server {
    server_name {{ ([dns_name] + tls_domains|default([])) | join(" ") }};

    listen [::]:443 ssl ipv6only=off;
    ssl_certificate /etc/letsencrypt/live/{{ dns_name }}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{ dns_name }}/privkey.pem;

    error_page 500 501 502 503 504 505 506 507 508 510 511 /error/;

    location / {
        proxy_pass {{ proxy_pass }};
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;

        proxy_connect_timeout 30s;
        proxy_max_temp_file_size 0;

        # TODO maybe
        #proxy_ssl_verify on;
        #proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }

    location /error/ {
        root /srv/http;
        try_files $uri $uri/index.html =503;
    }
}