dokku/plugins/nginx-vhosts/functions

#!/usr/bin/env bash
set -eo pipefail
[[ $DOKKU_TRACE ]] && set -x
source "$PLUGIN_CORE_AVAILABLE_PATH/common/functions"
source "$PLUGIN_AVAILABLE_PATH/certs/functions"
source "$PLUGIN_AVAILABLE_PATH/config/functions"
source "$PLUGIN_AVAILABLE_PATH/nginx-vhosts/internal-functions"

fn-nginx-log-root() {
  declare desc="get the nginx log root"
  local NGINX_LOG_ROOT="/var/log/nginx"
  fn-nginx-vhosts-uses-openresty && NGINX_LOG_ROOT="/var/log/openresty"
  echo "$NGINX_LOG_ROOT"
}

fn-nginx-access-log-format() {
  declare desc="get the configured access log format"
  declare APP="$1"

  fn-plugin-property-get-default "nginx" "$APP" "access-log-format" ""
}

fn-nginx-access-log-path() {
  declare desc="get the configured access log path"
  declare APP="$1"
  local NGINX_LOG_ROOT="$(fn-nginx-log-root)"

  fn-plugin-property-get-default "nginx" "$APP" "access-log-path" "${NGINX_LOG_ROOT}/${APP}-access.log"
}

fn-nginx-proxy-buffer-size() {
  declare desc="get the configured proxy buffer size"
  declare APP="$1"

  fn-plugin-property-get-default "nginx" "$APP" "proxy-buffer-size" "$(fn-get-pagesize)"
}

fn-nginx-proxy-buffering() {
  declare desc="get the configured proxy buffering"
  declare APP="$1"

  fn-plugin-property-get-default "nginx" "$APP" "proxy-buffering" "on"
}

fn-nginx-proxy-buffers() {
  declare desc="get the configured proxy buffers"
  declare APP="$1"

  fn-plugin-property-get-default "nginx" "$APP" "proxy-buffers" "8 $(fn-get-pagesize)"
}

fn-nginx-proxy-busy-buffers-size() {
  declare desc="get the configured proxy busy buffers size"
  declare APP="$1"

  fn-plugin-property-get-default "nginx" "$APP" "proxy-busy-buffers-size" "$(($(fn-get-pagesize) * 2))"
}

fn-nginx-proxy-read-timeout() {
  declare desc="get the configured proxy read timeout"
  declare APP="$1"

  fn-plugin-property-get-default "nginx" "$APP" "proxy-read-timeout" "60s"
}

fn-nginx-client-max-body-size() {
  declare desc="get the configured client max body size"
  declare APP="$1"

  fn-plugin-property-get-default "nginx" "$APP" "client-max-body-size" ""
}

fn-nginx-error-log-path() {
  declare desc="get the configured access log path"
  declare APP="$1"
  local NGINX_LOG_ROOT="$(fn-nginx-log-root)"

  fn-plugin-property-get-default "nginx" "$APP" "error-log-path" "${NGINX_LOG_ROOT}/${APP}-error.log"
}

get_nginx_location() {
  declare desc="check that nginx is at the expected location and return it"
  fn-nginx-vhosts-nginx-location
}

validate_nginx() {
  declare desc="validate entire nginx config"
  declare APP="${1:-}" FLAG="${2:-}"
  local NGINX_LOCATION EXIT_CODE
  NGINX_LOCATION=$(get_nginx_location)
  if [[ -z "$NGINX_LOCATION" ]]; then
    exit 1
  fi

  if [[ "$APP" == "--clean" ]]; then
    APP=""
    FLAG="--clean"
  fi

  set +e
  sudo "$NGINX_LOCATION" -t >/dev/null 2>&1
  EXIT_CODE=$?
  set -e
  if [[ "$EXIT_CODE" -eq "0" ]]; then
    return
  fi

  if [[ -n "$APP" ]]; then
    verify_app_name "$APP"
    nginx_vhosts_validate_single_func "$APP" "$FLAG"
  else
    for app in $(dokku_apps "false"); do
      nginx_vhosts_validate_single_func "$app" "$FLAG"
    done
  fi

  set +e
  sudo "$NGINX_LOCATION" -t >/dev/null 2>&1
  EXIT_CODE=$?
  set -e
  if [[ "$EXIT_CODE" -eq "0" ]]; then
    return
  fi

  sudo "$NGINX_LOCATION" -t
  exit $?
}

restart_nginx() {
  declare desc="restart nginx for given distros"
  local PROXY_ENABLED="$(plugn trigger proxy-is-enabled "$APP")"
  local PROXY_TYPE="$(plugn trigger proxy-type "$APP")"
  if [[ "$PROXY_ENABLED" == "true" ]] && [[ "$PROXY_TYPE" == "nginx" ]]; then
    fn-nginx-vhosts-nginx-init-cmd "reload"
  fi
}

nginx_logs() {
  declare desc="display app nginx logs"
  declare NGINX_LOGS_TYPE="${1#nginx:}" APP="$2"

  local NGINX_LOGS_TYPE=${NGINX_LOGS_TYPE%-logs}
  local NGINX_LOGS_PATH="$("fn-nginx-${NGINX_LOGS_TYPE}-log-path" "$APP")"

  if [[ "$NGINX_LOGS_PATH" == "off" ]] || [[ "$NGINX_LOGS_PATH" == "/dev/null" ]]; then
    dokku_log_fail "$NGINX_LOGS_TYPE logs are disabled for this app"
  fi

  if [[ $3 == "-t" ]]; then
    local NGINX_LOGS_ARGS="-F"
  else
    local NGINX_LOGS_ARGS="-n 20"
  fi

  tail "$NGINX_LOGS_ARGS" "$NGINX_LOGS_PATH"
}

configure_nginx_ports() {
  declare desc="configure nginx listening ports"
  local APP=$1
  local RAW_TCP_PORTS="$(get_app_raw_tcp_ports "$APP")"
  local DOKKU_PROXY_PORT=$(config_get "$APP" DOKKU_PROXY_PORT)
  local DOKKU_PROXY_SSL_PORT=$(config_get "$APP" DOKKU_PROXY_SSL_PORT)
  local DOKKU_PROXY_PORT_MAP=$(config_get "$APP" DOKKU_PROXY_PORT_MAP)
  local IS_APP_VHOST_ENABLED=true
  local UPSTREAM_PORT="5000"
  plugn trigger domains-vhost-enabled "$APP" 2>/dev/null || IS_APP_VHOST_ENABLED=false

  if [[ -z "$DOKKU_PROXY_PORT" ]] && [[ -z "$RAW_TCP_PORTS" ]]; then
    if [[ "$IS_APP_VHOST_ENABLED" == "false" ]]; then
      dokku_log_info1 "No proxy port set, setting to random open high port"
      local PROXY_PORT=$(get_available_port)
    else
      local PROXY_PORT=$(config_get --global DOKKU_PROXY_PORT)
      PROXY_PORT=${PROXY_PORT:=80}
    fi
    DOKKU_QUIET_OUTPUT=1 config_set --no-restart "$APP" DOKKU_PROXY_PORT="$PROXY_PORT"
  fi
  if [[ -z "$DOKKU_PROXY_SSL_PORT" ]]; then
    if (is_ssl_enabled "$APP"); then
      local PROXY_SSL_PORT=$(config_get --global DOKKU_PROXY_SSL_PORT)
      PROXY_SSL_PORT=${PROXY_SSL_PORT:=443}
      if [[ -z "$RAW_TCP_PORTS" ]] && [[ "$IS_APP_VHOST_ENABLED" == "false" ]]; then
        dokku_log_info1 "No proxy ssl port set, setting to random open high port"
        PROXY_SSL_PORT=$(get_available_port)
      fi
      DOKKU_QUIET_OUTPUT=1 config_set --no-restart "$APP" DOKKU_PROXY_SSL_PORT="$PROXY_SSL_PORT"
    fi
  fi
  if [[ -z "$DOKKU_PROXY_PORT_MAP" ]]; then
    if [[ -n "$RAW_TCP_PORTS" ]]; then
      local RAW_TCP_PORT
      for RAW_TCP_PORT in $RAW_TCP_PORTS; do
        local PROXY_PORT_MAP+=" http:${RAW_TCP_PORT}:${RAW_TCP_PORT} "
      done
    else
      local PROXY_PORT=${PROXY_PORT:-$DOKKU_PROXY_PORT}
      local PROXY_SSL_PORT=${PROXY_SSL_PORT:-$DOKKU_PROXY_SSL_PORT}
      [[ -f "$DOKKU_ROOT/$APP/PORT.web.1" ]] && local UPSTREAM_PORT="$(<"$DOKKU_ROOT/$APP/PORT.web.1")"
      if [[ -n "$PROXY_PORT" ]] && [[ -n "$PROXY_SSL_PORT" ]]; then
        local PROXY_PORT_MAP+=" http:${PROXY_PORT}:$UPSTREAM_PORT https:${PROXY_SSL_PORT}:$UPSTREAM_PORT "
      elif [[ -n "$PROXY_PORT" ]]; then
        local PROXY_PORT_MAP+=" http:${PROXY_PORT}:$UPSTREAM_PORT "
      fi
    fi
    if [[ -n "$PROXY_PORT_MAP" ]]; then
      local PROXY_PORT_MAP="$(echo "$PROXY_PORT_MAP" | xargs)"
      local PROXY_PORT_MAP+=" $(merge_dedupe_list "$(remove_val_from_list "$PORT_MAP" "$DOKKU_PROXY_PORT_MAP" " ")" " ") "
      DOKKU_QUIET_OUTPUT=1 config_set --no-restart "$APP" DOKKU_PROXY_PORT_MAP="$PROXY_PORT_MAP"
    fi
  fi
}

validate_ssl_domains() {
  declare desc="check configured domains against SSL cert contents and show warning if mismatched"
  local APP=$1
  local VHOST_PATH="$DOKKU_ROOT/$APP/VHOST"
  local SSL_HOSTNAME=$(get_ssl_hostnames "$APP")
  local SSL_HOSTNAME_REGEX=$(echo "$SSL_HOSTNAME" | xargs | sed 's|\.|\\.|g' | sed 's/\*/\[^\.\]\*/g' | sed 's/ /|/g')

  if ! (grep -q -E "^${SSL_HOSTNAME_REGEX}$" "$VHOST_PATH" &>/dev/null); then
    dokku_log_info1 "No matching configured domains for $APP found in SSL certificate. Your app will show as insecure in a browser if accessed via SSL"
    dokku_log_info1 "Please add appropriate domains via the dokku domains command"
    [[ -n "$NONSSL_VHOSTS" ]] && dokku_log_info1 "Configured domains for app:"
    local domain
    for domain in $(echo "$NONSSL_VHOSTS" | xargs); do
      dokku_log_info2 "$domain"
    done
    [[ -n "$SSL_HOSTNAME" ]] && dokku_log_info1 "Domains found in SSL certificate:"
    for domain in $(echo "$SSL_HOSTNAME" | xargs); do
      dokku_log_info2 "$domain"
    done
  fi
}

get_custom_nginx_template() {
  declare desc="attempts to copy custom nginx template from app image"
  local APP="$1"
  local DESTINATION_FILE="$2"
  local IMAGE_TAG="$(get_running_image_tag "$APP")"
  local IMAGE=$(get_deploying_app_image_name "$APP" "$IMAGE_TAG")
  local NGINX_TEMPLATE_NAME="nginx.conf.sigil"
  local DISABLE_CUSTOM_CONFIG="$(fn-plugin-property-get-default "nginx" "$APP" "disable-custom-config" "false")"

  if [[ "$DISABLE_CUSTOM_CONFIG" == "true" ]]; then
    return
  fi

  copy_from_image "$IMAGE" "$NGINX_TEMPLATE_NAME" "$DESTINATION_FILE" 2>/dev/null || true
}

is_tls13_available() {
  declare desc="detects whether the installed nginx version has TLSv1.3 support"
  local NGINX_VERSION="$1"
  local MAJOR_VERSION MINOR_VERSION PATCH_VERSION
  local HAS_SUPPORT=false

  MAJOR_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[1]}')
  MINOR_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[2]}')
  PATCH_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[3]}')
  if [[ "$MAJOR_VERSION" -ge "2" ]]; then
    HAS_SUPPORT=true
  elif [[ "$MAJOR_VERSION" -eq "1" ]] && [[ "$MINOR_VERSION" -ge "13" ]]; then
    HAS_SUPPORT=true
  fi

  echo $HAS_SUPPORT
}

is_spdy_enabled() {
  declare desc="detects whether the installed nginx version has spdy support"
  local NGINX_VERSION="$1"
  local MAJOR_VERSION MINOR_VERSION PATCH_VERSION
  local HAS_SUPPORT=true

  MAJOR_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[1]}')
  MINOR_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[2]}')
  PATCH_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[3]}')
  if [[ "$MAJOR_VERSION" -ge "2" ]]; then
    HAS_SUPPORT=false
  elif [[ "$MAJOR_VERSION" -eq "1" ]]; then
    if [[ "$MINOR_VERSION" -ge "10" ]]; then
      HAS_SUPPORT=false
    elif [[ "$MINOR_VERSION" -ge "9" ]] && [[ "$PATCH_VERSION" -ge "5" ]]; then
      HAS_SUPPORT=false
    fi
  fi

  echo $HAS_SUPPORT
}

is_http2_push_enabled() {
  declare desc="detects whether the installed nginx version has http2 push support"
  local NGINX_VERSION="$1"
  local MAJOR_VERSION MINOR_VERSION PATCH_VERSION
  local HAS_SUPPORT=false

  MAJOR_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[1]}')
  MINOR_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[2]}')
  PATCH_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[3]}')
  if [[ "$MAJOR_VERSION" -ge "2" ]]; then
    HAS_SUPPORT=true
  elif [[ "$MAJOR_VERSION" -eq "1" ]]; then
    if [[ "$MINOR_VERSION" -eq "13" ]] && [[ "$PATCH_VERSION" -ge "9" ]]; then
      HAS_SUPPORT=true
    elif [[ "$MINOR_VERSION" -ge "14" ]]; then
      HAS_SUPPORT=true
    fi
  fi

  echo $HAS_SUPPORT
}

is_http2_enabled() {
  declare desc="detects whether the installed nginx version has http2 support"
  local NGINX_VERSION="$1"
  local MAJOR_VERSION MINOR_VERSION PATCH_VERSION
  local HAS_SUPPORT=false

  MAJOR_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[1]}')
  MINOR_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[2]}')
  PATCH_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[3]}')
  if [[ "$MAJOR_VERSION" -ge "2" ]]; then
    HAS_SUPPORT=true
  elif [[ "$MAJOR_VERSION" -eq "1" ]]; then
    if [[ "$MINOR_VERSION" -eq "11" ]] && [[ "$PATCH_VERSION" -ge "5" ]]; then
      HAS_SUPPORT=true
    elif [[ "$MINOR_VERSION" -ge "12" ]]; then
      HAS_SUPPORT=true
    fi
  fi

  echo $HAS_SUPPORT
}

is_grpc_enabled() {
  declare desc="detects whether the installed nginx version has grpc support"
  local NGINX_VERSION="$1"
  local MAJOR_VERSION MINOR_VERSION PATCH_VERSION
  local HAS_SUPPORT=false

  MAJOR_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[1]}')
  MINOR_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[2]}')
  PATCH_VERSION=$(echo "$NGINX_VERSION" | awk '{split($0,a,"."); print a[3]}')
  if [[ "$MAJOR_VERSION" -ge "2" ]]; then
    HAS_SUPPORT=true
  elif [[ "$MAJOR_VERSION" -eq "1" ]]; then
    if [[ "$MINOR_VERSION" -eq "13" ]] && [[ "$PATCH_VERSION" -ge "10" ]]; then
      HAS_SUPPORT=true
    elif [[ "$MINOR_VERSION" -ge "14" ]]; then
      HAS_SUPPORT=true
    fi
  fi

  echo $HAS_SUPPORT
}

nginx_build_config() {
  declare desc="build nginx config to proxy app containers using sigil"
  declare APP="$1" DOKKU_APP_LISTEN_PORT="$2" DOKKU_APP_LISTEN_IP="$3"
  local VHOST_PATH="$DOKKU_ROOT/$APP/VHOST"
  local APP_URLS_PATH="$DOKKU_ROOT/$APP/URLS"
  local NGINX_TEMPLATE_NAME="nginx.conf.sigil"
  local NGINX_TEMPLATE="$PLUGIN_AVAILABLE_PATH/nginx-vhosts/templates/$NGINX_TEMPLATE_NAME"
  local SCHEME=http
  local NGINX_TEMPLATE_SOURCE="built-in"
  local APP_SSL_PATH="$DOKKU_ROOT/$APP/tls"
  local RAW_TCP_PORTS="$(get_app_raw_tcp_ports "$APP")"
  local DOKKU_APP_LISTENERS

  CUSTOM_NGINX_TEMPLATE="$(plugn trigger nginx-app-template-source "$APP" "app-config")"
  if [[ -n "$CUSTOM_NGINX_TEMPLATE" ]]; then
    NGINX_TEMPLATE="$CUSTOM_NGINX_TEMPLATE"
  fi

  local IS_APP_VHOST_ENABLED=true
  plugn trigger domains-vhost-enabled "$APP" 2>/dev/null || IS_APP_VHOST_ENABLED=false

  if [[ "$(plugn trigger proxy-is-enabled "$APP")" == "true" ]]; then
    if [[ -z "$DOKKU_APP_LISTEN_PORT" ]] && [[ -z "$DOKKU_APP_LISTEN_IP" ]]; then
      DOKKU_APP_LISTENERS="$(plugn trigger network-get-listeners "$APP" "web" | xargs)"
    elif [[ -n "$DOKKU_APP_LISTEN_PORT" ]] && [[ -n "$DOKKU_APP_LISTEN_IP" ]]; then
      local PASSED_LISTEN_IP_PORT=true
    fi

    # setup nginx listen ports
    configure_nginx_ports "$APP"
    local PROXY_PORT=$(config_get "$APP" DOKKU_PROXY_PORT)
    local PROXY_SSL_PORT=$(config_get "$APP" DOKKU_PROXY_SSL_PORT)
    local PROXY_PORT_MAP=$(config_get "$APP" DOKKU_PROXY_PORT_MAP)

    local PORT_MAP
    for PORT_MAP in $PROXY_PORT_MAP; do
      local PROXY_UPSTREAM_PORT="$(awk -F ':' '{ print $3 }' <<<"$PORT_MAP")"
      if [[ "$(is_val_in_list "$PROXY_UPSTREAM_PORT" "$PROXY_UPSTREAM_PORTS" " ")" == "false" ]]; then
        local PROXY_UPSTREAM_PORTS+="$PROXY_UPSTREAM_PORT "
      fi
    done
    local PROXY_UPSTREAM_PORTS="$(echo "$PROXY_UPSTREAM_PORTS" | xargs)"

    local SSL_INUSE=
    local NONSSL_VHOSTS=$(plugn trigger domains-list "$APP")
    local NOSSL_SERVER_NAME=$(echo "$NONSSL_VHOSTS" | xargs)
    if is_ssl_enabled "$APP"; then
      local SSL_INUSE=true
      local SCHEME=https
      validate_ssl_domains "$APP"
      local SSL_HOSTNAME=$(get_ssl_hostnames "$APP")
      local SSL_HOSTNAME_REGEX=$(echo "$SSL_HOSTNAME" | xargs | sed 's|\.|\\.|g' | sed 's/\*/\[^\.\]\*/g' | sed 's/ /|/g')

      if [[ "$IS_APP_VHOST_ENABLED" == "true" ]]; then
        local SSL_VHOSTS=$(grep -E "^${SSL_HOSTNAME_REGEX}$" "$VHOST_PATH" || true)
      else
        local SSL_VHOSTS=$(<"$DOKKU_ROOT/VHOST")
      fi
      local SSL_SERVER_NAME
      local host
      for host in $SSL_VHOSTS; do
        # SSL_SERVER_NAME should only contain items not in NOSSL_SERVER_NAME
        if [[ ! $NOSSL_SERVER_NAME =~ (^|[[:space:]])$host($|[[:space:]]) ]]; then
          SSL_SERVER_NAME="${host}${SSL_SERVER_NAME:+ $SSL_SERVER_NAME}"
        fi
      done
    fi

    local NGINX_LOCATION NGINX_VERSION SPDY_SUPPORTED TLS13_SUPPORTED HTTP2_SUPPORTED HTTP2_PUSH_SUPPORTED GRPC_SUPPORTED
    NGINX_LOCATION=$(get_nginx_location)
    if [[ -z "$NGINX_LOCATION" ]]; then
      exit 1
    fi
    NGINX_VERSION="$("$NGINX_LOCATION" -v 2>&1 | cut -d'/' -f 2)"
    SPDY_SUPPORTED="$(is_spdy_enabled "$NGINX_VERSION")"
    TLS13_SUPPORTED="$(is_tls13_available "$NGINX_VERSION")"
    HTTP2_SUPPORTED="$(is_http2_enabled "$NGINX_VERSION")"
    HTTP2_PUSH_SUPPORTED="$(is_http2_push_enabled "$NGINX_VERSION")"
    GRPC_SUPPORTED="$(is_grpc_enabled "$NGINX_VERSION")"

    PROXY_PORT_MAP=$(echo "$PROXY_PORT_MAP" | xargs) # trailing spaces mess up default template

    local NGINX_LOG_ROOT="$(fn-nginx-log-root)"
    local NGINX_ACCESS_LOG_FORMAT="$(fn-nginx-access-log-format "$APP")"
    local NGINX_ACCESS_LOG_PATH="$(fn-nginx-access-log-path "$APP")"
    local NGINX_ERROR_LOG_PATH="$(fn-nginx-error-log-path "$APP")"
    local CLIENT_MAX_BODY_SIZE="$(fn-nginx-client-max-body-size "$APP")"
    local PROXY_READ_TIMEOUT="$(fn-nginx-proxy-read-timeout "$APP")"
    local PROXY_BUFFER_SIZE="$(fn-nginx-proxy-buffer-size "$APP")"
    local PROXY_BUFFERING="$(fn-nginx-proxy-buffering "$APP")"
    local PROXY_BUFFERS="$(fn-nginx-proxy-buffers "$APP")"
    local PROXY_BUSY_BUFFERS_SIZE="$(fn-nginx-proxy-busy-buffers-size "$APP")"

    if [[ -z "$DOKKU_APP_LISTENERS" ]]; then
      dokku_log_warn_quiet "No web listeners specified for $APP"
    elif (is_deployed "$APP"); then
      if [[ "$(plugn trigger network-get-static-listeners "$APP" "web")" == "" ]]; then
        local IMAGE_TAG=$(get_running_image_tag "$APP")
        local IMAGE=$(get_deploying_app_image_name "$APP" "$IMAGE_TAG" 2>/dev/null)
        if ! verify_image "$IMAGE" 2>/dev/null; then
          dokku_log_fail "Missing image for app"
        fi
      fi

      local NGINX_BUILD_CONFIG_TMP_WORK_DIR=$(mktemp -d "/tmp/dokku-${DOKKU_PID}-${FUNCNAME[0]}.XXXXXX")
      local NGINX_CONF=$(mktemp --tmpdir="${NGINX_BUILD_CONFIG_TMP_WORK_DIR}" "nginx.conf.XXXXXX")
      local CUSTOM_NGINX_TEMPLATE="$NGINX_BUILD_CONFIG_TMP_WORK_DIR/$NGINX_TEMPLATE_NAME"
      # shellcheck disable=SC2086
      trap "rm -rf '$NGINX_CONF' '$NGINX_BUILD_CONFIG_TMP_WORK_DIR' >/dev/null" RETURN INT TERM EXIT

      get_custom_nginx_template "$APP" "$CUSTOM_NGINX_TEMPLATE" 2>/dev/null
      if [[ -f "$CUSTOM_NGINX_TEMPLATE" ]]; then
        dokku_log_info1 'Overriding default nginx.conf with detected nginx.conf.sigil'
        local NGINX_TEMPLATE="$CUSTOM_NGINX_TEMPLATE"
        local NGINX_TEMPLATE_SOURCE="app-supplied"
      fi

      local NGINX_BIND_ADDRESS_IP4="$(fn-plugin-property-get-default "nginx" "$APP" "bind-address-ipv4" "")"
      local NGINX_BIND_ADDRESS_IP6="$(fn-plugin-property-get-default "nginx" "$APP" "bind-address-ipv6" "::")"
      [[ -z "$NGINX_BIND_ADDRESS_IP6" ]] && NGINX_BIND_ADDRESS_IP6="::"

      local PROXY_X_FORWARDED_FOR="$(fn-plugin-property-get-default "nginx" "$APP" "x-forwarded-for-value" "\$remote_addr")"
      local PROXY_X_FORWARDED_PORT="$(fn-plugin-property-get-default "nginx" "$APP" "x-forwarded-port-value" "\$server_port")"
      local PROXY_X_FORWARDED_PROTO="$(fn-plugin-property-get-default "nginx" "$APP" "x-forwarded-proto-value" "\$scheme")"
      local PROXY_X_FORWARDED_SSL="$(fn-plugin-property-get-default "nginx" "$APP" "x-forwarded-ssl" "")"

      eval "$(config_export app "$APP")"
      local SIGIL_PARAMS=(-f "$NGINX_TEMPLATE" APP="$APP" DOKKU_ROOT="$DOKKU_ROOT"
        NOSSL_SERVER_NAME="$NOSSL_SERVER_NAME"
        # Deprecated: Remove this after a few versions
        DOKKU_APP_LISTENERS="$DOKKU_APP_LISTENERS"
        DOKKU_LIB_ROOT="$DOKKU_LIB_ROOT"
        PASSED_LISTEN_IP_PORT="$PASSED_LISTEN_IP_PORT"
        SPDY_SUPPORTED="$SPDY_SUPPORTED"
        TLS13_SUPPORTED="$TLS13_SUPPORTED"
        HTTP2_SUPPORTED="$HTTP2_SUPPORTED"
        NGINX_LOG_ROOT="$NGINX_LOG_ROOT"
        NGINX_ACCESS_LOG_FORMAT="$NGINX_ACCESS_LOG_FORMAT"
        NGINX_ACCESS_LOG_PATH="$NGINX_ACCESS_LOG_PATH"
        NGINX_ERROR_LOG_PATH="$NGINX_ERROR_LOG_PATH"
        NGINX_BIND_ADDRESS_IP4="$NGINX_BIND_ADDRESS_IP4"
        NGINX_BIND_ADDRESS_IP6="$NGINX_BIND_ADDRESS_IP6"
        HTTP2_PUSH_SUPPORTED="$HTTP2_PUSH_SUPPORTED"
        GRPC_SUPPORTED="$GRPC_SUPPORTED"
        DOKKU_APP_LISTEN_PORT="$DOKKU_APP_LISTEN_PORT" DOKKU_APP_LISTEN_IP="$DOKKU_APP_LISTEN_IP"
        APP_SSL_PATH="$APP_SSL_PATH" SSL_INUSE="$SSL_INUSE" SSL_SERVER_NAME="$SSL_SERVER_NAME"
        CLIENT_MAX_BODY_SIZE="$CLIENT_MAX_BODY_SIZE"
        PROXY_READ_TIMEOUT="$PROXY_READ_TIMEOUT"
        PROXY_BUFFER_SIZE="$PROXY_BUFFER_SIZE"
        PROXY_BUFFERING="$PROXY_BUFFERING"
        PROXY_BUFFERS="$PROXY_BUFFERS"
        PROXY_BUSY_BUFFERS_SIZE="$PROXY_BUSY_BUFFERS_SIZE"
        # Deprecated: Remove this after a few versions
        NGINX_PORT="$PROXY_PORT" NGINX_SSL_PORT="$PROXY_SSL_PORT"
        PROXY_PORT="$PROXY_PORT" PROXY_SSL_PORT="$PROXY_SSL_PORT" RAW_TCP_PORTS="$RAW_TCP_PORTS"
        PROXY_PORT_MAP="$PROXY_PORT_MAP" PROXY_UPSTREAM_PORTS="$PROXY_UPSTREAM_PORTS"
        PROXY_X_FORWARDED_FOR="$PROXY_X_FORWARDED_FOR"
        PROXY_X_FORWARDED_PORT="$PROXY_X_FORWARDED_PORT"
        PROXY_X_FORWARDED_PROTO="$PROXY_X_FORWARDED_PROTO"
        PROXY_X_FORWARDED_SSL="$PROXY_X_FORWARDED_SSL")

      while read -r line || [[ -n "$line" ]]; do
        PROC_TYPE=${line%%=*}
        LISTENERS="$(plugn trigger network-get-listeners "$APP" "$PROC_TYPE" | xargs)"
        UPP_PROC_TYPE="${PROC_TYPE^^}"
        UPP_PROC_TYPE="${UPP_PROC_TYPE//-/_}"
        SIGIL_PARAMS+=("DOKKU_APP_${UPP_PROC_TYPE}_LISTENERS=$LISTENERS")
      done < <(plugn trigger ps-current-scale "$APP")

      if grep DOKKU_APP_LISTENERS "$NGINX_TEMPLATE"; then
        dokku_log_warn "Deprecated: Usage of DOKKU_APP_LISTENERS within nginx.conf.sigil templates is deprecated in favor of DOKKU_APP_WEB_LISTENERS"
      fi

      if grep NGINX_SSL_PORT "$NGINX_TEMPLATE"; then
        dokku_log_warn "Deprecated: Usage of NGINX_SSL_PORT within nginx.conf.sigil templates is deprecated in favor of PROXY_SSL_PORT"
      fi

      if grep NGINX_PORT "$NGINX_TEMPLATE"; then
        dokku_log_warn "Deprecated: Usage of NGINX_PORT within nginx.conf.sigil templates is deprecated in favor of PROXY_PORT"
      fi

      # execute sigil template processing
      xargs -i echo "-----> Configuring {}...(using $NGINX_TEMPLATE_SOURCE template)" <<<"$(echo "${SSL_VHOSTS}" "${NONSSL_VHOSTS}" | tr ' ' '\n' | sort -u)"
      sigil "${SIGIL_PARAMS[@]}" | cat -s >"$NGINX_CONF"

      dokku_log_info1 "Creating $SCHEME nginx.conf"
      mv "$NGINX_CONF" "$DOKKU_ROOT/$APP/nginx.conf"

      fn-nginx-vhosts-manage-hsts "$APP" "$SSL_INUSE"

      plugn trigger nginx-pre-reload "$APP" "$DOKKU_APP_LISTEN_PORT" "$DOKKU_APP_LISTEN_IP"

      dokku_log_verbose "Reloading nginx"
      validate_nginx && restart_nginx >/dev/null
    fi

    if ([[ -n "$NONSSL_VHOSTS" ]] || [[ -n "$SSL_VHOSTS" ]]) && [[ "$IS_APP_VHOST_ENABLED" == "true" ]]; then
      echo "# THIS FILE IS GENERATED BY DOKKU - DO NOT EDIT, YOUR CHANGES WILL BE OVERWRITTEN" >"$APP_URLS_PATH"
      xargs -i echo "$SCHEME://{}" <<<"$(echo "${SSL_VHOSTS}" "${NONSSL_VHOSTS}" | tr ' ' '\n' | sort -u)" >>"$APP_URLS_PATH"
    fi
  else
    # note because this clause is long. if the proxy is disabled:
    dokku_log_info1 "Nginx support is disabled for app ($APP)"
    if [[ -f "$DOKKU_ROOT/$APP/nginx.conf" ]]; then
      dokku_log_info1 "Deleting nginx.conf"
      rm "$DOKKU_ROOT/$APP/nginx.conf"

      if (is_deployed "$APP"); then
        dokku_log_info1 "Reloading nginx after nginx.conf deletion"
        validate_nginx && restart_nginx >/dev/null
      fi
    fi
  fi
}