server {
  listen 80;
  listen [::]:80;

  server_name {{ item.domain }};

  return 301 https://$host$request_uri;
}

server {
  listen 443 ssl;
  listen [::]:443 ssl;

  server_name {{ item.domain }};

  ssl_certificate     {{ item.cert }};
  ssl_certificate_key {{ item.key }};

  include {{ item.ssl_conf }};

  ssl_verify_client optional;
  ssl_client_certificate {{ item.clnt_ca }};

  proxy_cache_bypass $http_upgrade;
  proxy_http_version 1.1;
  proxy_redirect     off;

  proxy_set_header Connection        "upgrade";
  proxy_set_header HOST              $host;
  proxy_set_header Upgrade           $http_upgrade;
  proxy_set_header X-Forwarded-For   $remote_addr;
  proxy_set_header X-Forwarded-Host  $host;
  proxy_set_header X-Forwarded-Port  $server_port;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Real-IP         $remote_addr;

  location / {
    recursive_error_pages on;

    error_page 418 = @no_crt;
    error_page 419 = @with_crt;

    if ($ssl_client_verify != SUCCESS) {
      return 418;
    }

    if ($ssl_client_verify = SUCCESS) {
      return 419;
    }
  }

  location @no_crt {
    proxy_pass https://{{ item.no_crt }};
  }

  location @with_crt {
    proxy_pass https://{{ item.with_crt }};
  }
}