server {
    listen 80;
    listen [::]:80;
    server_name {{ http_dns_prefix }}-api.{{ http_domain_external }} ;
    return 301 https://$http_host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name {{ http_dns_prefix }}-api.{{ http_domain_external }} ;
    index index.html index.htm;

    ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
    ssl_prefer_server_ciphers       on;
    include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;

    location / {
        # allow defined addresses to access
        allow   127.0.0.0/8;
        allow   ::1/128;
{% for host in pdns_limit_api_access %}
        allow   {{ host }};
{% endfor %}
        # drop rest of the world
        deny    all;

        proxy_set_header        Host $host;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;

        proxy_pass          http://127.0.0.1:8081;
        proxy_read_timeout  90;

        proxy_redirect      http://127.0.0.1:8081 https://{{ http_dns_prefix }}-api.{{ http_domain_external }};
    }

}