opnsense-plugins/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/streams.conf


# LOG FORMATS
# Two stream log formats with the same columns: time, protocol, session
# status, bytes sent/received and session length. "anonymized" differs
# only in that the leading peer-address column is replaced by "::", so
# it carries no client IP. The access_log directives in this template
# select "main"; "anonymized" is defined for use elsewhere.
log_format main '$remote_addr [$time_local] $protocol $status $bytes_sent $bytes_received $session_time';
log_format anonymized ':: [$time_local] $protocol $status $bytes_sent $bytes_received $session_time';
# UPSTREAM SERVERS
{# One nginx "upstream" block per configured pool. The block name is the
   pool UUID with dashes stripped so it is a valid nginx identifier. #}
{% for pool in helpers.toList('OPNsense.Nginx.upstream') %}
upstream upstream{{ pool['@uuid'].replace('-','') }} {
{# Only "ip_hash" is translated here (stream has no ip_hash directive, so a
   consistent hash on the peer address is emitted instead). For any other
   algorithm value nothing is written, and nginx's default round-robin applies. #}
{% if pool.load_balancing_algorithm is defined and pool.load_balancing_algorithm == 'ip_hash' %}
hash $remote_addr consistent;
{% endif %}
{% for member_uuid in pool.serverentries.split(',') %}
{% set member = helpers.getUUID(member_uuid) %}
{# Tag boundaries are placed so the whole "server" directive renders on one
   line. Addresses containing ':' are treated as IPv6 literals and bracketed.
   "no_use" is inserted verbatim; presumably it holds a server flag such as
   "down" or "backup" — the model, not this template, constrains its value. #}
server {% if ':' in member.server %}[{% endif %}{{ member.server }}{% if ':' in member.server %}]{% endif
%}{% if member.port is defined %}:{{ member.port }}{% endif
%}{% if member.priority is defined %} weight={{ member.priority }}{% endif
%}{% if member.max_conns is defined %} max_conns={{ member.max_conns }}{% endif
%}{% if member.max_fails is defined %} max_fails={{ member.max_fails }}{% endif
%}{% if member.fail_timeout is defined %} fail_timeout={{ member.fail_timeout }}{% endif
%}{% if member.no_use is defined %} {{ member.no_use }}{% endif %};
{% endfor %}
}
{% endfor %}
# upstream maps
{# One "map" per SNI -> upstream table. The server name extracted by
   ssl_preread is looked up and the variable receives the upstream block
   name. There is no "default" entry, so a connection without SNI or with an
   unlisted name leaves the variable empty; a proxy_pass on an empty target
   should then fail rather than fall through to some other pool. No
   "hostnames" parameter is given, so entries are exact names (or nginx "~"
   regex syntax), matched case-insensitively as nginx maps are. #}
{% for sni_map in helpers.toList('OPNsense.Nginx.sni_hostname_upstream_map') %}
map $ssl_preread_server_name $hostmap{{ sni_map['@uuid'].replace('-','') }} {
{% for entry_uuid in sni_map.data.split(',') %}
{% set entry = helpers.getUUID(entry_uuid) %}
{{ entry.hostname }} upstream{{ entry.upstream.replace('-','') }};
{% endfor %}
}
{% endfor %}
{# Stream servers shipped by other plugins are pulled in ahead of the generated ones. #}
include opnsense_stream_vhost_plugins/*.conf;
{# Servers are rendered only while the plugin is globally enabled; the
   upstream and map blocks above are emitted regardless of this switch. #}
{% if OPNsense.Nginx.general.enabled is defined and OPNsense.Nginx.general.enabled == '1' %}
{% for server in helpers.toList('OPNsense.Nginx.stream_server') %}
# servers
server {
{# TLS termination on the listener is implied solely by a certificate being set. #}
{% set tls_enabled = server.certificate is defined %}
{% if server.listen_address is defined and server.listen_address != '' %}
{% for listen_address in server.listen_address.split(',') %}
{# The same "proxy_protocol" flag drives both this listen parameter (accept a
   PROXY header from the client side) and the outgoing proxy_protocol
   directive further down (send one to the upstream).
   NOTE(review): nothing here prevents "udp" from being combined with "ssl"
   or "proxy_protocol", which nginx rejects at configuration load —
   presumably the model validates that; confirm. #}
listen {{ listen_address }}{% if server.udp is defined and server.udp == '1' %} udp{% endif %}{% if tls_enabled %} ssl{% endif %}{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %};
{% endfor %}
{% endif %}
{# Per-server log files keyed by UUID; the access log always uses the "main"
   (non-anonymized) format, the anonymized one is not selectable here. #}
access_log /var/log/nginx/stream_{{ server['@uuid'] }}.access.log main;
{% if server.syslog_targets is defined %}
{% set syslog_targets = server.syslog_targets.split(',') %}
{% include "OPNsense/Nginx/syslog_targets.conf" %}
{% endif %}
error_log /var/log/nginx/stream_{{ server['@uuid'] }}.error.log info;
{# SNI routing needs the ClientHello parsed before proxying.
   NOTE(review): if a certificate is also set, this listener terminates TLS
   itself and the preread variable is presumably not populated, leaving the
   map lookup empty — confirm the model forbids that combination. #}
{% if server.route_field == 'sni_upstream_map' %}
ssl_preread on;
{% endif %}
{# Optional source-address allow/deny list from the shared ipacl template. #}
{% if server.ip_acl is defined %}
{% set ip_acl = server.ip_acl %}
{% include "OPNsense/Nginx/ipacl.conf" %}
{% endif %}
{% if server.certificate is defined %}
{# Client-certificate authentication is configured only when a CA is
   attached; the verify mode is taken verbatim from the model
   (verify_client is assumed to always be set alongside ca — confirm). #}
{% if server.ca is defined %}
ssl_client_certificate /usr/local/etc/nginx/key/{{ server['@uuid'] }}_ca.pem;
ssl_verify_client {{ server.verify_client }};
{% endif %}
ssl_certificate_key /usr/local/etc/nginx/key/{{ server['@uuid'] }}.key;
ssl_certificate /usr/local/etc/nginx/key/{{ server['@uuid'] }}.pem;
{# TLS settings: 1.2/1.3 only, server-preferred order, and a per-server
   shared session cache with tickets disabled (no long-lived ticket key to
   protect). The cipher list is ECDHE-only; AEAD (GCM/CHACHA20) suites come
   first, the trailing *-SHA256/*-SHA384 entries are CBC-mode TLS 1.2 suites,
   presumably kept for older clients. Note the list contains no DHE suites,
   so the dhparam file is loaded but has no effect on the offered ciphers. #}
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /usr/local/etc/dh-parameters.4096;
ssl_ciphers 'ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_session_timeout 1d;
ssl_session_cache shared:sslcache{{ server['@uuid'].replace('-','') }}:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
{% endif %}
{# Operator drop-in directory, rendered before the routing directives. #}
include {{ server['@uuid'] }}_pre/*.conf;
{% if server.route_field == 'upstream' %}
{% if server.upstream is defined %}
{% set upstream = helpers.getUUID(server.upstream) %}
{# Optional client certificate presented to a TLS-enabled upstream.
   NOTE(review): this template emits no proxy_ssl_verify /
   proxy_ssl_trusted_certificate / proxy_ssl_name, so with tls_enable the
   upstream's certificate is not validated (nginx defaults to verify off)
   unless a _pre/_post drop-in adds it — confirm this is intended. #}
{% if upstream.tls_enable == '1' %}
{% if upstream.tls_client_certificate is defined and upstream.tls_client_certificate != '' %}
proxy_ssl_certificate_key /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.key;
proxy_ssl_certificate /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.pem;
{% endif %}
{% endif %}
proxy_ssl {% if upstream.tls_enable == '1' %}on{% else %}off{% endif %};
proxy_pass upstream{{ server.upstream.replace('-','') }};
{% endif %}
{% elif server.route_field == 'sni_upstream_map' %}
{# Route on the SNI map; the maps above define no default, so an unmatched
   name yields an empty target rather than a fallback pool. #}
proxy_pass $hostmap{{ server.sni_upstream_map.replace('-','') }};
{% endif %}
{# Outgoing PROXY protocol to the upstream, same flag as the listen parameter. #}
proxy_protocol {% if server.proxy_protocol == '1' %}on{% else %}off{% endif %};
{# nginx rewrites $remote_addr from a PROXY header only for connections from
   these sources; with no entries the listener may still accept the header
   but logs and hashing keep the proxy's own address. #}
{% if server.trusted_proxies is defined and server.trusted_proxies != '' %}
{% for trusted_proxy in server.trusted_proxies.split(',') %}
set_real_ip_from {{ trusted_proxy }};
{% endfor %}
{% endif%}
{# Operator drop-in directory, rendered after the routing directives. #}
include {{ server['@uuid'] }}_post/*.conf;
}
{% endfor %}
{% endif %}