upstream {{backend_upstream_name}} {
    server {{backend_host}}:{{backend_port}};
    server 127.0.0.1 backup;
}

server {
    listen 80;
    listen [::]:80;

    server_name {{static_server_name}};
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name {{static_server_name}};

    access_log /var/log/nginx/{{static_server_name}}-access.log;
    error_log /var/log/nginx/{{static_server_name}}-error.log;

    ssl_certificate /etc/letsencrypt/live/{{static_server_name}}/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/{{static_server_name}}/privkey.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    root {{remote_static_path}}/;
    index index.html index.htm;

    location /.well-known/acme-challenge {
        alias /var/lib/letsencrypt/.well-known/acme-challenge;
        default_type "text/plain";
        try_files $uri =404;
    }

    location {{backend_url}}/api {
        uwsgi_pass  {{backend_upstream_name}};
        include /etc/nginx/uwsgi_params;
    }

    location {{backend_url}}/admin {
        uwsgi_pass  {{backend_upstream_name}};
        include /etc/nginx/uwsgi_params;
    }

    location {{backend_url}}/auth {
        uwsgi_pass  {{backend_upstream_name}};
        include /etc/nginx/uwsgi_params;
    }

    location /backend/static {
        alias {{backend_nginx_static_root}}; # backend static files
    }

    location /backend/media {
        alias {{backend_nginx_media_root}};  # backend media files
    }

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ /index.html;
    }

}