## $krdsh_* are defined in conf.d/http-krd.sh.conf

server {
    server_name .krd.sh;

    include snip.d/listen-http;
    include snip.d/listen-https;
    include snip.d/ssl-krd.sh;

    log_not_found off;
    access_log off;

    root /var/www/empty;

    include snip.d/deny-dotfiles;
    include snip.d/empty-favicon;

    include snip.d/http-security-headers;

    default_type text/plain;
    keepalive_timeout 0;

    proxy_hide_header Vary;
    # proxy_redirect off;

    # include snip.d/proxy-common-headers;
    # include snip.d/proxy-accept-encoding;
    # include snip.d/proxy-connection-upgrade;
    # include snip.d/proxy-early-data;

    proxy_ssl_name          $krdsh_self_proxy_host;
    proxy_set_header  Host  $krdsh_self_proxy_host;

    location / {
        if ($krdsh_is_ssl) {
            return 200;
        }

        if ($krdsh_need_ssl) {
            return 301 https://$host$request_uri;
        }

        if ($krdsh_nossl_misuse) {
            return 301 https://$krdsh_nossl_realhost$request_uri;
        }

        if ($krdsh_need_redirect) {
            return 301 $krdsh_redirector;
        }

        if ($krdsh_need_proxy) {
            proxy_pass $krdsh_self_proxy_uri;
        }
    }
}