server {
  listen 443 ssl;
  ssl_certificate /etc/${SSL_TYPE}/live/${CNAME}/fullchain.pem;
  ssl_certificate_key /etc/${SSL_TYPE}/live/${CNAME}/privkey.pem;
  ssl_trusted_certificate /etc/${SSL_TYPE}/live/${CNAME}/fullchain.pem;

  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
  ssl_prefer_server_ciphers on;
  ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
  ssl_dhparam /etc/dh/nginx.pem;

  server_tokens off;
  add_header Strict-Transport-Security "max-age=31536000";
  add_header X-Content-Type-Options nosniff;

  client_max_body_size 100m;

  gzip on;
  gzip_vary on;
  gzip_min_length 1280;
  gzip_http_version 1.1;
  gzip_types text/plain text/css application/json application/x-javascript text/xml text/csv;

  location /- {
    proxy_pass http://enketo:8005/-;
    proxy_redirect off;
    proxy_set_header Host $host;
  }

  location ~ ^/v\d {
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://service:8383;
    proxy_redirect off;

    # set up request-body gzip decompression:
    set $max_chunk_size 16384;    # ~16KB
    set $max_body_size 134217728; # ~128MB
    rewrite_by_lua_file inflate_body.lua;

    # buffer requests, but not responses, so streaming out works.
    proxy_request_buffering on;
    proxy_buffering off;
    proxy_read_timeout 2m;
  }

  location / {
    root /usr/share/nginx/html;
  }
}