        proxy_set_header X-Forwarded-For $remote_addr;

        # Tell rack if it is http or https
        # https://github.com/intridea/omniauth/blob/master/lib/omniauth/strategy.rb#L483
        # http://nginx.org/en/docs/http/ngx_http_core_module.html#variables
        # $https was introduced in 1.1.11 - we are using 0.7.67-3+squeeze3
        # so we cannot use
        #   proxy_set_header HTTPS $https;
        # but have to forward the scheme like this
        proxy_set_header X_FORWARDED_SCHEME $scheme;

        # Some applications seem to use X_FORWARDED_SCHEME while others need
        # X_FORWARDED_PROTO, so we set X_FORWARDED_PROTO too
        proxy_set_header X_FORWARDED_PROTO $scheme;

    }
}