MagRelo · May 17, 2016 10:25
diff --git a/Prod_SpoonAdmin.liquid b/Prod_SpoonAdmin.liquid
 user                            nginx;
 worker_processes                {{ workers }};
 error_log                       /var/log/nginx.log;

 events {
    worker_connections          1024;
    accept_mutex                off;
 }

 http {
    root                          /etc/cloud66/webroot;
    gzip                          on;
    gzip_min_length               100;
    gzip_proxied                  expired no-cache no-store private auth;
    gzip_types                    text/plain application/xml text/css application/x-javascript text/javascript application/javascript;
    gzip_disable                  "MSIE [1-6]\.";
    server_names_hash_bucket_size 128;

    add_header                  X-Powered-By      cloud66;

    {% if has_ha_proxy_load_balancer == true and supports_realip_module == true %}
    set_real_ip_from {{ load_balancer_address }};
    real_ip_header X-Forwarded-For;
    {% endif %}

    tcp_nopush                  on;
    tcp_nodelay                 off;
    ssl_session_cache           shared:SSL:10m;
    ssl_session_timeout         10m;
    ssl_protocols               TLSv1 TLSv1.1 TLSv1.2;

    underscores_in_headers      on;
    types_hash_max_size         2048;
    include                     mime.types;
    default_type                application/octet-stream;

    client_max_body_size        250m;

    sendfile                    on;
    server_tokens               off;
    keepalive_timeout           65;

    {% for service_container in service_containers %}
    {% for upstream in service_container.upstreams %}
    upstream {{ upstream.name }} {
        {% for private_ip in upstream.private_ips %}
        server {{private_ip}}:{{upstream.port.container}};
        {% endfor # upstream.private_ips %}
    }
    {% endfor # service_container.upstreams %}
    {% endfor # service_containers %}

    {% if websocket_support == true %}
    map $http_upgrade $connection_upgrade {
        default Upgrade;
        '' close;
    }
    {% endif %}

    {% for service_container in service_containers %}
    {% for upstream in service_container.upstreams %}
    {% if upstream.port.http != blank %}
    server {
        listen                  {{ upstream.port.http }};

        {% for ip in blacklist %}
        deny {{ ip }};
        {% endfor %}
        keepalive_timeout       5;
        client_max_body_size    250m;
        # redirect on errors
        error_page              500 502 504 /50x.html;

        # handle error redirect
        location = /50x.html {
            proxy_pass http://placeholders.cloud66.com/nginx/50x.html;
        }

        {% if upstream.port.http == 80 %}
        location /.well-known/acme-challenge/ {
            {% if letsencrypt_primary_address == empty %}
            # serve letsencrypt requests from here
            alias /etc/cloud66/webroot/;
            try_files $uri =404;
            {% else %}
            # serve letsencrypt request from another host
            proxy_pass  http://{{ letsencrypt_primary_address }};
            {% endif %}
        }
        {% endif %}

        {% if red_http_to_https == true %}
        {% if has_load_balancer %}
        set $http_rewrite 0;
        if ($http_x_forwarded_proto = "http") {
            set $http_rewrite 1;
        }
        if ($http_x_forwarded_proto = "") {
            set $http_rewrite 1;
        }
        if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
            set $http_rewrite 0;
        }
        if ($http_rewrite = 1) {
            rewrite ^(.*) https://$host$1 permanent;
        }
        {% else %}
        if ($request_uri !~ ^/.well-known/acme-challenge/.*$) {
            rewrite ^(.*) https://$host$1 permanent;
        }
        {% endif %}
        {% endif %}

        {% if red_www == 0 %}
        server_name             {{ upstream.traffic_matches }};
        {% endif %}
        {% if red_www == 2 %}
        set $www_rewrite 0;
        if ($http_host ~ ^(?!www\.)(.*)) {
            set $www_rewrite 1;
            set $www_host $1;
        }
        if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
            set $www_rewrite 0;
        }
        if ($www_rewrite = 1) {
            return 301 $scheme://www.$www_host$request_uri;
        }
        {% endif %}
        {% if red_www == 1 %}
        set $www_rewrite 0;
        if ($http_host ~ ^www\.(.*)$) {
            set $www_rewrite 1;
            set $www_host $1;
        }
        if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
            set $www_rewrite 0;
        }
        if ($www_rewrite = 1) {
            return 301 $scheme://$www_host$request_uri;
        }
        {% endif %}

        {% if cors_enabled == true %}
        # Cross domain resource
        add_header Access-Control-Allow-Origin "{{ cors_origin }}";
        add_header Access-Control-Allow-Methods "{{ cors_methods }}";
        {% endif %}

        {% if maintenance_mode_active and upstream.port.http == 80 %}
        location / {
            root /etc/cloud66/pages;
            rewrite ^(.*)$ /cloud66_maintenance.html break;
        }
        {% else %}
        location / {
            {% if websocket_support == true %}
            # Next three lines implement websocket support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            {% endif %}
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Host $http_host;
            proxy_redirect          off;
            proxy_pass              http://{{ upstream.name }};
            break;
        }
        {% endif %}
        
    }
    {% endif # if upstream.port.http != blank %}

    {% if allow_ssl == true %}
    {% if upstream.port.https != blank %}
    server {
        listen                    {{ upstream.port.https }};
        ssl                       on;
        ssl_ciphers               'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        ssl_dhparam               /etc/ssl/private/dhparams.pem;
        ssl_certificate_key       /etc/ssl/localcerts/{{ ssl_certificate_filename }}.key;
        ssl_certificate           /etc/ssl/localcerts/{{ ssl_certificate_filename }}.crt;

        {% for ip in blacklist %}
        deny {{ ip }};
        {% endfor %}

        {% if red_www == 0 %}
        server_name             {{ upstream.traffic_matches }};
        {% endif %}
        {% if red_www == 2 %}
        if ($http_host ~ ^(?!www\.)(.*)) {
            return 301 $scheme://www.$1$request_uri;
        }
        {% endif %}
        {% if red_www == 1 %}
        if ($http_host ~ ^www\.(.*)$) {
            return 301 $scheme://$1$request_uri;
        }
        {% endif %}

        client_max_body_size    250m;

        # redirect on errors
        error_page              500 502 504 /50x.html;

        # handle error redirect
        location = /50x.html {
            proxy_pass http://placeholders.cloud66.com/nginx/50x.html;
        }

        {% if cors_enabled == true %}
        # Cross domain resource
        add_header Access-Control-Allow-Origin "{{ cors_origin }}";
        add_header Access-Control-Allow-Methods "{{ cors_methods }}";
        {% endif %}

        {% if maintenance_mode_active and upstream.port.https == 443 %}
        location / {
            root /etc/cloud66/pages;
            rewrite ^(.*)$ /cloud66_maintenance.html break;
        }
        {% else %}
        location / {
            {% if websocket_support == true %}
            # Next three lines implement websocket support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            {% endif %}
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Host $http_host;
            proxy_set_header        X-Forwarded-Proto https;
            proxy_redirect          off;
            proxy_pass              http://{{ upstream.name }};
            break;
        }
        {% endif %}
        
    }
    {% endif # if upstream.port.https != blank %}
    {% endif # if allow_ssl == true %}

    {% endfor # service_container.upstreams %}
    {% endfor # service_containers %}
    server {
        # metrics
        listen   8559;
        location /status {
            stub_status on;
            access_log   off;
            allow 127.0.0.1;
            deny all;
        }
    }

    # --- SpoonNode Root Domain HTTP ---     
    server {

        listen   80;
        server_name spoonadmin.com;

        location / {
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Host $http_host;
            proxy_set_header        X-Forwarded-Proto https;
            proxy_redirect          off;
            proxy_pass              http://content.1.1;
            break;
        }
        
        # custom rules that apply to root domain
        set $spoonHost "spoonadmin.com";
        set $spoonHome "http://127.0.0.1/home";
        
        # --- WP Login  ---             
        location /wp-login.php {
            proxy_pass                 http://spoonadmin.wpengine.com/wp-login.php;
            proxy_set_header Host      $spoonHost;
            proxy_set_header X-Real-IP $remote_addr;
        }
        
        # --- All WordPress Functionality goes to WPEngine  ---             
        location ~* \/(wp-admin|wp-content|wp-includes|wp-json)(.*)$ {
            proxy_pass                  http://spoonadmin.wpengine.com/$1/$2$is_args$args;
            proxy_set_header Host      $spoonHost;
            proxy_set_header X-Real-IP $remote_addr;
        }        
        
        # --- Allows Auth0 Login Redirect  ---     
        location /index.php {
            proxy_pass                  http://spoonadmin.wpengine.com;
            proxy_set_header Host      $spoonHost;
            proxy_set_header X-Real-IP $remote_addr;
        }     
    }
    
    # --- SpoonNode Root Domain HTTPS --- 
    server {

        listen   443;
        server_name spoonadmin.com;

        location / {
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Host $http_host;
            proxy_set_header        X-Forwarded-Proto https;
            proxy_redirect          off;
            proxy_pass              https://content.1.1;
            break;
        }
        
        # custom rules that apply to root domain
        set $spoonHost "spoonadmin.com";
        set $spoonHome "https://127.0.0.1/home";
        
         # --- WP Login  ---             
        location /wp-login.php {
            proxy_pass                 https://spoonadmin.wpengine.com/wp-login.php;
            proxy_set_header Host      $spoonHost;
            proxy_set_header X-Real-IP $remote_addr;
        }
        
        # --- All WordPress Functionality goes to WPEngine  ---             
        location ~* \/(wp-admin|wp-content|wp-includes|wp-json)(.*)$ {
            proxy_pass                  https://spoonadmin.wpengine.com/$1/$2$is_args$args;
            proxy_set_header Host      $spoonHost;
            proxy_set_header X-Real-IP $remote_addr;
        }        
        
        # --- Allows Auth0 Login Redirect  ---     
        location /index.php {
            proxy_pass                  https://spoonadmin.wpengine.com;
            proxy_set_header Host      $spoonHost;
            proxy_set_header X-Real-IP $remote_addr;
        }              
    }

    # --- All Subdomains except search and data ---
    server {
        
        listen  80;
        server_name     ~^(?<subdomain>\w+)\.spoonadmin\.com$;
        
        location / {
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Host $http_host;
            proxy_set_header        X-Forwarded-Proto https;
            proxy_redirect          off;
            proxy_pass              http://content.1.1;
            break;
        }
        
        # --- custom configuration ---
        set $spoonHost "${subdomain}.spoonadmin.com";
        set $spoonHome "http://127.0.0.1/chapter/${subdomain}";
        

        # --- Chapter homepages are on subdomains ---
        location = / {
            proxy_pass                  $spoonHome;
            proxy_set_header Host       $spoonHost;
        }
        
        
        # --- Redirect to root domain on content pages ---
        location ~* \/(about|category|tag|theme|series|lifestyle||how-to|recipe|place|news)\/(\S+)$ {
            rewrite (.*) http://spoonadmin.com$1/$2 permanent;
        }
    
        # --- Redirect to root domain on custom pages ---
        location ~* ^\/(\w|-)+$ {
            rewrite (.*) http://spoonadmin.com$1/$2 permanent;
        }
        

        # --- Redirect to WPEngine for WP Login ---
        location /wp-login.php {
            proxy_pass                 http://spoonadmin.wpengine.com/wp-login.php;
            proxy_set_header Host      $spoonHost;
            proxy_set_header X-Real-IP $remote_addr;
        }

        # --- Redirect to WPengine for wordpress stuff ---        
        location ~* \/(wp-admin|wp-content|wp-includes|wp-json)(.*)$ {
            proxy_pass                  http://spoonadmin.wpengine.com/$1/$2$is_args$args;
            proxy_set_header Host      $spoonHost;
            proxy_set_header X-Real-IP $remote_addr;
        }        
        
        # --- Allow Auth0 Login ---        
        location /index.php {
            proxy_pass                  http://spoonadmin.wpengine.com;
            proxy_set_header Host      $spoonHost;
            proxy_set_header X-Real-IP $remote_addr;
        }            
    }

    # --- All Subdomains except search and data for https ---
    server {
        
        listen  443;        
        server_name     ~^(?<subdomain>\w+)\.spoonadmin\.com$;
        
        location / {
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        Host $http_host;
            proxy_set_header        X-Forwarded-Proto https;
            proxy_redirect          off;
            proxy_pass              https://content.1.1;
            break;
        }
        
        # --- custom configuration ---
        set $spoonHost "${subdomain}.spoonadmin.com";
        set $spoonHome "https://127.0.0.1/chapter/${subdomain}";
        
        # --- Chapter homepages are on subdomains ---
        location = / {
            proxy_pass                  $spoonHome;
            proxy_set_header Host       $spoonHost;
        }
        
        # --- Redirect to root domain on content pages ---
        location ~* \/(about|category|tag|theme|series|lifestyle||how-to|place|recipe|news)\/(\S+)$ {
            rewrite (.*) https://spoonadmin.com$1/$2 permanent;
        }
        
        # --- Redirect to root domain on custom pages ---
        location ~* ^\/(\w|-)+$ {
            rewrite (.*) https://spoonadmin.com$1/$2 permanent;
        }

        # --- Redirect to WPEngine for WP Login ---
        location /wp-login.php {
            proxy_pass                 https://spoonadmin.wpengine.com/wp-login.php;
            proxy_set_header Host      $spoonHost;
            proxy_set_header X-Real-IP $remote_addr;
        }
        
        # --- Redirect to WPengine for wordpress stuff ---        
        location ~* \/(wp-admin|wp-content|wp-includes|wp-json)(.*)$ {
            proxy_pass                  https://spoonadmin.wpengine.com/$1/$2$is_args$args;
            proxy_set_header Host      $spoonHost;
            proxy_set_header X-Real-IP $remote_addr;
        }        
        
        # --- Allow Auth0 Login ---        
        location /index.php {
            proxy_pass                  https://spoonadmin.wpengine.com;
            proxy_set_header Host      $spoonHost;
            proxy_set_header X-Real-IP $remote_addr;
        }            
    }
    # --- NewSpoon custom configuration ---

    {% if http_80_missing == true %}
    server {
        # letsencrypt
        listen                  80;
        location /.well-known/acme-challenge/ {
            {% if letsencrypt_primary_address == empty %}
            # serve letsencrypt requests from here
            alias /etc/cloud66/webroot/;
            try_files $uri =404;
            {% else %}
            # serve letsencrypt request from another host
            proxy_pass  http://{{ letsencrypt_primary_address }};
            {% endif %}
        }
    }
    {% endif %}
 }
	user nginx;
	worker_processes {{ workers }};
	error_log /var/log/nginx.log;

	events {
	worker_connections 1024;
	accept_mutex off;
	}

	http {
	root /etc/cloud66/webroot;
	gzip on;
	gzip_min_length 100;
	gzip_proxied expired no-cache no-store private auth;
	gzip_types text/plain application/xml text/css application/x-javascript text/javascript application/javascript;
	gzip_disable "MSIE [1-6]\.";
	server_names_hash_bucket_size 128;

	add_header X-Powered-By cloud66;

	{% if has_ha_proxy_load_balancer == true and supports_realip_module == true %}
	set_real_ip_from {{ load_balancer_address }};
	real_ip_header X-Forwarded-For;
	{% endif %}

	tcp_nopush on;
	tcp_nodelay off;
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 10m;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

	underscores_in_headers on;
	types_hash_max_size 2048;
	include mime.types;
	default_type application/octet-stream;

	client_max_body_size 250m;

	sendfile on;
	server_tokens off;
	keepalive_timeout 65;

	{% for service_container in service_containers %}
	{% for upstream in service_container.upstreams %}
	upstream {{ upstream.name }} {
	{% for private_ip in upstream.private_ips %}
	server {{private_ip}}:{{upstream.port.container}};
	{% endfor # upstream.private_ips %}
	}
	{% endfor # service_container.upstreams %}
	{% endfor # service_containers %}

	{% if websocket_support == true %}
	map $http_upgrade $connection_upgrade {
	default Upgrade;
	'' close;
	}
	{% endif %}

	{% for service_container in service_containers %}
	{% for upstream in service_container.upstreams %}
	{% if upstream.port.http != blank %}
	server {
	listen {{ upstream.port.http }};

	{% for ip in blacklist %}
	deny {{ ip }};
	{% endfor %}
	keepalive_timeout 5;
	client_max_body_size 250m;
	# redirect on errors
	error_page 500 502 504 /50x.html;

	# handle error redirect
	location = /50x.html {
	proxy_pass http://placeholders.cloud66.com/nginx/50x.html;
	}

	{% if upstream.port.http == 80 %}
	location /.well-known/acme-challenge/ {
	{% if letsencrypt_primary_address == empty %}
	# serve letsencrypt requests from here
	alias /etc/cloud66/webroot/;
	try_files $uri =404;
	{% else %}
	# serve letsencrypt request from another host
	proxy_pass http://{{ letsencrypt_primary_address }};
	{% endif %}
	}
	{% endif %}

	{% if red_http_to_https == true %}
	{% if has_load_balancer %}
	set $http_rewrite 0;
	if ($http_x_forwarded_proto = "http") {
	set $http_rewrite 1;
	}
	if ($http_x_forwarded_proto = "") {
	set $http_rewrite 1;
	}
	if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
	set $http_rewrite 0;
	}
	if ($http_rewrite = 1) {
	rewrite ^(.*) https://$host$1 permanent;
	}
	{% else %}
	if ($request_uri !~ ^/.well-known/acme-challenge/.*$) {
	rewrite ^(.*) https://$host$1 permanent;
	}
	{% endif %}
	{% endif %}

	{% if red_www == 0 %}
	server_name {{ upstream.traffic_matches }};
	{% endif %}
	{% if red_www == 2 %}
	set $www_rewrite 0;
	if ($http_host ~ ^(?!www\.)(.*)) {
	set $www_rewrite 1;
	set $www_host $1;
	}
	if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
	set $www_rewrite 0;
	}
	if ($www_rewrite = 1) {
	return 301 $scheme://www.$www_host$request_uri;
	}
	{% endif %}
	{% if red_www == 1 %}
	set $www_rewrite 0;
	if ($http_host ~ ^www\.(.*)$) {
	set $www_rewrite 1;
	set $www_host $1;
	}
	if ($request_uri ~ ^/.well-known/acme-challenge/.*$) {
	set $www_rewrite 0;
	}
	if ($www_rewrite = 1) {
	return 301 $scheme://$www_host$request_uri;
	}
	{% endif %}

	{% if cors_enabled == true %}
	# Cross domain resource
	add_header Access-Control-Allow-Origin "{{ cors_origin }}";
	add_header Access-Control-Allow-Methods "{{ cors_methods }}";
	{% endif %}

	{% if maintenance_mode_active and upstream.port.http == 80 %}
	location / {
	root /etc/cloud66/pages;
	rewrite ^(.*)$ /cloud66_maintenance.html break;
	}
	{% else %}
	location / {
	{% if websocket_support == true %}
	# Next three lines implement websocket support
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $connection_upgrade;
	{% endif %}
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_redirect off;
	proxy_pass http://{{ upstream.name }};
	break;
	}
	{% endif %}

	}
	{% endif # if upstream.port.http != blank %}

	{% if allow_ssl == true %}
	{% if upstream.port.https != blank %}
	server {
	listen {{ upstream.port.https }};
	ssl on;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;
	ssl_dhparam /etc/ssl/private/dhparams.pem;
	ssl_certificate_key /etc/ssl/localcerts/{{ ssl_certificate_filename }}.key;
	ssl_certificate /etc/ssl/localcerts/{{ ssl_certificate_filename }}.crt;

	{% for ip in blacklist %}
	deny {{ ip }};
	{% endfor %}

	{% if red_www == 0 %}
	server_name {{ upstream.traffic_matches }};
	{% endif %}
	{% if red_www == 2 %}
	if ($http_host ~ ^(?!www\.)(.*)) {
	return 301 $scheme://www.$1$request_uri;
	}
	{% endif %}
	{% if red_www == 1 %}
	if ($http_host ~ ^www\.(.*)$) {
	return 301 $scheme://$1$request_uri;
	}
	{% endif %}

	client_max_body_size 250m;

	# redirect on errors
	error_page 500 502 504 /50x.html;

	# handle error redirect
	location = /50x.html {
	proxy_pass http://placeholders.cloud66.com/nginx/50x.html;
	}

	{% if cors_enabled == true %}
	# Cross domain resource
	add_header Access-Control-Allow-Origin "{{ cors_origin }}";
	add_header Access-Control-Allow-Methods "{{ cors_methods }}";
	{% endif %}

	{% if maintenance_mode_active and upstream.port.https == 443 %}
	location / {
	root /etc/cloud66/pages;
	rewrite ^(.*)$ /cloud66_maintenance.html break;
	}
	{% else %}
	location / {
	{% if websocket_support == true %}
	# Next three lines implement websocket support
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection $connection_upgrade;
	{% endif %}
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Proto https;
	proxy_redirect off;
	proxy_pass http://{{ upstream.name }};
	break;
	}
	{% endif %}

	}
	{% endif # if upstream.port.https != blank %}
	{% endif # if allow_ssl == true %}

	{% endfor # service_container.upstreams %}
	{% endfor # service_containers %}
	server {
	# metrics
	listen 8559;
	location /status {
	stub_status on;
	access_log off;
	allow 127.0.0.1;
	deny all;
	}
	}

	# --- SpoonNode Root Domain HTTP ---
	server {

	listen 80;
	server_name spoonadmin.com;

	location / {
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Proto https;
	proxy_redirect off;
	proxy_pass http://content.1.1;
	break;
	}

	# custom rules that apply to root domain
	set $spoonHost "spoonadmin.com";
	set $spoonHome "http://127.0.0.1/home";

	# --- WP Login ---
	location /wp-login.php {
	proxy_pass http://spoonadmin.wpengine.com/wp-login.php;
	proxy_set_header Host $spoonHost;
	proxy_set_header X-Real-IP $remote_addr;
	}

	# --- All WordPress Functionality goes to WPEngine ---
	location ~* \/(wp-admin\|wp-content\|wp-includes\|wp-json)(.*)$ {
	proxy_pass http://spoonadmin.wpengine.com/$1/$2$is_args$args;
	proxy_set_header Host $spoonHost;
	proxy_set_header X-Real-IP $remote_addr;
	}

	# --- Allows Auth0 Login Redirect ---
	location /index.php {
	proxy_pass http://spoonadmin.wpengine.com;
	proxy_set_header Host $spoonHost;
	proxy_set_header X-Real-IP $remote_addr;
	}
	}

	# --- SpoonNode Root Domain HTTPS ---
	server {

	listen 443;
	server_name spoonadmin.com;

	location / {
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Proto https;
	proxy_redirect off;
	proxy_pass https://content.1.1;
	break;
	}

	# custom rules that apply to root domain
	set $spoonHost "spoonadmin.com";
	set $spoonHome "https://127.0.0.1/home";

	# --- WP Login ---
	location /wp-login.php {
	proxy_pass https://spoonadmin.wpengine.com/wp-login.php;
	proxy_set_header Host $spoonHost;
	proxy_set_header X-Real-IP $remote_addr;
	}

	# --- All WordPress Functionality goes to WPEngine ---
	location ~* \/(wp-admin\|wp-content\|wp-includes\|wp-json)(.*)$ {
	proxy_pass https://spoonadmin.wpengine.com/$1/$2$is_args$args;
	proxy_set_header Host $spoonHost;
	proxy_set_header X-Real-IP $remote_addr;
	}

	# --- Allows Auth0 Login Redirect ---
	location /index.php {
	proxy_pass https://spoonadmin.wpengine.com;
	proxy_set_header Host $spoonHost;
	proxy_set_header X-Real-IP $remote_addr;
	}
	}

	# --- All Subdomains except search and data ---
	server {

	listen 80;
	server_name ~^(?<subdomain>\w+)\.spoonadmin\.com$;

	location / {
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Proto https;
	proxy_redirect off;
	proxy_pass http://content.1.1;
	break;
	}

	# --- custom configuration ---
	set $spoonHost "${subdomain}.spoonadmin.com";
	set $spoonHome "http://127.0.0.1/chapter/${subdomain}";


	# --- Chapter homepages are on subdomains ---
	location = / {
	proxy_pass $spoonHome;
	proxy_set_header Host $spoonHost;
	}


	# --- Redirect to root domain on content pages ---
	location ~* \/(about\|category\|tag\|theme\|series\|lifestyle\|\|how-to\|recipe\|place\|news)\/(\S+)$ {
	rewrite (.*) http://spoonadmin.com$1/$2 permanent;
	}

	# --- Redirect to root domain on custom pages ---
	location ~* ^\/(\w\|-)+$ {
	rewrite (.*) http://spoonadmin.com$1/$2 permanent;
	}


	# --- Redirect to WPEngine for WP Login ---
	location /wp-login.php {
	proxy_pass http://spoonadmin.wpengine.com/wp-login.php;
	proxy_set_header Host $spoonHost;
	proxy_set_header X-Real-IP $remote_addr;
	}

	# --- Redirect to WPengine for wordpress stuff ---
	location ~* \/(wp-admin\|wp-content\|wp-includes\|wp-json)(.*)$ {
	proxy_pass http://spoonadmin.wpengine.com/$1/$2$is_args$args;
	proxy_set_header Host $spoonHost;
	proxy_set_header X-Real-IP $remote_addr;
	}

	# --- Allow Auth0 Login ---
	location /index.php {
	proxy_pass http://spoonadmin.wpengine.com;
	proxy_set_header Host $spoonHost;
	proxy_set_header X-Real-IP $remote_addr;
	}
	}

	# --- All Subdomains except search and data for https ---
	server {

	listen 443;
	server_name ~^(?<subdomain>\w+)\.spoonadmin\.com$;

	location / {
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header Host $http_host;
	proxy_set_header X-Forwarded-Proto https;
	proxy_redirect off;
	proxy_pass https://content.1.1;
	break;
	}

	# --- custom configuration ---
	set $spoonHost "${subdomain}.spoonadmin.com";
	set $spoonHome "https://127.0.0.1/chapter/${subdomain}";

	# --- Chapter homepages are on subdomains ---
	location = / {
	proxy_pass $spoonHome;
	proxy_set_header Host $spoonHost;
	}

	# --- Redirect to root domain on content pages ---
	location ~* \/(about\|category\|tag\|theme\|series\|lifestyle\|\|how-to\|place\|recipe\|news)\/(\S+)$ {
	rewrite (.*) https://spoonadmin.com$1/$2 permanent;
	}

	# --- Redirect to root domain on custom pages ---
	location ~* ^\/(\w\|-)+$ {
	rewrite (.*) https://spoonadmin.com$1/$2 permanent;
	}

	# --- Redirect to WPEngine for WP Login ---
	location /wp-login.php {
	proxy_pass https://spoonadmin.wpengine.com/wp-login.php;
	proxy_set_header Host $spoonHost;
	proxy_set_header X-Real-IP $remote_addr;
	}

	# --- Redirect to WPengine for wordpress stuff ---
	location ~* \/(wp-admin\|wp-content\|wp-includes\|wp-json)(.*)$ {
	proxy_pass https://spoonadmin.wpengine.com/$1/$2$is_args$args;
	proxy_set_header Host $spoonHost;
	proxy_set_header X-Real-IP $remote_addr;
	}

	# --- Allow Auth0 Login ---
	location /index.php {
	proxy_pass https://spoonadmin.wpengine.com;
	proxy_set_header Host $spoonHost;
	proxy_set_header X-Real-IP $remote_addr;
	}
	}
	# --- NewSpoon custom configuration ---

	{% if http_80_missing == true %}
	server {
	# letsencrypt
	listen 80;
	location /.well-known/acme-challenge/ {
	{% if letsencrypt_primary_address == empty %}
	# serve letsencrypt requests from here
	alias /etc/cloud66/webroot/;
	try_files $uri =404;
	{% else %}
	# serve letsencrypt request from another host
	proxy_pass http://{{ letsencrypt_primary_address }};
	{% endif %}
	}
	}
	{% endif %}
	}
No results found