server {
  listen ${synapse_federation_port}      ssl default_server;
  listen [::]:${synapse_federation_port} ssl default_server;

  http2 on;

  ssl_certificate         ${synapse_https_cert};
  ssl_certificate_key     ${synapse_https_key};
  ssl_trusted_certificate ${synapse_https_cacert};

  add_header Strict-Transport-Security "max-age=63072000" always;

  location / {
    proxy_http_version 1.1;
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_pass http://127.0.0.1:${synapse_local_federation_port};
  }
}

server {
  listen 443      ssl default_server;
  listen [::]:433 ssl default_server;

  http2 on;

  ssl_certificate         ${synapse_https_cert};
  ssl_certificate_key     ${synapse_https_key};
  ssl_trusted_certificate ${synapse_https_cacert};

  root ${synapse_element_webroot};

  add_header Strict-Transport-Security "max-age=63072000" always;
  client_max_body_size ${synapse_upload_sizelimit};

  location ~ ^(/_matrix|/_synapse/client) {
    proxy_http_version 1.1;
    proxy_set_header Host \$host;
    proxy_set_header X-Real-IP \$remote_addr;
    proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto \$scheme;
    proxy_pass http://127.0.0.1:${synapse_local_client_port};
  }
}