server {
	listen 80;
	server_name {{ hostname_riot }};

	server_tokens off;

	location /.well-known/acme-challenge {
		{#
			The proxy can access the files directly.
			An external server likely does not have permission to read these files,
			so we'll just proxy to acme's :402 port.
		#}

		{%- if matrix_nginx_proxy_enabled -%}
		default_type "text/plain";
		alias {{ matrix_ssl_certs_path }}/run/acme-challenge;
		{%- else -%}
		proxy_pass http://localhost:402;
		{% endif %}
	}

	location / {
		return 301 https://$http_host$request_uri;
	}
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name {{ hostname_riot }};

	server_tokens off;
	root /dev/null;

	ssl on;
	ssl_certificate {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/fullchain;
	ssl_certificate_key {{ matrix_ssl_certs_path }}/live/{{ hostname_riot }}/privkey;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

    location / {
        proxy_pass http://{{ 'riot' if matrix_nginx_proxy_enabled else 'localhost' }}:8765;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}