server {
  listen       *:<nginx-port> ssl;

  server_name  _;

  ssl on;
  ssl_certificate           /etc/ssl/certs/ssl-cert-snakeoil.pem;
  ssl_certificate_key       /etc/ssl/private/ssl-cert-snakeoil.key;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             TLSv1.2;
  ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA;
  ssl_prefer_server_ciphers on;

  location ~ /\. {
    # Protection against versioning tools parsing
    return 404;
  }

  location ~ /(LICENSE|INSTALL|README|CHANGELOG|LASTGEN|MAINTAINERS|UPGRADE|AUTHORS|COPYRIGHT) {
    # Protection against auto generation
    return 404;
  }

  location / {
    limit_except GET {
        deny all;
    }
    proxy_pass            https://127.0.0.1:<patroni-api-port>/;
    proxy_read_timeout    10s;
    proxy_connect_timeout 30s;
    proxy_send_timeout    30s;
    proxy_set_header      Host $http_host;
    proxy_set_header      X-Real-IP $remote_addr;
    proxy_set_header      X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header      X-Forwarded-Proto https;
  }
}