first

.dockerignore

+# compiled output
+/dist
+/node_modules
+
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# OS
+.DS_Store
+
+# Tests
+/coverage
+/.nyc_output
+
+# IDEs and editors
+/.idea
+.project
+.classpath
+.c9/
+*.launch
+.settings/
+*.sublime-workspace
+
+# IDE - VSCode
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+
+/data
+/output
+/config.yaml
+
+.git*
+Dockerfile
+.dockerignore
+/tests

.eslintignore

+webpack.config.js
+dist/*
+build/*
+*.js

.eslintrc.js

+module.exports = {
+  parser: '@typescript-eslint/parser',
+  parserOptions: {
+    project: 'tsconfig.json',
+    sourceType: 'module',
+  },
+  plugins: ['@typescript-eslint/eslint-plugin'],
+  extends: [
+    'plugin:@typescript-eslint/recommended',
+    'plugin:prettier/recommended',
+  ],
+  root: true,
+  env: {
+    node: true,
+    jest: true,
+  },
+  ignorePatterns: ['.eslintrc.js'],
+  rules: {
+    '@typescript-eslint/interface-name-prefix': 'off',
+    '@typescript-eslint/explicit-function-return-type': 'off',
+    '@typescript-eslint/explicit-module-boundary-types': 'off',
+    '@typescript-eslint/no-explicit-any': 'off',
+  },
+};

.gitignore

+# compiled output
+/dist
+/node_modules
+
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+
+# OS
+.DS_Store
+
+# Tests
+/coverage
+/.nyc_output
+
+# IDEs and editors
+/.idea
+.project
+.classpath
+.c9/
+*.launch
+.settings/
+*.sublime-workspace
+
+# IDE - VSCode
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+
+/data
+/output
+/config.yaml

.gitlab-ci.yml

+stages:
+  - build
+  - combine
+  - deploy
+variables:
+  GIT_DEPTH: "1"
+  CONTAINER_TEST_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
+  CONTAINER_TEST_ARM_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-arm
+  CONTAINER_TEST_X86_IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-x86
+  CONTAINER_RELEASE_IMAGE: $CI_REGISTRY_IMAGE:latest
+before_script:
+  - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+build-x86:
+  stage: build
+  tags:
+    - docker
+  script:
+    - TARGET_IMAGE=$CONTAINER_TEST_X86_IMAGE
+    - docker build --pull -t $TARGET_IMAGE .
+    - docker push $TARGET_IMAGE
+build-arm:
+  stage: build
+  tags:
+    - docker-arm
+  script:
+    - TARGET_IMAGE=$CONTAINER_TEST_ARM_IMAGE
+    - docker build --pull -t $TARGET_IMAGE .
+    - docker push $TARGET_IMAGE
+combine:
+  stage: combine
+  tags:
+    - docker
+  script:
+    - TARGET_IMAGE=$CONTAINER_TEST_IMAGE
+    - SOURCE_IMAGE_2=$CONTAINER_TEST_ARM_IMAGE
+    - SOURCE_IMAGE_1=$CONTAINER_TEST_X86_IMAGE
+    - docker pull $SOURCE_IMAGE_1
+    - docker pull $SOURCE_IMAGE_2
+    - docker manifest create $TARGET_IMAGE --amend $SOURCE_IMAGE_1 --amend
+      $SOURCE_IMAGE_2
+    - docker manifest push $TARGET_IMAGE
+deploy_latest:
+  stage: deploy
+  tags:
+    - docker
+  script:
+    - TARGET_IMAGE=$CONTAINER_RELEASE_IMAGE
+    - SOURCE_IMAGE=$CONTAINER_TEST_IMAGE
+    - docker pull $SOURCE_IMAGE
+    - docker tag $SOURCE_IMAGE $TARGET_IMAGE
+    - docker push $TARGET_IMAGE
+  only:
+    - master
+deploy_tag:
+  stage: deploy
+  tags:
+    - docker
+  script:
+    - TARGET_IMAGE=$CI_REGISTRY_IMAGE:$CI_COMMIT_TAG
+    - SOURCE_IMAGE=$CONTAINER_TEST_IMAGE
+    - docker pull $SOURCE_IMAGE
+    - docker tag $SOURCE_IMAGE $TARGET_IMAGE
+    - docker push $TARGET_IMAGE
+  only:
+    - tags

.npmignore

+/install-npm.sh
+.git*
+/data
+/output
+/config.yaml
+.idea
+.dockerignore
+Dockerfile
+/src
+/coverage
+/tests
+/dist/tests

.prettierrc

+{
+  "singleQuote": true,
+  "trailingComma": "all"
+}
\ No newline at end of file

Dockerfile

+FROM node:lts-alpine3.15 as base
+LABEL Author="Nanahira <nanahira@momobako.com>"
+
+WORKDIR /etc/nginx/generator
+COPY ./package*.json ./
+
+FROM base as builder
+RUN npm ci && npm cache clean --force
+COPY . ./
+RUN npm run build
+
+FROM base
+ENV NODE_ENV production
+
+RUN npm ci && npm cache clean --force
+COPY --from=builder /etc/nginx/generator/dist ./dist
+COPY ./views ./views
+
+RUN set -x && \
+    addgroup -g 101 -S nginx && \
+    adduser -S -D -H -u 101 -h /var/cache/nginx -s /sbin/nologin -G nginx -g nginx nginx && \
+    apk add --no-cache wget && \
+    wget -O /etc/apk/keys/nginx_signing.rsa.pub https://cs.nginx.com/static/keys/nginx_signing.rsa.pub && \
+    printf "https://minio.momobako.com/nginx-plus/alpine/v`egrep -o '^[0-9]+\.[0-9]+' /etc/alpine-release`/main\n" | tee -a /etc/apk/repositories && \
+    apk add --no-cache \
+        nginx-plus \
+        nginx-plus-module-auth-spnego \
+        nginx-plus-module-brotli \
+        nginx-plus-module-encrypted-session \
+        nginx-plus-module-fips-check \
+        nginx-plus-module-geoip2 \
+        nginx-plus-module-geoip \
+        nginx-plus-module-headers-more \
+        nginx-plus-module-image-filter \
+        nginx-plus-module-lua \
+        nginx-plus-module-ndk \
+        nginx-plus-module-njs \
+        nginx-plus-module-opentracing \
+        nginx-plus-module-passenger \
+        nginx-plus-module-perl \
+        nginx-plus-module-prometheus \
+        nginx-plus-module-rtmp \
+        nginx-plus-module-set-misc \
+        nginx-plus-module-subs-filter \
+        nginx-plus-module-xslt \
+        curl ca-certificates tzdata \
+    && \
+    ln -sf /dev/stdout /var/log/nginx/access.log && \
+    ln -sf /dev/stderr /var/log/nginx/error.log && \
+    rm -rf /etc/nginx/sites-enabled/* /etc/nginx/conf.d/default.conf /etc/nginx/nginx.conf && \
+    mkdir /etc/nginx/stream /etc/nginx/generated && \
+    openssl dhparam 4096 > /etc/nginx/generated/dhparam.pem && \
+    openssl rand 80 > /etc/nginx/generated/ticket.key
+
+COPY ./views/dummy /usr/lib/nginx-plus/check-subscription
+
+EXPOSE 80 443
+STOPSIGNAL SIGQUIT
+ENTRYPOINT [ "./views/entrypoint.sh" ]
+CMD ["nginx", "-g", "daemon off;"]

LICENSE

+The MIT License (MIT)
+
+Copyright (c) 2021 Nanahira
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

index.ts

+import * as fs from 'fs';
+import Mustache from 'mustache';
+import path from 'path';
+import { getData } from './src/site';
+
+console.log(
+  Mustache.render(
+    fs.readFileSync(
+      path.join(__dirname, '..', 'views', 'nginx.conf.mustache'),
+      'utf8',
+    ),
+    getData(process.env),
+    undefined,
+    { escape: (v) => v },
+  ),
+);

package.json

+{
+  "name": "nginx-proxy",
+  "private": true,
+  "description": "nginx-proxy-desc",
+  "version": "1.0.0",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "lint": "eslint --fix .",
+    "build": "rimraf dist && tsc",
+    "test": "jest --passWithNoTests",
+    "start": "node dist/index.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "https://code.mycard.moe/3rdeye/nginx-proxy.git"
+  },
+  "author": "Nanahira <nanahira@momobako.com>",
+  "license": "MIT",
+  "keywords": [],
+  "bugs": {
+    "url": "https://code.mycard.moe/3rdeye/nginx-proxy/issues"
+  },
+  "homepage": "https://code.mycard.moe/3rdeye/nginx-proxy",
+  "jest": {
+    "moduleFileExtensions": [
+      "js",
+      "json",
+      "ts"
+    ],
+    "rootDir": "tests",
+    "testRegex": ".*\\.spec\\.ts$",
+    "transform": {
+      "^.+\\.(t|j)s$": "ts-jest"
+    },
+    "collectCoverageFrom": [
+      "**/*.(t|j)s"
+    ],
+    "coverageDirectory": "../coverage",
+    "testEnvironment": "node"
+  },
+  "devDependencies": {
+    "@types/jest": "^28.1.6",
+    "@types/mustache": "^4.2.1",
+    "@types/node": "^18.7.3",
+    "@typescript-eslint/eslint-plugin": "^4.33.0",
+    "@typescript-eslint/parser": "^4.33.0",
+    "eslint": "^7.32.0",
+    "eslint-config-prettier": "^8.5.0",
+    "eslint-plugin-prettier": "^3.4.1",
+    "jest": "^28.1.3",
+    "prettier": "^2.7.1",
+    "rimraf": "^3.0.2",
+    "ts-jest": "^28.0.7",
+    "typescript": "^4.7.4"
+  },
+  "dependencies": {
+    "mustache": "^4.2.0"
+  }
+}

src/parser.ts

+export class Parser {
+  constructor(
+    private prefix: string,
+    private input: Record<string, string> = process.env,
+  ) {}
+
+  getString(key: string) {
+    return this.input[`${this.prefix}${key}`];
+  }
+
+  getNumber(key: string) {
+    const value = this.getString(key);
+    if (!value) {
+      return undefined;
+    }
+    return parseFloat(value);
+  }
+
+  getBoolean(key: string) {
+    const value = this.getString(key);
+    if (!value) {
+      return false;
+    }
+    return value !== 'false' && value !== '0';
+  }
+
+  getDict(key: string) {
+    const prefix = `${this.prefix}${key}_`;
+    const keys = Object.keys(this.input).filter((k) => k.startsWith(prefix));
+    const dict: Record<string, string> = {};
+    for (const k of keys) {
+      dict[k.slice(prefix.length)] = this.input[k];
+    }
+    return dict;
+  }
+
+  getArray(key: string) {
+    let dictValue = Object.values(this.getDict(key));
+    const directValue = this.getString(key);
+    if (directValue) {
+      dictValue = dictValue.concat(directValue.split(','));
+    }
+    if (!dictValue.length) {
+      return;
+    }
+    return dictValue;
+  }
+
+  getArrayNumber(key: string) {
+    return this.getArray(key)?.map((v) => parseFloat(v));
+  }
+}

src/site.ts

+import { Parser } from './parser';
+import { getSiteNames } from './utility';
+
+export interface SiteHttps {
+  ports: number[];
+  cert: string;
+  redirect?: boolean;
+  hsts?: boolean;
+}
+
+export interface Header {
+  name: string;
+  value: string;
+}
+
+export interface SiteRenderData {
+  domains: string[];
+  ports: number[];
+  https?: SiteHttps;
+  headers?: Header[];
+  normalizeDomain?: string;
+  minio?: boolean;
+  disableTop?: boolean;
+  noVerifyCerts?: boolean;
+  noBuffer?: boolean;
+  noCache?: boolean;
+  upstream: string;
+  timeout?: number;
+  serverExtra?: string[];
+  locationExtra?: string[];
+}
+
+export interface RenderData {
+  purgeAllowed?: string[];
+  realIp?: string[];
+  limitRate?: string;
+  limitBurst?: string;
+  maxCacheSize: string;
+  dhparamPath: string;
+  ticketKeyPath: string;
+  certsPath: string;
+  sites: SiteRenderData[];
+  httpExtra?: string[];
+}
+
+function getSiteData(
+  domain: string,
+  input: Record<string, string> = process.env,
+): SiteRenderData {
+  const parser = new Parser(`SITE_${domain}_`, input);
+  let https: SiteHttps;
+  const httpsCert = parser.getString('HTTPS');
+  if (httpsCert) {
+    https = {
+      cert: httpsCert,
+      ports: parser.getArrayNumber('HTTPS_PORTS') || [443],
+      redirect: !parser.getBoolean('HTTPS_NOREDIR'),
+      hsts: parser.getBoolean('HSTS'),
+    };
+  }
+  return {
+    domains: domain.split('+'),
+    ports: parser.getArrayNumber('PORTS') || [80],
+    https,
+    headers: Object.entries(parser.getDict('HEADER')).map(([name, value]) => ({
+      name: name.replace(/_/g, '-'),
+      value,
+    })),
+    normalizeDomain: parser.getString('NORMALIZE_DOMAIN'),
+    minio: parser.getBoolean('MINIO'),
+    disableTop: parser.getBoolean('DISABLE_TOP'),
+    noVerifyCerts: parser.getBoolean('NO_VERIFY_CERTS'),
+    noBuffer: parser.getBoolean('NO_BUFFER'),
+    noCache: parser.getBoolean('NO_CACHE'),
+    upstream: input[`SITE_${domain}`],
+    timeout: parser.getNumber('TIMEOUT'),
+    serverExtra: parser.getArray('SERVER_EXTRA'),
+    locationExtra: parser.getArray('LOCATION_EXTRA'),
+  };
+}
+
+export function getData(
+  input: Record<string, string> = process.env,
+): RenderData {
+  const parser = new Parser('', input);
+  return {
+    purgeAllowed: parser.getArray('PURGE_ALLOWED'),
+    realIp: parser.getArray('REAL_IP'),
+    limitRate: parser.getString('LIMIT_RATE'),
+    limitBurst: parser.getString('LIMIT_BURST'),
+    maxCacheSize: parser.getString('MAX_CACHE_SIZE') || '10g',
+    dhparamPath:
+      parser.getString('DHPARAM_PATH') || '/etc/nginx/generated/dhparam.pem',
+    ticketKeyPath:
+      parser.getString('TICKET_KEY_PATH') || '/etc/nginx/generated/ticket.key',
+    certsPath: parser.getString('CERTS_PATH') || '/etc/nginx/certs',
+    sites: getSiteNames().map((domain) => getSiteData(domain, input)),
+    httpExtra: parser.getArray('HTTP_EXTRA'),
+  };
+}

src/utility.ts

+export function getSiteNames() {
+  const keys = Object.keys(process.env);
+  return keys
+    .filter((key) => {
+      const splits = key.split('_');
+      return splits.length === 2 && splits[0] === 'SITE';
+    })
+    .map((key) => key.replace(/^SITE_/, ''));
+}

tests/sample.spec.ts

+describe('Sample test.', () => {
+  it('should pass', () => {
+    expect(true).toBe(true);
+  });
+});

tsconfig.json

+{
+	"compilerOptions": {
+		"outDir": "dist",
+		"module": "commonjs",
+		"target": "es2021",
+		"esModuleInterop": true,
+		"emitDecoratorMetadata": true,
+		"experimentalDecorators": true,
+		"declaration": true,
+		"sourceMap": true
+	},
+	"compileOnSave": true,
+	"allowJs": true,
+	"include": [
+		"*.ts",
+		"src/**/*.ts",
+		"test/**/*.ts",
+		"tests/**/*.ts"
+	]
+}

views/dummy

+#!/bin/sh
+exit 0

views/entrypoint.sh

+#!/bin/sh
+
+node dist > /etc/nginx/nginx.conf
+
+"$@"
\ No newline at end of file

views/nginx.conf.mustache

+user nginx;
+worker_processes auto;
+pid /var/run/nginx.pid;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+  worker_connections 4096;
+  # multi_accept on;
+}
+
+http {
+
+  ##
+  # Basic Settings
+  ##
+
+  sendfile on;
+  tcp_nopush on;
+  tcp_nodelay on;
+  keepalive_timeout 65;
+  types_hash_max_size 2048;
+  server_tokens off;
+
+  # server_names_hash_bucket_size 64;
+  # server_name_in_redirect off;
+
+  include /etc/nginx/mime.types;
+  default_type application/octet-stream;
+  underscores_in_headers on;
+
+  ##
+  # SSL Settings
+  ##
+
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:10m;  # about 40000 sessions
+  ssl_session_tickets on;
+
+  # openssl rand 80 > /etc/nginx/generated/ticket.key
+  ssl_session_ticket_key {{ticketKeyPath}};
+
+  # openssl dhparam 4096 > /etc/nginx/generated/dhparam.pem
+  ssl_dhparam {{dhparamPath}};
+
+  # old configuration
+  ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA;
+  ssl_prefer_server_ciphers on;
+
+  # OCSP stapling
+  ssl_stapling on;
+
+  # tls1.3 0-RTT
+  # ssl_early_data on;
+
+
+    ##
+    # Logging Settings
+    ##
+
+  log_format vcombined '$host:$server_port '
+    '$remote_addr - $remote_user [$time_local] '
+    '"$request_method $scheme://$host$request_uri" $status $body_bytes_sent '
+    '"$http_referer" "$http_user_agent" "$upstream_cache_status" "$upstream_http_cache_control"';
+
+  access_log /var/log/nginx/access.log vcombined;
+  error_log /var/log/nginx/error.log;
+
+  ##
+  # Gzip Settings
+  ##
+
+  gzip on;
+
+  gzip_vary on;
+  gzip_proxied any;
+  gzip_comp_level 6;
+  gzip_buffers 16 8k;
+  gzip_http_version 1.1;
+  gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+  # proxy settings
+  map $request_method $purge_method {
+     PURGE 1;
+     default 0;
+  }
+  geo $purge_allowed {
+    default         0;
+    172.16.0.0/12   1;
+    127.0.0.1       1;
+{{#purgeAllowed}}
+    {{.}}       1;
+{{/purgeAllowed}}
+  }
+  proxy_cache_path /etc/nginx/cache levels=1:2 keys_zone=cache:10m max_size={{maxCacheSize}} inactive=1d use_temp_path=off purger=on;
+  proxy_cache_purge $purge_method;
+  proxy_cache cache;
+  proxy_cache_revalidate on;
+  proxy_cache_background_update on;
+  proxy_cache_lock on;
+  proxy_cache_key $scheme://$host$request_uri;
+
+  proxy_cache_lock_timeout 0s;
+  proxy_cache_lock_age 600s;
+  #proxy_cache_use_stale updating;
+
+  add_header X-Cache-Status $upstream_cache_status;
+
+  map $http_upgrade $connection_upgrade {
+     default upgrade;
+     '' close;
+  }
+
+  client_max_body_size 10g;
+
+  # proxy timeout
+  proxy_read_timeout 120s;
+  send_timeout 120s;
+  proxy_send_timeout 120s;
+
+  ##
+  # Node spesific configs
+  ##
+
+  resolver 127.0.0.11 ipv6=off;
+
+  set_real_ip_from 172.16.0.0/12;
+{{#realIp}}
+  set_real_ip_from {{ . }};
+{{/realIp}}
+  real_ip_header X-Forwarded-FOr;
+  real_ip_recursive on;
+
+{{#limitRate}}
+{{#limitBurst}}
+  limit_rate_after {{.}};
+{{/limitBurst}}
+  limit_rate {{.}};
+{{/limitRate}}
+
+  ##
+  # Virtual Host Configs
+  ##
+
+{{#sites}}
+  server {
+    server_name{{#domains}} {{.}}{{/domains}};
+    {{#ports}}
+    listen {{.}};
+    {{/ports}}
+    {{#https}}
+      {{#ports}}
+        listen {{.}} ssl http2;
+      {{/ports}}
+      ssl_certificate {{certsPath}}/{{cert}}/fullchain.pem;
+      ssl_certificate_key {{certsPath}}/{{cert}}/privkey.pem;
+      {{#redirect}}
+        if ($https != "on") {
+          return 301 https://$host$request_uri;
+        }
+      {{/redirect}}
+      {{#hsts}}
+        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+      {{/hsts}}
+    {{/https}}
+    {{#headers}}
+      add_header {{name}} "{{value}}" always;
+    {{/headers}}
+    {{#normalizeDomain}}
+      if ($host != "{{.}}") {
+        return 301 $scheme://{{.}}$request_uri;
+      }
+    {{/normalizeDomain}}
+    {{#minio}}
+      ignore_invalid_headers off;
+      proxy_buffering off;
+    {{/minio}}
+
+    {{#disableTop}}
+      location = / {
+        return 444;
+      }
+    {{/disableTop}}
+
+    {{#serverExtra}}
+     {{.}}
+    {{/serverExtra}}
+
+    location / {
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header Forwarded "for=$remote_addr;by=$hostname";
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      {{#timeout}}
+        proxy_read_timeout {{.}}s;
+        send_timeout {{.}}s;
+        proxy_send_timeout {{.}}s;
+      {{/timeout}}
+      {{^minio}}
+        proxy_set_header Host $host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+      {{/minio}}
+      {{#minio}}
+        proxy_set_header Host $http_host;
+        proxy_connect_timeout 300;
+        # Default is HTTP/1, keepalive is only enabled in HTTP/1.1
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        chunked_transfer_encoding off;
+      {{/minio}}
+      {{#noVerifyCerts}}
+        proxy_ssl_verify off;
+      {{/noVerifyCerts}}
+      {{#noBuffer}}
+        proxy_buffering off;
+      {{/noBuffer}}
+      {{#noCache}}
+        proxy_cache off;
+      {{/noCache}}
+      proxy_pass {{upstream}};
+      {{#locationExtra}}
+        {{.}}
+      {{/locationExtra}}
+    }
+  }
+{{/sites}}
+
+  include /etc/nginx/conf.d/*.conf;
+
+  {{#httpExtra}}
+    {{.}}
+  {{/httpExtra}}
+}
+
+stream {
+  include /etc/nginx/stream/*.conf;
+}
\ No newline at end of file