server {
  server_name {{ impress_hostname }};
  listen 80;
  if ($host = {{ impress_hostname }}) {
    return 301 https://$host$request_uri;
  }
}

server {
  server_name {{ impress_hostname }};
  listen 443 ssl;
  ssl_certificate /etc/letsencrypt/live/{{ impress_hostname }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ impress_hostname }}/privkey.pem;
  include /etc/letsencrypt/options-ssl-nginx.conf;
  ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
  ssl_session_cache shared:SSL:10m; # https://superuser.com/q/1484466/14127

  root /srv/impress/current/public;

  # Serve assets using their precompressed *.gz versions.
  # The filenames contain content hashes, so they should be safe to
  # cache forever.
  # https://stackoverflow.com/a/6952804/107415
  location ~ ^/assets/ {
    gzip_static on;
    expires     max;
    add_header  Cache-Control public;
    add_header  Last-Modified "";
    add_header  ETag "";
  }

  # Try serving static files first. If not found, fall back to the app.
  try_files $uri/index.html $uri @app;

  location @app {
    proxy_pass http://127.0.0.1:3000;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header Host $http_host;
    proxy_redirect off;
  }
}