location {{{ route }}} {
  # Version-aware reverse proxy for the templated route. `{{{ route }}}` and
  # `{{{ cors }}}` are template placeholders filled in when this file is
  # rendered; their expansion is not visible here.

  # Apply the request limit of the `customstappslimit` zone (declared outside
  # this block). Up to 20 requests above the configured rate are accepted as a
  # burst and, because of `nodelay`, served immediately instead of being queued;
  # requests beyond the burst are rejected.
  # NOTE(review): unless `limit_req_status` is set elsewhere, rejected requests
  # get 503, the same status as the "unavailable" branch below, so clients and
  # monitoring cannot tell throttling from a backend outage - confirm.
  limit_req zone=customstappslimit burst=20 nodelay;

  # Answer CORS preflight (OPTIONS) requests directly in nginx.
  # All other CORS headers are set by the backend(s).
  # see https://gist.github.com/michiel/1064640/0dafeb1e8f71a26b94ea15e09e7e5f45bed14dda
  # NOTE(review): presumably {{{ cors }}} expands to the Access-Control-*
  # add_header directives - confirm, and check that the allowed origin it emits
  # is as narrow as the clients require.
  # NOTE(review): HTTP semantics (RFC 9110, section 8.6) say a server must not
  # send Content-Length on a 204 response; this header looks carried over from
  # the gist - consider whether it is still needed.
  if ($request_method = 'OPTIONS') {
    {{{ cors }}}
    add_header 'Content-Length' '0';
    return 204;
  }

  # $http_x_stapps_version is the X-StApps-Version request header; it is empty
  # when the client sent none. Without it we don't know which backend to choose.
  if ($http_x_stapps_version = "") {
    # return Multiple Choices
    return 300 'You have to supply a client/app version via the X-StApps-Version header!';
  }

  # $proxyurl is not set in this block; presumably a `map` on the version header
  # elsewhere yields either a backend address or one of the sentinel values
  # `unsupported`, `outdated`, `unavailable` tested below - confirm.
  # NOTE(review): the proxy_pass target at the end is built from this variable,
  # so whatever sets it must resolve every client-supplied version value,
  # unknown ones included, to a fixed backend or a sentinel, never to text taken
  # from the header itself - verify against the map's default.

  # Version is unsupported or never existed
  # NOTE(review): if {{{ cors }}} uses add_header without the `always`
  # parameter, nginx does not attach those headers to 404/503 responses
  # (add_header by default applies only to 200, 201, 204, 206, 301, 302, 303,
  # 304, 307 and 308), and a browser client would report a CORS failure instead
  # of the status - confirm against the rendered template.
  if ($proxyurl = unsupported) {
    {{{ cors }}}
    return 404;
  }

  # The version existed, but is outdated now (App should update)
  # NOTE(review): unlike the other two sentinel branches this one emits no
  # {{{ cors }}}, and it returns the same 404 as `unsupported`, so a client
  # cannot tell the two cases apart by status - confirm both are intended.
  if ($proxyurl = outdated) {
    return 404;
  }

  # The version is correct, but backend is not responding
  if ($proxyurl = unavailable) {
    {{{ cors }}}
    return 503;
  }

  # Only GET, OPTIONS and POST may reach the backend; every other method is
  # denied (nginx treats HEAD as allowed whenever GET is). The `return`
  # directives above run in the rewrite phase, before this access check, so they
  # answer regardless of the request method.
  limit_except GET OPTIONS POST {
    deny all;
  }

  # backend is available
  # With a variable and no URI part in proxy_pass, the original request URI is
  # forwarded unchanged. NOTE(review): if $proxyurl holds a hostname rather than
  # an IP address or the name of an upstream group, a `resolver` must be
  # configured - confirm. The hop to the backend is plain HTTP.
  proxy_pass http://$proxyurl;
}