map $ssl_preread_server_name $name {
	chat.signal.org                         signal-service;
	ud-chat.signal.org                      signal-service;
	storage.signal.org                      storage-service;
	cdn.signal.org                          signal-cdn;
	cdn2.signal.org                         signal-cdn2;
	cdn3.signal.org                         signal-cdn3;
	cdsi.signal.org                         cdsi;
	contentproxy.signal.org                 content-proxy;
	sfu.voip.signal.org                     sfu;
	svr2.signal.org                         svr2;
	updates.signal.org                      updates;
	updates2.signal.org                     updates2;

	x.kp2pml30.moe                          xray-entrypoint;
	pr.kp2pml30.moe                         signal-proxy;

	kp2pml30.moe                            ssl-terminator;
	dns.kp2pml30.moe                        ssl-terminator;
	git.kp2pml30.moe                        ssl-terminator;
	cache.nix.kp2pml30.moe                  ssl-terminator;
	backend.kp2pml30.moe                    ssl-terminator;

	default                                 deny;
}

upstream signal-service {
	server chat.signal.org:443;
}

upstream storage-service {
	server storage.signal.org:443;
}

upstream signal-cdn {
	server cdn.signal.org:443;
}

upstream signal-cdn2 {
	server cdn2.signal.org:443;
}

upstream signal-cdn3 {
	server cdn3.signal.org:443;
}

upstream cdsi {
	server cdsi.signal.org:443;
}

upstream content-proxy {
	server contentproxy.signal.org:443;
}

upstream sfu {
	server sfu.voip.signal.org:443;
}

upstream svr2 {
	server svr2.signal.org:443;
}

upstream updates {
	server updates.signal.org:443;
}

upstream updates2 {
	server updates2.signal.org:443;
}

upstream xray-entrypoint {
	server 127.0.0.1:8010;
}

upstream deny {
	server 127.0.0.1:9;
}

upstream self {
	server 127.0.0.1:80;
}

upstream ssl-terminator {
	server 127.0.0.1:8443;
}

upstream signal-proxy {
	server 127.0.0.1:8444;
}

server {
	listen          443;
	ssl_preread     on;
	proxy_pass      $name;
}

server {
	listen          8443 ssl;
	server_name     kp2pml30.moe git.kp2pml30.moe cache.nix.kp2pml30.moe backend.kp2pml30.moe dns.kp2pml30.moe;
	proxy_pass      self;

	ssl_certificate         /var/lib/acme/kp2pml30.moe/fullchain.pem;
	ssl_certificate_key     /var/lib/acme/kp2pml30.moe/key.pem;
	ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem;
}

server {
	listen          8444 ssl;
	server_name     pr.kp2pml30.moe;
	ssl_preread     on;
	proxy_pass      $name;

	ssl_certificate         /var/lib/acme/kp2pml30.moe/fullchain.pem;
	ssl_certificate_key     /var/lib/acme/kp2pml30.moe/key.pem;
	ssl_trusted_certificate /var/lib/acme/kp2pml30.moe/chain.pem;
}

log_format proxy_log '$remote_addr [$time_local] '
	'$protocol $status $bytes_sent $bytes_received '
	'$session_time "$upstream_addr" '
	'"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"'
	'Proxy: "$ssl_preread_server_name" $name"';

access_log /var/log/nginx/aboba-access.log proxy_log buffer=1k flush=1m;