server {
  listen 443      ssl default_server;
  listen [::]:443 ssl default_server;

  http2 on;

  ssl_certificate      ${rspamd_https_cert};
  ssl_certificate_key  ${rspamd_https_key};

  add_header Strict-Transport-Security "max-age=63072000" always;

$(if [ -n "$rspamd_admin_users" ]; then
echo   '  auth_gss on;'
echo   "  auth_gss_keytab ${nginx_keytab};"
printf '  auth_gss_authorized_principal %s;\n' $rspamd_admin_users
fi)

  location / {
    proxy_http_version 1.1;
    proxy_set_header Host \$host;
    proxy_set_header X-Forwarded-Proto \$scheme;
$(if [ -z "$rspamd_admin_users" ]; then
echo '    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;'
fi)
    proxy_pass http://127.0.0.1:${rspamd_port}/;
  }
}