tambakoo/nginx-config.txt

## nginx-config.txt
user                            nginx;
worker_processes                {{ workers }};
error_log                       {{ deploy_to }}/shared/log/nginx_error.log;
{% if dynamic_modules == true %}
include                         modules-enabled/*.conf;
{% endif %}

events {
    worker_connections          1024;
    {% if passenger != true %}
    accept_mutex                off;
    {% endif %}
}

http {
    gzip                        on;
    gzip_min_length             100;
    gzip_proxied                expired no-cache no-store private auth;
    gzip_types                  text/plain application/xml text/css application/x-javascript text/javascript application/javascript;
    gzip_disable                "MSIE [1-6]\.";

    add_header                  X-Powered-By      cloud66;

    {% if supports_realip_module == true %}
    {% for load_balancer_address in load_balancer_addresses %}
    set_real_ip_from {{ load_balancer_address }};
    {% endfor %}
    real_ip_header X-Forwarded-For;
    {% endif %}

    {% if passenger != true %}
    tcp_nopush                  on;
    tcp_nodelay                 off;
    {% else %}
    passenger_root              {{ passenger_location }};
    passenger_friendly_error_pages off;
    {% if passenger_enterprise == true %}
    passenger_rolling_restarts  on;
    {% endif %}
    {% if use_ruby_shell == true %}
    passenger_ruby              {{ ruby_shell }};
    {% endif %}
    passenger_user              nginx;
    passenger_pool_idle_time    0;
    passenger_max_pool_size     {{ passenger_pool_max }};
    {% endif %}
    ssl_session_cache           shared:SSL:10m;
    ssl_session_timeout         10m;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;

    underscores_in_headers      on;
    {% if passenger != true %}
    types_hash_max_size         2048;
    {% endif %}
    include                     mime.types;
    default_type                application/octet-stream;

    client_max_body_size        250m;

    sendfile                    on;
    server_tokens               off;

    {% if cloud_type == "googlecloud" %}
    # ref: https://cloud.google.com/load-balancing/docs/https/#timeouts_and_retries
    keepalive_timeout           620;
    {% else %}
    keepalive_timeout           75;
    {% endif %}

    {% if passenger != true %}
    upstream socket_server {
        server unix:/tmp/web_server.sock fail_timeout=0;
        {% if ports != empty %}
        {% for port in ports %}
        server localhost:{{ port }} fail_timeout=0;
        {% endfor %}
        {% endif %}
    }
    {% endif %}

    {% if websocket_support == true %}
    map $http_upgrade $connection_upgrade {
        default Upgrade;
        '' close;
    }
    {% endif %}

    {% if cors_enabled == true %}
    # Cross domain resource
    map $http_origin $cors_return_origin {
        {% if cors_all_origins %}
        default "$http_origin";
        {% else %}
        default "";
        {% for allowed_origin in cors_origins %}
        {{ allowed_origin }} "$http_origin";
        {% endfor # allowed_origin in cors_origins %}
        {% endif # cors_all_origins %}
    }
    {% endif # cors_enabled == true %}

    server {
        listen                  80 default_server;

        {% for ip in blacklist %}
        deny {{ ip }};
        {% endfor %}

        location /.well-known/acme-challenge/ {
            {% if letsencrypt_primary_address == empty %}
            # serve letsencrypt requests from here
            alias /etc/cloud66/webroot/;
            try_files $uri =404;
            {% else %}
            # serve letsencrypt request from another host
            proxy_pass  http://{{ letsencrypt_primary_address }};
            {% endif %}
        }

        {% if red_http_to_https == true %}
        {% if has_load_balancer %}
        set $http_rewrite 0;
        if ($http_x_forwarded_proto = "http") {
            set $http_rewrite 1;
        }
        if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
            set $http_rewrite 0;
        }
        if ($http_rewrite = 1) {
            rewrite ^(.*) https://$host$1 permanent;
        }
        {% else %}
        if ($request_uri !~ ^/.well-known/acme-challenge/.*$) {
            rewrite ^(.*) https://$host$1 permanent;
        }
        {% endif %}
        {% endif %}

        {% if red_www == 0 %}
        server_name             _;
        {% endif %}
        {% if red_www == 2 %}
        set $www_rewrite 0;
        if ($http_host ~ ^(?!www\.)(.*)) {
            set $www_rewrite 1;
            set $www_host $1;
        }
        if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
            set $www_rewrite 0;
        }
        if ($www_rewrite = 1) {
            return 301 $scheme://www.$www_host$request_uri;
        }
        {% endif %}
        {% if red_www == 1 %}
        set $www_rewrite 0;
        if ($http_host ~ ^www\.(.*)$) {
            set $www_rewrite 1;
            set $www_host $1;
        }
        if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
            set $www_rewrite 0;
        }
        if ($www_rewrite = 1) {
            return 301 $scheme://$www_host$request_uri;
        }
        {% endif %}

        {% if passenger == true %}
        rails_env               {{ environment }};
        passenger_enabled       on;
        {% endif %}
        root                    {{ deploy_to }}/current/public;

        client_max_body_size    250m;
        # redirect to 503 if maintenance page present
        if (-f $document_root/cloud66_maintenance.html) {
            return 503;
        }

        # redirect on errors
        error_page              500 502 504 /50x.html;

        # handle error redirect
        location = /50x.html {
            proxy_pass http://placeholders.cloud66.com/nginx/50x.html;
        }

        error_page              503 @maintenance;

        location @maintenance {
            error_page 405 = /cloud66_maintenance.html;
            if (-f $document_root/cloud66_maintenance.html) {
                rewrite ^(.*)$ /cloud66_maintenance.html break;
            }
            rewrite ^(.*)$ /503.html break;
        }

        {% if cors_enabled == true %}
        # Cross domain resource
        add_header 'Access-Control-Allow-Origin' "$cors_return_origin" always;
        add_header 'Access-Control-Allow-Methods' '{{ cors_methods }}' always;
        {% if cors_headers == blank %}
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
        {% else %}
        add_header 'Access-Control-Allow-Headers' '{{ cors_headers }}' always;
        {% endif # cors_headers == blank %}
        add_header 'Access-Control-Allow-Credentials' '{{ cors_credentials }}' always;
        if ($request_method = 'OPTIONS') {
            set $is_preflight "1";
        }
        if ($http_access_control_request_method) {
            set $is_preflight "${is_preflight}1";
        }
        if ($is_preflight = "11") {
            return 204;
        }
        {% endif # cors_enabled == true %}

        {% if passenger == true %}
        try_files $uri /cloud66_maintenance.html @passenger;
        location @passenger {
            passenger_enabled           on;
            passenger_min_instances     5;
            {% if passenger_supports_cgi_param == true %}
            passenger_set_cgi_param     HTTP_X_FORWARDED_PROTO $scheme;
            {% endif %}
        }
        {% if passenger_action_cable %}
        location /cable {
            passenger_app_group_name {{ app_name }}_action_cable;
            passenger_force_max_concurrent_requests_per_process 0;
        }
        {% endif %}
        {% else %}
        location / {
            {% if websocket_support == true %}
            # Next three lines enable websocket support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            {% endif %}
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Host $http_host;
            proxy_redirect          off;

            if (!-f $request_filename) {
                proxy_pass  http://socket_server;
                break;
            }
        }
        {% endif %}
        location ~ \.php$ {
            deny  all;
        }
        location /status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            deny all;
        }
    }

    server {
       listen   8559;
       location /status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            deny all;
        }
    }

    {% if allow_ssl == true %}
    server {
        listen                    443;
        ssl                       on;
        ssl_ciphers               'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        ssl_dhparam               /etc/ssl/private/dhparams.pem;
        ssl_certificate_key       /etc/ssl/localcerts/{{ ssl_certificate_filename }}.key;
        ssl_certificate           /etc/ssl/localcerts/{{ ssl_certificate_filename }}.crt;

        {% for ip in blacklist %}
        deny {{ ip }};
        {% endfor %}

        {% if red_www == 0 %}
        server_name             {{ ssl_certificate_servernames }};
        {% endif %}
        {% if red_www == 2 %}
        if ($http_host ~ ^(?!www\.)(.*)) {
            return 301 $scheme://www.$1$request_uri;
        }
        {% endif %}
        {% if red_www == 1 %}
        if ($http_host ~ ^www\.(.*)$) {
            return 301 $scheme://$1$request_uri;
        }
        {% endif %}

        client_max_body_size    250m;
        {% if passenger == true %}
        rails_env               {{ environment }};
        {% endif %}
        root                    {{ deploy_to }}/current/public;

        # redirect to 503 if maintenance page present
        if (-f $document_root/cloud66_maintenance.html) {
            return 503;
        }

        # redirect on errors
        error_page              500 502 504 /50x.html;

        # handle error redirect
        location = /50x.html {
            proxy_pass http://placeholders.cloud66.com/nginx/50x.html;
        }

        error_page              503 @maintenance;

        location @maintenance {
            error_page 405 = /cloud66_maintenance.html;
            if (-f $document_root/cloud66_maintenance.html) {
                rewrite ^(.*)$ /cloud66_maintenance.html break;
            }
            rewrite ^(.*)$ /503.html break;
        }

        {% if cors_enabled == true %}
        # Cross domain resource
        add_header 'Access-Control-Allow-Origin' "$cors_return_origin" always;
        add_header 'Access-Control-Allow-Methods' '{{ cors_methods }}' always;
        {% if cors_headers == blank %}
        add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
        {% else %}
        add_header 'Access-Control-Allow-Headers' '{{ cors_headers }}' always;
        {% endif # cors_headers == blank %}
        add_header 'Access-Control-Allow-Credentials' '{{ cors_credentials }}' always;
        if ($request_method = 'OPTIONS') {
            set $is_preflight "1";
        }
        if ($http_access_control_request_method) {
            set $is_preflight "${is_preflight}1";
        }
        if ($is_preflight = "11") {
            return 204;
        }
        {% endif # cors_enabled == true %}

        {% if passenger == true %}
        try_files $uri /cloud66_maintenance.html @passenger;
        location @passenger {
            passenger_enabled           on;
            passenger_min_instances     5;
            {% if passenger_supports_cgi_param == true %}
            passenger_set_cgi_param     HTTP_X_FORWARDED_PROTO $scheme;
            {% endif %}
        }
        {% else %}
        location / {
            {% if websocket_support == true %}
            # Next three lines enable websocket support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            {% endif %}
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Host $http_host;
            proxy_set_header        X-Forwarded-Proto https;
            proxy_redirect          off;

            if (!-f $request_filename) {
                proxy_pass  http://socket_server;
                break;
            }
        }
        {% endif %}
        location ~ \.php$ {
            deny  all;
        }
    }
    {% endif %}
}
	user nginx;
	worker_processes {{ workers }};
	error_log {{ deploy_to }}/shared/log/nginx_error.log;
	{% if dynamic_modules == true %}
	include modules-enabled/*.conf;
	{% endif %}

	events {
	worker_connections 1024;
	{% if passenger != true %}
	accept_mutex off;
	{% endif %}
	}

	http {
	gzip on;
	gzip_min_length 100;
	gzip_proxied expired no-cache no-store private auth;
	gzip_types text/plain application/xml text/css application/x-javascript text/javascript application/javascript;
	gzip_disable "MSIE [1-6]\.";

	add_header X-Powered-By cloud66;

	{% if supports_realip_module == true %}
	{% for load_balancer_address in load_balancer_addresses %}
	set_real_ip_from {{ load_balancer_address }};
	{% endfor %}
	real_ip_header X-Forwarded-For;
	{% endif %}

	{% if passenger != true %}
	tcp_nopush on;
	tcp_nodelay off;
	{% else %}
	passenger_root {{ passenger_location }};
	passenger_friendly_error_pages off;
	{% if passenger_enterprise == true %}
	passenger_rolling_restarts on;
	{% endif %}
	{% if use_ruby_shell == true %}
	passenger_ruby {{ ruby_shell }};
	{% endif %}
	passenger_user nginx;
	passenger_pool_idle_time 0;
	passenger_max_pool_size {{ passenger_pool_max }};
	{% endif %}
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	underscores_in_headers on;
	{% if passenger != true %}
	types_hash_max_size 2048;
	{% endif %}
	include mime.types;
	default_type application/octet-stream;

	client_max_body_size 250m;

	sendfile on;
	server_tokens off;

	{% if cloud_type == "googlecloud" %}
	# ref: https://cloud.google.com/load-balancing/docs/https/#timeouts_and_retries
	keepalive_timeout 620;
	{% else %}
	keepalive_timeout 75;
	{% endif %}

	{% if passenger != true %}
	upstream socket_server {
	server unix:/tmp/web_server.sock fail_timeout=0;
	{% if ports != empty %}
	{% for port in ports %}
	server localhost:{{ port }} fail_timeout=0;
	{% endfor %}
	{% endif %}
	}
	{% endif %}

	{% if websocket_support == true %}
	map $http_upgrade $connection_upgrade {
	default Upgrade;
	'' close;
	}
	{% endif %}

	{% if cors_enabled == true %}
	# Cross domain resource
	map $http_origin $cors_return_origin {
	{% if cors_all_origins %}
	default "$http_origin";
	{% else %}
	default "";
	{% for allowed_origin in cors_origins %}
	{{ allowed_origin }} "$http_origin";
	{% endfor # allowed_origin in cors_origins %}
	{% endif # cors_all_origins %}
	}
	{% endif # cors_enabled == true %}

	server {
	listen 80 default_server;

	{% for ip in blacklist %}
	deny {{ ip }};
	{% endfor %}

	location /.well-known/acme-challenge/ {
	{% if letsencrypt_primary_address == empty %}
	# serve letsencrypt requests from here
	alias /etc/cloud66/webroot/;
	try_files $uri =404;
	{% else %}
	# serve letsencrypt request from another host
	proxy_pass http://{{ letsencrypt_primary_address }};
	{% endif %}
	}

	{% if red_http_to_https == true %}
	{% if has_load_balancer %}
	set $http_rewrite 0;
	if ($http_x_forwarded_proto = "http") {
	set $http_rewrite 1;
	}
	if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
	set $http_rewrite 0;
	}
	if ($http_rewrite = 1) {
	rewrite ^(.*) https://$host$1 permanent;
	}
	{% else %}
	if ($request_uri !~ ^/.well-known/acme-challenge/.*$) {
	rewrite ^(.*) https://$host$1 permanent;
	}
	{% endif %}
	{% endif %}

	{% if red_www == 0 %}
	server_name _;
	{% endif %}
	{% if red_www == 2 %}
	set $www_rewrite 0;
	if ($http_host ~ ^(?!www\.)(.*)) {
	set $www_rewrite 1;
	set $www_host $1;
	}
	if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
	set $www_rewrite 0;
	}
	if ($www_rewrite = 1) {
	return 301 $scheme://www.$www_host$request_uri;
	}
	{% endif %}
	{% if red_www == 1 %}
	set $www_rewrite 0;
	if ($http_host ~ ^www\.(.*)$) {
	set $www_rewrite 1;
	set $www_host $1;
	}
	if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
	set $www_rewrite 0;
	}
	if ($www_rewrite = 1) {
	return 301 $scheme://$www_host$request_uri;
	}
	{% endif %}

	{% if passenger == true %}
	rails_env {{ environment }};
	passenger_enabled on;
	{% endif %}
	root {{ deploy_to }}/current/public;

	client_max_body_size 250m;
	# redirect to 503 if maintenance page present
	if (-f $document_root/cloud66_maintenance.html) {
	return 503;
	}

	# redirect on errors
	error_page 500 502 504 /50x.html;

	# handle error redirect
	location = /50x.html {
	proxy_pass http://placeholders.cloud66.com/nginx/50x.html;
	}

	error_page 503 @maintenance;

	location @maintenance {
	error_page 405 = /cloud66_maintenance.html;
	if (-f $document_root/cloud66_maintenance.html) {
	rewrite ^(.*)$ /cloud66_maintenance.html break;
	}
	rewrite ^(.*)$ /503.html break;
	}

	{% if cors_enabled == true %}
	# Cross domain resource
	add_header 'Access-Control-Allow-Origin' "$cors_return_origin" always;
	add_header 'Access-Control-Allow-Methods' '{{ cors_methods }}' always;
	{% if cors_headers == blank %}
	add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
	{% else %}
	add_header 'Access-Control-Allow-Headers' '{{ cors_headers }}' always;
	{% endif # cors_headers == blank %}
	add_header 'Access-Control-Allow-Credentials' '{{ cors_credentials }}' always;
	if ($request_method = 'OPTIONS') {
	set $is_preflight "1";
	}
	if ($http_access_control_request_method) {
	set $is_preflight "${is_preflight}1";
	}
	if ($is_preflight = "11") {
	return 204;
	}
	{% endif # cors_enabled == true %}

	{% if passenger == true %}
	try_files $uri /cloud66_maintenance.html @passenger;
	location @passenger {
	passenger_enabled on;
	passenger_min_instances 5;
	{% if passenger_supports_cgi_param == true %}
	passenger_set_cgi_param HTTP_X_FORWARDED_PROTO $scheme;
	{% endif %}
	}
	{% if passenger_action_cable %}
	location /cable {
	passenger_app_group_name {{ app_name }}_action_cable;
	passenger_force_max_concurrent_requests_per_process 0;
	}
	{% endif %}
	{% else %}
	location / {
	{% if websocket_support == true %}
	# Next three lines enable websocket support
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $connection_upgrade;
	{% endif %}
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_redirect off;

	if (!-f $request_filename) {
	proxy_pass http://socket_server;
	break;
	}
	}
	{% endif %}
	location ~ \.php$ {
	deny all;
	}
	location /status {
	stub_status on;
	access_log off;
	allow 127.0.0.1;
	deny all;
	}
	}

	server {
	listen 8559;
	location /status {
	stub_status on;
	access_log off;
	allow 127.0.0.1;
	deny all;
	}
	}

	{% if allow_ssl == true %}
	server {
	listen 443;
	ssl on;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/ssl/private/dhparams.pem;
	ssl_certificate_key /etc/ssl/localcerts/{{ ssl_certificate_filename }}.key;
	ssl_certificate /etc/ssl/localcerts/{{ ssl_certificate_filename }}.crt;

	{% for ip in blacklist %}
	deny {{ ip }};
	{% endfor %}

	{% if red_www == 0 %}
	server_name {{ ssl_certificate_servernames }};
	{% endif %}
	{% if red_www == 2 %}
	if ($http_host ~ ^(?!www\.)(.*)) {
	return 301 $scheme://www.$1$request_uri;
	}
	{% endif %}
	{% if red_www == 1 %}
	if ($http_host ~ ^www\.(.*)$) {
	return 301 $scheme://$1$request_uri;
	}
	{% endif %}

	client_max_body_size 250m;
	{% if passenger == true %}
	rails_env {{ environment }};
	{% endif %}
	root {{ deploy_to }}/current/public;

	# redirect to 503 if maintenance page present
	if (-f $document_root/cloud66_maintenance.html) {
	return 503;
	}

	# redirect on errors
	error_page 500 502 504 /50x.html;

	# handle error redirect
	location = /50x.html {
	proxy_pass http://placeholders.cloud66.com/nginx/50x.html;
	}

	error_page 503 @maintenance;

	location @maintenance {
	error_page 405 = /cloud66_maintenance.html;
	if (-f $document_root/cloud66_maintenance.html) {
	rewrite ^(.*)$ /cloud66_maintenance.html break;
	}
	rewrite ^(.*)$ /503.html break;
	}

	{% if cors_enabled == true %}
	# Cross domain resource
	add_header 'Access-Control-Allow-Origin' "$cors_return_origin" always;
	add_header 'Access-Control-Allow-Methods' '{{ cors_methods }}' always;
	{% if cors_headers == blank %}
	add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type' always;
	{% else %}
	add_header 'Access-Control-Allow-Headers' '{{ cors_headers }}' always;
	{% endif # cors_headers == blank %}
	add_header 'Access-Control-Allow-Credentials' '{{ cors_credentials }}' always;
	if ($request_method = 'OPTIONS') {
	set $is_preflight "1";
	}
	if ($http_access_control_request_method) {
	set $is_preflight "${is_preflight}1";
	}
	if ($is_preflight = "11") {
	return 204;
	}
	{% endif # cors_enabled == true %}

	{% if passenger == true %}
	try_files $uri /cloud66_maintenance.html @passenger;
	location @passenger {
	passenger_enabled on;
	passenger_min_instances 5;
	{% if passenger_supports_cgi_param == true %}
	passenger_set_cgi_param HTTP_X_FORWARDED_PROTO $scheme;
	{% endif %}
	}
	{% else %}
	location / {
	{% if websocket_support == true %}
	# Next three lines enable websocket support
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $connection_upgrade;
	{% endif %}
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Proto https;
	proxy_redirect off;

	if (!-f $request_filename) {
	proxy_pass http://socket_server;
	break;
	}
	}
	{% endif %}
	location ~ \.php$ {
	deny all;
	}
	}
	{% endif %}
	}