From ecb27521b411339d7cf9e9652d37b3e8174ed26c Mon Sep 17 00:00:00 2001
From: Stefano Badoino <16034687+SBado@users.noreply.github.com>
Date: Wed, 23 Feb 2022 11:32:39 +0100
Subject: [PATCH 1/6] PROXY Protocol support implementation

---
 backend/internal/nginx.js | 3 +-
 .../20220209144645_proxy_protocol.js | 36 +++++++++++++++++++
 backend/schema/endpoints/proxy-hosts.json | 28 +++++++++++++++
 backend/templates/_listen.conf | 20 ++++++++---
 backend/templates/_proxy_protocol.conf | 6 ++++
 backend/templates/proxy_host.conf | 1 +
 frontend/js/app/nginx/proxy/form.ejs | 17 ++++++++-
 frontend/js/app/nginx/proxy/form.js | 14 +++++++-
 frontend/js/i18n/messages.json | 4 ++-
 frontend/js/models/proxy-host.js | 2 ++
 10 files changed, 122 insertions(+), 9 deletions(-)
 create mode 100644 backend/migrations/20220209144645_proxy_protocol.js
 create mode 100644 backend/templates/_proxy_protocol.conf

diff --git a/backend/internal/nginx.js b/backend/internal/nginx.js
index 52bdd66dc..0291dfda6 100644
--- a/backend/internal/nginx.js
+++ b/backend/internal/nginx.js
@@ -157,7 +157,8 @@ const internalNginx = {
 for (let i = 0; i < host.locations.length; i++) {
 let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id},
 {ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits},
- {allow_websocket_upgrade: host.allow_websocket_upgrade}, {http2_support: host.http2_support},
+ {allow_websocket_upgrade: host.allow_websocket_upgrade}, {enable_proxy_protocol: host.enable_proxy_protocol},
+ {load_balancer_ip: host.load_balancer_ip}, {http2_support: host.http2_support},
 {hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list},
 {certificate: host.certificate}, host.locations[i]);
diff --git a/backend/migrations/20220209144645_proxy_protocol.js b/backend/migrations/20220209144645_proxy_protocol.js
new file mode 100644
index 000000000..8c8099128
--- /dev/null
+++ b/backend/migrations/20220209144645_proxy_protocol.js
@@ -0,0 +1,36 @@
+const migrate_name = 'proxy_protocol';
+const logger = require('../logger').migrate;
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.up = function (knex/*, Promise*/) {
+ logger.info('[' + migrate_name + '] Migrating Up...');
+
+ return knex.schema.table('proxy_host', function (proxy_host) {
+ proxy_host.integer('enable_proxy_protocol').notNull().unsigned().defaultTo(0);
+ proxy_host.string('load_balancer_ip').notNull().defaultTo('');
+ })
+ .then(() => {
+ logger.info('[' + migrate_name + '] proxy_host Table altered');
+ });
+
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.down = function (knex, Promise) {
+ logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+ return Promise.resolve(true);
+};
\ No newline at end of file
diff --git a/backend/schema/endpoints/proxy-hosts.json b/backend/schema/endpoints/proxy-hosts.json
index 9a3fff2fc..27a8ec2ab 100644
--- a/backend/schema/endpoints/proxy-hosts.json
+++ b/backend/schema/endpoints/proxy-hosts.json
@@ -58,6 +58,16 @@
 "example": true,
 "type": "boolean"
 },
+ "enable_proxy_protocol": {
+ "description": "Enable PROXY Protocol support",
+ "example": true,
+ "type": "boolean"
+ },
+ "load_balancer_ip": {
+ "type": "string",
+ "minLength": 0,
+ "maxLength": 255
+ },
 "access_list_id": {
 "$ref": "../definitions.json#/definitions/access_list_id"
 },
@@ -155,6 +165,12 @@
 "allow_websocket_upgrade": {
 "$ref": "#/definitions/allow_websocket_upgrade"
 },
+ "enable_proxy_protocol": {
+ "$ref": "#/definitions/enable_proxy_protocol"
+ },
+ "load_balancer_ip": {
+ "$ref": "#/definitions/load_balancer_ip"
+ },
 "access_list_id": {
 "$ref": "#/definitions/access_list_id"
 },
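Review bot: `exports.down` only logs that the migration cannot be reversed and resolves immediately, so a rollback leaves both new columns in place even though dropping them is straightforward; consider `return knex.schema.table('proxy_host', (proxy_host) => { proxy_host.dropColumn('enable_proxy_protocol'); proxy_host.dropColumn('load_balancer_ip'); });` in place of the warn/resolve pair. If the project's other migrations deliberately refuse to migrate down, a one-line comment saying why would stop the next reader from asking the same question. The doc block above `up` still lists a `Promise` parameter that the signature comments out.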
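Review bot: The `load_balancer_ip` definition in the first hunk bounds only the length of the string (0–255) and carries no `pattern`, `description` or `example`, unlike the sibling `enable_proxy_protocol` definition right above it. The value is later written verbatim into a `set_real_ip_from` directive (see `_proxy_protocol.conf` in this series), so anything that is not a single IPv4/IPv6 address or CIDR produces a broken or unintended nginx config rather than a validation error; a coarse constructed example that at least excludes whitespace and `;` would be `"pattern": "^[0-9A-Fa-f.:]+(/[0-9]{1,3})?$"`, plus `"description": "Address or CIDR of the load balancer allowed to set the client address via PROXY protocol"`. The three `$ref` hunks that follow (including the two on the next line) only wire the definition in and need no change.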
@@ -245,6 +261,12 @@
 "allow_websocket_upgrade": {
 "$ref": "#/definitions/allow_websocket_upgrade"
 },
+ "enable_proxy_protocol": {
+ "$ref": "#/definitions/enable_proxy_protocol"
+ },
+ "load_balancer_ip": {
+ "$ref": "#/definitions/load_balancer_ip"
+ },
 "access_list_id": {
 "$ref": "#/definitions/access_list_id"
 },
@@ -318,6 +340,12 @@
 "allow_websocket_upgrade": {
 "$ref": "#/definitions/allow_websocket_upgrade"
 },
+ "enable_proxy_protocol": {
+ "$ref": "#/definitions/enable_proxy_protocol"
+ },
+ "load_balancer_ip": {
+ "$ref": "#/definitions/load_balancer_ip"
+ },
 "access_list_id": {
 "$ref": "#/definitions/access_list_id"
 },
diff --git a/backend/templates/_listen.conf b/backend/templates/_listen.conf
index 730f3a7c4..15f0c8659 100644
--- a/backend/templates/_listen.conf
+++ b/backend/templates/_listen.conf
@@ -1,15 +1,25 @@
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
+ listen 88 proxy_protocol;
+{% if ipv6 -%}
+ listen [::]:88 proxy_protocol;
+{% endif %}
+{% else -%}
 listen 80;
 {% if ipv6 -%}
 listen [::]:80;
-{% else -%}
- #listen [::]:80;
+{% endif %}
 {% endif %}
 {% if certificate -%}
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
+ listen 444 ssl{% if http2_support %} http2{% endif %} proxy_protocol;
+{% if ipv6 -%}
+ listen [::]:444 ssl{% if http2_support %} http2{% endif %} proxy_protocol;
+{% endif %}
+{% else -%}
 listen 443 ssl{% if http2_support %} http2{% endif %};
 {% if ipv6 -%}
 listen [::]:443 ssl{% if http2_support %} http2{% endif %};
-{% else -%}
- #listen [::]:443;
 {% endif %}
 {% endif %}
- server_name {{ domain_names | join: " " }};
+{% endif %}
+ server_name {{ domain_names | join: " " }};
\ No newline at end of file
diff --git a/backend/templates/_proxy_protocol.conf b/backend/templates/_proxy_protocol.conf
new file mode 100644
index 000000000..fa81494b7
--- /dev/null
+++ b/backend/templates/_proxy_protocol.conf
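Review bot: With PROXY protocol enabled the plain 80/443 listeners are replaced, not supplemented, by listeners on 88 and 444, and those two port numbers appear nowhere else in the series (no schema description, no i18n help text), so an operator has to read this template to learn where the balancer must connect. A comment at the top of the template would carry that contract: `{% comment %} PROXY-protocol hosts listen on 88/444 instead of 80/443; the load balancer must target these ports and is the only peer that should be able to reach them. {% endcomment %}`. As a point of style, the two new `true%}` tags lack the space before `%}` that `proxy_host.conf` uses in its `allow_websocket_upgrade == true %}` test on the next line of this series.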
@@ -0,0 +1,6 @@
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true %}
+{% if load_balancer_ip != '' %}
+ set_real_ip_from {{ load_balancer_ip }};
+ real_ip_header proxy_protocol;
+{% endif %}
+{% endif %}
\ No newline at end of file
diff --git a/backend/templates/proxy_host.conf b/backend/templates/proxy_host.conf
index ec30cca0d..d733c853a 100644
--- a/backend/templates/proxy_host.conf
+++ b/backend/templates/proxy_host.conf
@@ -12,6 +12,7 @@ server {
 {% include "_exploits.conf" %}
 {% include "_hsts.conf" %}
 {% include "_forced_ssl.conf" %}
+{% include "_proxy_protocol.conf" %}
 {% if allow_websocket_upgrade == 1 or allow_websocket_upgrade == true %}
 proxy_set_header Upgrade $http_upgrade;
diff --git a/frontend/js/app/nginx/proxy/form.ejs b/frontend/js/app/nginx/proxy/form.ejs
index 56868f552..9c30f13c4 100644
--- a/frontend/js/app/nginx/proxy/form.ejs
+++ b/frontend/js/app/nginx/proxy/form.ejs
@@ -72,7 +72,7 @@
-
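Review bot: `set_real_ip_from {{ load_balancer_ip }};` interpolates the field without any check that it holds exactly one address or CIDR, and the schema added earlier in this series only bounds its length; since this directive decides which peer may rewrite `$remote_addr`, which the access-list and logging templates presumably consume, the value needs a format check at the API boundary (a `pattern` in the schema) rather than trust in the form. The template should also state its contract so a future edit does not widen it: `{% comment %} load_balancer_ip must be a single IPv4/IPv6 address or CIDR; only a PROXY header from that peer replaces $remote_addr. {% endcomment %}`. When the flag is on but the field is empty the guard skips both directives, so the listener still accepts PROXY headers while every client appears as the balancer's address; that behaviour is worth a second comment line, and the UI help text should say the same.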
+
+
+
+ +
+
+
+
+ + > +
+
diff --git a/frontend/js/app/nginx/proxy/form.js b/frontend/js/app/nginx/proxy/form.js
index 1dfb5c189..5ffd145a0 100644
--- a/frontend/js/app/nginx/proxy/form.js
+++ b/frontend/js/app/nginx/proxy/form.js
@@ -43,7 +43,9 @@ module.exports = Mn.View.extend({
 dns_provider_credentials: 'textarea[name="meta[dns_provider_credentials]"]',
 propagation_seconds: 'input[name="meta[propagation_seconds]"]',
 forward_scheme: 'select[name="forward_scheme"]',
- letsencrypt: '.letsencrypt'
+ letsencrypt: '.letsencrypt',
+ enable_proxy_protocol: 'input[name="enable_proxy_protocol"]',
+ load_balancer_ip: 'input[name="load_balancer_ip"]'
 },
 regions: {
@@ -51,6 +53,14 @@ module.exports = Mn.View.extend({
 },
 events: {
+ 'change @ui.enable_proxy_protocol': function () {
+ let checked = this.ui.enable_proxy_protocol.prop('checked');
+ this.ui.load_balancer_ip
+ .prop('disabled', !checked)
+ .parents('.form-group')
+ .css('opacity', checked ? 1 : 0.5);
+ },
+
 'change @ui.certificate_select': function () {
 let id = this.ui.certificate_select.val();
 if (id === 'new') {
@@ -163,6 +173,7 @@ module.exports = Mn.View.extend({
 data.block_exploits = !!data.block_exploits;
 data.caching_enabled = !!data.caching_enabled;
 data.allow_websocket_upgrade = !!data.allow_websocket_upgrade;
+ data.enable_proxy_protocol = !!data.enable_proxy_protocol;
 data.http2_support = !!data.http2_support;
 data.hsts_enabled = !!data.hsts_enabled;
 data.hsts_subdomains = !!data.hsts_subdomains;
@@ -264,6 +275,7 @@ module.exports = Mn.View.extend({
 onRender: function () {
 let view = this;
+ this.ui.enable_proxy_protocol.trigger('change');
 this.ui.ssl_forced.trigger('change');
 this.ui.hsts_enabled.trigger('change');
diff --git a/frontend/js/i18n/messages.json b/frontend/js/i18n/messages.json
index 896a9633d..1aaa3ac7a 100644
--- a/frontend/js/i18n/messages.json
+++ b/frontend/js/i18n/messages.json
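Review bot: The third hunk coerces `enable_proxy_protocol` to a boolean but does nothing for `load_balancer_ip`, which reaches the backend exactly as typed, so trailing whitespace or an empty string pasted with spaces ends up in `set_real_ip_from`; normalise it next to the new line: `data.load_balancer_ip = (data.load_balancer_ip || '').trim();`. Because the new `change` handler in the second hunk disables the IP input when the box is unticked, and disabled controls are normally left out of jQuery form serialisation (the serialisation call is outside these hunks, so this is inferred), whether `load_balancer_ip` is sent at all depends on the checkbox state; the same normalising line makes the submitted value explicit in both cases. The handler itself reads fine; `let checked` follows the file's existing `let` convention.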
@@ -133,7 +133,9 @@
 "allow-websocket-upgrade": "Websockets Support",
 "ignore-invalid-upstream-ssl": "Ignore Invalid SSL",
 "custom-forward-host-help": "Add a path for sub-folder forwarding.\nExample: 203.0.113.25/path",
- "search": "Search Host…"
+ "search": "Search Host…",
+ "enable-proxy-protocol": "Enable PROXY Protocol",
+ "load-balancer-ip": "Load balancer or TCP proxy IP / CIDR range "
 },
 "redirection-hosts": {
 "title": "Redirection Hosts",
diff --git a/frontend/js/models/proxy-host.js b/frontend/js/models/proxy-host.js
index b82d09fef..b1a80f541 100644
--- a/frontend/js/models/proxy-host.js
+++ b/frontend/js/models/proxy-host.js
@@ -19,6 +19,8 @@ const model = Backbone.Model.extend({
 hsts_subdomains: false,
 caching_enabled: false,
 allow_websocket_upgrade: false,
+ enable_proxy_protocol: false,
+ load_balancer_ip: '',
 block_exploits: false,
 http2_support: false,
 advanced_config: '',

From eac0517e631f13983b80873fe2b8e04ad59d3ad0 Mon Sep 17 00:00:00 2001
From: jwklijnsma
Date: Fri, 9 Feb 2024 18:49:31 +0100
Subject: [PATCH 2/6] add.

---
 .../internal/20220209144645_proxy_protocol.js | 36 +++++++++++++++++++
 backend/internal/nginx.js | 2 +-
 backend/schema/endpoints/proxy-hosts.json | 10 ++++++
 3 files changed, 47 insertions(+), 1 deletion(-)
 create mode 100644 backend/internal/20220209144645_proxy_protocol.js

diff --git a/backend/internal/20220209144645_proxy_protocol.js b/backend/internal/20220209144645_proxy_protocol.js
new file mode 100644
index 000000000..8c8099128
--- /dev/null
+++ b/backend/internal/20220209144645_proxy_protocol.js
@@ -0,0 +1,36 @@
+const migrate_name = 'proxy_protocol';
+const logger = require('../logger').migrate;
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.up = function (knex/*, Promise*/) {
+ logger.info('[' + migrate_name + '] Migrating Up...');
+
+ return knex.schema.table('proxy_host', function (proxy_host) {
+ proxy_host.integer('enable_proxy_protocol').notNull().unsigned().defaultTo(0);
+ proxy_host.string('load_balancer_ip').notNull().defaultTo('');
+ })
+ .then(() => {
+ logger.info('[' + migrate_name + '] proxy_host Table altered');
+ });
+
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param {Object} knex
+ * @param {Promise} Promise
+ * @returns {Promise}
+ */
+exports.down = function (knex, Promise) {
+ logger.warn('[' + migrate_name + '] You can\'t migrate down this one.');
+ return Promise.resolve(true);
+};
\ No newline at end of file
diff --git a/backend/internal/nginx.js b/backend/internal/nginx.js
index a92d23b54..e5b62f140 100644
--- a/backend/internal/nginx.js
+++ b/backend/internal/nginx.js
@@ -154,7 +154,7 @@ const internalNginx = {
 for (let i = 0; i < host.locations.length; i++) {
 let locationCopy = Object.assign({}, {access_list_id: host.access_list_id}, {certificate_id: host.certificate_id},
 {ssl_forced: host.ssl_forced}, {caching_enabled: host.caching_enabled}, {block_exploits: host.block_exploits},
- {allow_websocket_upgrade: host.allow_websocket_upgrade}, {enable_proxy_protocol: host.enable_proxy_protocol},
+ {allow_websocket_upgrade: host.allow_websocket_upgrade}, {enable_proxy_protocol: host.enable_proxy_protocol}, {enable_proxy_protocol: host.enable_proxy_protocol},
 {load_balancer_ip: host.load_balancer_ip}, {http2_support: host.http2_support},
 {hsts_enabled: host.hsts_enabled}, {hsts_subdomains: host.hsts_subdomains}, {access_list: host.access_list},
 {certificate: host.certificate}, host.locations[i]);
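Review bot: This file is a byte-for-byte copy of `backend/migrations/20220209144645_proxy_protocol.js` from the first commit of the series (both hunks show the same blob id `8c8099128`), placed under `backend/internal/` where nothing on this page references it. Unless knex is configured to load migrations from `backend/internal/`, which is not shown here, the copy never runs, and if it did run it would try to add the same two columns a second time. The file should be removed from this commit; the original under `backend/migrations/` already does the work.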
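Review bot: The replacement line in the `nginx.js` hunk carries `{enable_proxy_protocol: host.enable_proxy_protocol}` twice; `Object.assign` resolves the duplicate to the same value, so the copy is harmless but reads as an editing accident and lengthens an already long line. The removed line was already correct, so the whole hunk can be dropped; if a change is kept, it should read `{allow_websocket_upgrade: host.allow_websocket_upgrade}, {enable_proxy_protocol: host.enable_proxy_protocol},`. The enclosing `for` loop and `Object.assign` call continue outside the hunk.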
diff --git a/backend/schema/endpoints/proxy-hosts.json b/backend/schema/endpoints/proxy-hosts.json
index 27a8ec2ab..c74f655a2 100644
--- a/backend/schema/endpoints/proxy-hosts.json
+++ b/backend/schema/endpoints/proxy-hosts.json
@@ -68,6 +68,16 @@
 "minLength": 0,
 "maxLength": 255
 },
+ "enable_proxy_protocol": {
+ "description": "Enable PROXY Protocol support",
+ "example": true,
+ "type": "boolean"
+ },
+ "load_balancer_ip": {
+ "type": "string",
+ "minLength": 0,
+ "maxLength": 255
+ },
 "access_list_id": {
 "$ref": "../definitions.json#/definitions/access_list_id"
 },

From 07e973faf7cd3e46668c8f7b1ec9040dc3c203a1 Mon Sep 17 00:00:00 2001
From: jwklijnsma
Date: Tue, 27 Feb 2024 11:32:57 +0100
Subject: [PATCH 3/6] fix error jenkins

---
 backend/templates/_listen.conf | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/backend/templates/_listen.conf b/backend/templates/_listen.conf
index 0bb2d02d4..15f0c8659 100644
--- a/backend/templates/_listen.conf
+++ b/backend/templates/_listen.conf
@@ -10,11 +10,15 @@
 {% endif %}
 {% endif %}
 {% if certificate -%}
- listen 443 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %};
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
+ listen 444 ssl{% if http2_support %} http2{% endif %} proxy_protocol;
 {% if ipv6 -%}
- listen [::]:443 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %};
+ listen [::]:444 ssl{% if http2_support %} http2{% endif %} proxy_protocol;
+{% endif %}
 {% else -%}
- #listen [::]:443;
+ listen 443 ssl{% if http2_support %} http2{% endif %};
+{% if ipv6 -%}
+ listen [::]:443 ssl{% if http2_support %} http2{% endif %};
 {% endif %}
 {% endif %}
 {% endif %}

From 198144da169d2efc332865ec46228d2e9bd23562 Mon Sep 17 00:00:00 2001
From: jwklijnsma
Date: Tue, 27 Feb 2024 11:38:28 +0100
Subject: [PATCH 4/6] fix

---
 backend/templates/_listen.conf | 1 -
 1 file changed, 1 deletion(-)
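Review bot: This hunk adds `enable_proxy_protocol` and `load_balancer_ip` to `definitions` a second time: the context lines `"minLength": 0, "maxLength": 255 },` directly above are the tail of the `load_balancer_ip` definition introduced by the first commit, so the object now holds two members under each name. Most JSON parsers accept duplicate keys and silently keep the last one, while strict parsers and linters reject the file, so validation behaviour becomes parser-dependent. The hunk should be dropped; if the intent was to add `description`/`example` fields to the existing `load_balancer_ip`, edit that definition in place instead.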
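Review bot: The `_listen.conf` hunk in the third patch replaces `{% if http2_support == 1 or http2_support == true %}` on the two 443 lines with the bare `{% if http2_support %}` and uses the bare form on the new 444 lines as well; in Liquid an integer `0` is truthy, and the explicit comparison is the idiom this series uses for the other integer-backed flags (`enable_proxy_protocol` two lines up, `allow_websocket_upgrade` in `proxy_host.conf`), so the bare test likely turns `http2` on for every host regardless of the stored value. Keep the strict form on all four listen lines, e.g. `listen 444 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %} proxy_protocol;`. The same regression is carried through the rewrites of this block in the fifth and sixth patches.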
diff --git a/backend/templates/_listen.conf b/backend/templates/_listen.conf
index 15f0c8659..9081f240f 100644
--- a/backend/templates/_listen.conf
+++ b/backend/templates/_listen.conf
@@ -20,6 +20,5 @@
 {% if ipv6 -%}
 listen [::]:443 ssl{% if http2_support %} http2{% endif %};
 {% endif %}
-{% endif %}
 {% endif %}
 server_name {{ domain_names | join: " " }};
\ No newline at end of file

From 2fde003525e080ae9d8ae3251483fcbfe07dc4f0 Mon Sep 17 00:00:00 2001
From: jwklijnsma
Date: Tue, 27 Feb 2024 11:44:49 +0100
Subject: [PATCH 5/6] fix

---
 backend/templates/_listen.conf | 43 ++++++++++++++++++----------------
 1 file changed, 23 insertions(+), 20 deletions(-)

diff --git a/backend/templates/_listen.conf b/backend/templates/_listen.conf
index 9081f240f..1817912d7 100644
--- a/backend/templates/_listen.conf
+++ b/backend/templates/_listen.conf
@@ -1,24 +1,27 @@
-{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true %}
 listen 88 proxy_protocol;
-{% if ipv6 -%}
- listen [::]:88 proxy_protocol;
-{% endif %}
-{% else -%}
+ {% if ipv6 -%}
+ listen [::]:88 proxy_protocol;
+ {% endif %}
+{% else %}
 listen 80;
-{% if ipv6 -%}
- listen [::]:80;
-{% endif %}
+ {% if ipv6 -%}
+ listen [::]:80;
+ {% endif %}
 {% endif %}
-{% if certificate -%}
-{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
- listen 444 ssl{% if http2_support %} http2{% endif %} proxy_protocol;
-{% if ipv6 -%}
- listen [::]:444 ssl{% if http2_support %} http2{% endif %} proxy_protocol;
+
+{% if certificate %}
+ {% if enable_proxy_protocol == 1 or enable_proxy_protocol == true %}
+ listen 444 ssl{% if http2_support %} http2{% endif %} proxy_protocol;
+ {% if ipv6 -%}
+ listen [::]:444 ssl{% if http2_support %} http2{% endif %} proxy_protocol;
+ {% endif %}
+ {% else %}
+ listen 443 ssl{% if http2_support %} http2{% endif %};
+ {% if ipv6 -%}
+ listen [::]:443 ssl{% if http2_support %} http2{% endif %};
+ {% endif %}
+ {% endif %}
 {% endif %}
-{% else -%}
- listen 443 ssl{% if http2_support %} http2{% endif %};
-{% if ipv6 -%}
- listen [::]:443 ssl{% if http2_support %} http2{% endif %};
-{% endif %}
-{% endif %}
- server_name {{ domain_names | join: " " }};
\ No newline at end of file
+
+server_name {{ domain_names | join: " " }};
\ No newline at end of file

From b91d8341fca197e6ff53f6fd33332a51a9dfaf59 Mon Sep 17 00:00:00 2001
From: jwklijnsma
Date: Tue, 27 Feb 2024 11:50:55 +0100
Subject: [PATCH 6/6] add

---
 backend/templates/_listen.conf | 46 +++++++++++++++++-----------------
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/backend/templates/_listen.conf b/backend/templates/_listen.conf
index 1817912d7..e757d2ee3 100644
--- a/backend/templates/_listen.conf
+++ b/backend/templates/_listen.conf
@@ -1,27 +1,27 @@
-{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true %}
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
 listen 88 proxy_protocol;
- {% if ipv6 -%}
- listen [::]:88 proxy_protocol;
- {% endif %}
-{% else %}
+{% if ipv6 -%}
+ listen [::]:88 proxy_protocol;
+{% endif %}
+{% else -%}
 listen 80;
- {% if ipv6 -%}
- listen [::]:80;
- {% endif %}
+{% if ipv6 -%}
+ listen [::]:80;
+{% endif %}
 {% endif %}
-
-{% if certificate %}
- {% if enable_proxy_protocol == 1 or enable_proxy_protocol == true %}
- listen 444 ssl{% if http2_support %} http2{% endif %} proxy_protocol;
- {% if ipv6 -%}
- listen [::]:444 ssl{% if http2_support %} http2{% endif %} proxy_protocol;
- {% endif %}
- {% else %}
- listen 443 ssl{% if http2_support %} http2{% endif %};
- {% if ipv6 -%}
- listen [::]:443 ssl{% if http2_support %} http2{% endif %};
- {% endif %}
- {% endif %}
+{% if certificate -%}
+{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true%}
+ listen 444 ssl{% if http2_support %} http2{% endif %} proxy_protocol;
+{% if ipv6 -%}
+ listen [::]:444 ssl{% if http2_support %} http2{% endif %} proxy_protocol;
 {% endif %}
-
-server_name {{ domain_names | join: " " }};
\ No newline at end of file
+{% else -%}
+ listen 443 ssl{% if http2_support %} http2{% endif %};
+{% endif %}
+{% else -%}
+{% if ipv6 -%}
+ listen [::]:443 ssl{% if http2_support %} http2{% endif %};
+{% endif %}
+{% endif %}
+{% endif %}
+ server_name {{ domain_names | join: " " }};
\ No newline at end of file
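Review bot: The block structure this final patch produces is wrong: the `{% if ipv6 %}` holding `listen [::]:443 ssl` now sits in the `{% else %}` branch of `{% if certificate %}`, so a host with no certificate and IPv6 on gets an `ssl` listener with nothing to serve it (nginx should refuse that at config test), while a host with a certificate and PROXY protocol off gets no IPv6 443 listener at all; the closing run also has one more `{% endif %}` than there are open `if` blocks, which the template engine is likely to reject. The nesting the previous patch had (each of the 444 and 443 branches carrying its own `{% if ipv6 %}` inside the `certificate` branch) was correct and should be restored; the rewrite below does that and also uses the strict `http2_support` comparison the file had before this series.
```nginx
# … unchanged: port 88 / port 80 block …
{% if certificate -%}
{% if enable_proxy_protocol == 1 or enable_proxy_protocol == true %}
    listen 444 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %} proxy_protocol;
{% if ipv6 -%}
    listen [::]:444 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %} proxy_protocol;
{% endif %}
{% else -%}
    listen 443 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %};
{% if ipv6 -%}
    listen [::]:443 ssl{% if http2_support == 1 or http2_support == true %} http2{% endif %};
{% endif %}
{% endif %}
{% endif %}
    server_name {{ domain_names | join: " " }};
```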