# Uncomment this if you use Auth SSL:
#map $ssl_client_s_dn  $ssl_client_s_dn_cn {
#  default           "";
#  ~/CN=(?<CN>[^/]+) $CN;
#}
#>GNUNUX
map $ssl_client_s_dn  $ssl_client_s_dn_cn {
  # Derive $ssl_client_s_dn_cn (the CN of the client certificate subject)
  # from $ssl_client_s_dn; it is handed to the portal below as
  # SSL_CLIENT_S_DN_CN. The value is "" when no client certificate was
  # presented or when the pattern below does not match.
  default           "";
  # NOTE(review): this pattern expects the legacy slash-separated DN form
  # ("/C=../O=../CN=.."). Recent nginx (1.11.6 and later) renders
  # $ssl_client_s_dn in RFC 2253 form ("CN=..,O=..,C=..") and provides
  # $ssl_client_s_dn_legacy for the old form; with the RFC 2253 form this
  # map yields "" for every client, so certificate-based login would fail
  # closed. Confirm against the nginx version in use and either map from
  # $ssl_client_s_dn_legacy or match the comma-separated form.
  ~/CN=(?<CN>[^/]+) $CN;
}
#<GNUNUX

# FastCGI backend definition
# Single FastCGI backend over a local Unix socket; referenced by every
# fastcgi_pass in both server blocks below. No network exposure of the
# socket itself; access is governed by the socket's filesystem permissions.
upstream llng_portal_upstream {
    server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
}

# Loopback-only plain-HTTP listener. Every request that reaches the psgi
# location below is passed to the portal with REQUEST_URI forced to the
# OpenID Connect discovery path and HTTP_HOST forced to the public domain,
# so this listener effectively answers with the portal's discovery document
# regardless of the URI requested. Presumably consumed by local tooling
# (it is not reachable from outside: listen is bound to 127.0.0.1).
server {
  listen 127.0.0.1:80;
  server_name localhost;
  root /usr/share/lemonldap-ng/portal/htdocs/;
  # Route everything except static assets and *.psgi scripts into
  # index.psgi. Note the exclusion list here names ".internal-well-known"
  # while the public server below excludes ".well-known", so /.well-known/*
  # on this listener is rewritten into index.psgi rather than served as a
  # static file. The leading "." in the alternation is an unescaped regex
  # metacharacter and matches any single character.
  if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
    rewrite ^/(.*)$ /index.psgi/$1 break;
  }
  # $sc captures the script path; it is not referenced in this server.
  location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
    include /etc/nginx/fastcgi_params;
    fastcgi_pass llng_portal_upstream;
    # Overrides the REQUEST_URI set by fastcgi_params: the portal always
    # sees a request for the discovery document on this listener.
    fastcgi_param REQUEST_URI /.well-known/openid-configuration;
    # Overrides the Host the portal sees so the issuer/endpoints in the
    # discovery document are generated for the public domain.
    fastcgi_param HTTP_HOST {{ general.network.interface_0.domain_name_eth0 }};
    fastcgi_param LLTYPE psgi;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
    fastcgi_param PATH_INFO  $fastcgi_path_info;
  }
}

#>GNUNUX
# Classify the client address into a network zone, used by the public
# server below to pick a per-zone copy of the OIDC discovery document.
# geo keys off $remote_addr, which (because set_real_ip_from /
# real_ip_header are enabled in the server below) is already the
# X-Forwarded-For address for connections coming from the trusted
# reverse proxy, so the zone reflects the end user's address.
geo $zone_name {
  default ext;
  # The gateway of the first interface is a single host (no mask) and is
  # treated as external even though it sits inside an internal network.
  {{ general.network.interface_0.gateway_eth0 }} ext;
{% for interface in range(zones_list|length) %}
  # Each configured interface network is internal. zones_list is not
  # defined in this file; it is assumed to have one entry per interface
  # (interface_0 .. interface_N) -- confirm in the template context.
  {{ general.network['interface_' + interface|string]['network_eth' + interface|string] }} int;
{% endfor %}
}
#<GNUNUX

# Public portal listener (TLS only). The upstream LemonLDAP::NG defaults
# that the template replaces are kept in the "# GNUNUX" comments and the
# #>GNUNUX / #<GNUNUX regions mark template-generated directives.
server {
  # GNUNUX listen 80;
  # GNUNUX listen [::]:80;
  # GNUNUX server_name auth.example.com;
#>GNUNUX
  # Bound to the interface's domain name, so the listening address is
  # whatever that name resolves to at startup.
  listen {{ general.network.interface_0.domain_name_eth0 }}:443 ssl;
  server_name {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }};
  ssl_certificate {{ general.tls_cert_directory }}/revprox.crt;
  ssl_certificate_key {{ general.tls_key_directory }}/revprox.key;
  # CA used to validate client certificates (the SSL_CLIENT_S_DN_CN value
  # passed to the portal below derives from the verified subject).
  # NOTE(review): no ssl_verify_client directive is visible in this server
  # block. Unless one is set in the enclosing http context, nginx does not
  # request a client certificate at all and $ssl_client_s_dn stays empty,
  # so SSL_CLIENT_S_DN_CN is always "". Confirm where ssl_verify_client
  # (on/optional) is configured.
  ssl_client_certificate {{ general.tls_ca_directory }}/InternalReverseProxy.crt;
  # ssl_protocols / ssl_ciphers are not set here; assumed to come from the
  # enclosing http context -- verify.
  ssl_session_cache shared:SSL:10m;
#<GNUNUX
  root /usr/share/lemonldap-ng/portal/htdocs/;
  # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
  #access_log /var/log/nginx/portal.log lm_app;

  # Uncomment this if you are running behind a reverse proxy and want
  # LemonLDAP::NG to see the real IP address of the end user
  # Adjust the settings to match the IP address of your reverse proxy
  # and the header containing the original IP address
  # As an alternative, you can use the PROXY protocol
  #
  #set_real_ip_from  127.0.0.1;
  #real_ip_header    X-Forwarded-For;
#>GNUNUX
  # X-Forwarded-For is only honoured for connections from the reverse
  # proxy's address; from any other peer the header is ignored and the
  # TCP peer address is kept. With the default real_ip_recursive off the
  # last address in the header is used, so the proxy must append (not
  # blindly forward) the header for the substituted address to be
  # trustworthy.
  set_real_ip_from  {{ general.revprox.revprox_client_server_ip }};
  real_ip_header    X-Forwarded-For;
#<GNUNUX

  # Route everything except static assets, .well-known and *.psgi scripts
  # into index.psgi. The "." before well-known is an unescaped regex
  # metacharacter (matches any character).
  if ($uri !~ ^/((static|javascript|favicon|.well-known).*|.*\.psgi)) {
    rewrite ^/(.*)$ /index.psgi/$1 break;
  }

  # Portal requests. $sc (the script path) is only used by the commented
  # uWSGI variant below.
  location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
    # Note that Content-Security-Policy header is generated by portal itself

    # FastCGI configuration
    include /etc/nginx/fastcgi_params;
    fastcgi_pass llng_portal_upstream;
    fastcgi_param LLTYPE psgi;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
    fastcgi_param PATH_INFO  $fastcgi_path_info;
    # Uncomment this if you use Auth SSL:
    #fastcgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
#>GNUNUX
    # Client certificate CN as computed by the map at the top of the file;
    # empty when no (verified) client certificate was presented.
    fastcgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
#<GNUNUX

    # OR TO USE uWSGI
    #include /etc/nginx/uwsgi_params;
    #uwsgi_pass 127.0.0.1:5000;
    #uwsgi_param LLTYPE psgi;
    #uwsgi_param SCRIPT_FILENAME $document_root$sc;
    #uwsgi_param SCRIPT_NAME $sc;
    # Uncomment this if you use Auth SSL:
    #uwsgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
#>GNUNUX
    # This uwsgi_param is enabled while uwsgi_pass above is still commented
    # out, so it has no effect (FastCGI is the active backend). Harmless,
    # but dead configuration.
    uwsgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
#<GNUNUX

    # The nested locations below restrict the portal's management/REST
    # endpoints to the reverse proxy's own address. allow/deny is evaluated
    # against $remote_addr after the real_ip substitution above, so a
    # request the proxy forwards on behalf of an end user (carrying
    # X-Forwarded-For) is seen with the end user's address and denied;
    # only requests the proxy originates itself (no X-Forwarded-For, or
    # one naming its own address) are admitted. fastcgi_param values are
    # inherited from this location because none are redefined inside.

    # REST/SOAP functions for sessions management (disabled by default)
    location ~ ^/index.psgi/adminSessions {
      fastcgi_pass llng_portal_upstream;
      allow {{ general.revprox.revprox_client_server_ip }};
      deny all;
    }

    # REST/SOAP functions for proxy auth and password reset (disabled by default)
    location ~ ^/index.psgi/proxy {
      fastcgi_pass llng_portal_upstream;
      allow {{ general.revprox.revprox_client_server_ip }};
      deny all;
    }

    # REST/SOAP functions for sessions access (disabled by default)
    location ~ ^/index.psgi/sessions {
      fastcgi_pass llng_portal_upstream;
      allow {{ general.revprox.revprox_client_server_ip }};
      deny all;
    }

    # REST/SOAP functions for configuration access (disabled by default)
    location ~ ^/index.psgi/config {
      fastcgi_pass llng_portal_upstream;
      allow {{ general.revprox.revprox_client_server_ip }};
      deny all;
    }

    # REST/SOAP functions for notification insertion (disabled by default)
    location ~ ^/index.psgi/notification {
      fastcgi_pass llng_portal_upstream;
      allow {{ general.revprox.revprox_client_server_ip }};
      deny all;
    }

  }

  index index.psgi;
  # Static fallback for anything not rewritten into index.psgi.
  location / {
    try_files $uri $uri/ =404;

    # Uncomment this if you use https only
    #add_header Strict-Transport-Security "max-age=15768000";
#>GNUNUX
    # NOTE(review): add_header is per-location and only applies here.
    # Responses from the psgi location (the portal itself), /static/ and
    # /javascript/ carry no Strict-Transport-Security header since neither
    # they nor the server level set one. If HSTS is meant for the whole
    # host, set it at server level (and repeat it in any location that
    # defines its own add_header).
    add_header Strict-Transport-Security "max-age=15768000";
#<GNUNUX
  }

  location /static/ {
    alias /usr/share/lemonldap-ng/portal/htdocs/static/;
  }

#>GNUNUX
  # Template-provided static assets; both prefixes map to the same directory.
  location /static/risotto/ {
    alias /usr/local/lib/static/;
  }
  location /static/common/apps/risotto/ {
    alias /usr/local/lib/static/;
  }
#<GNUNUX

  # DEBIAN
  # If install was made with USEDEBIANLIBS (official releases), uncomment this
  location /javascript/ {
    alias /usr/share/javascript/;
  }
#>GNUNUX
  # Serve a per-zone copy of the OIDC discovery document: the request is
  # rewritten to .../openid-configuration/<zone> ($zone_name from the geo
  # block above, i.e. "int" or "ext") and served from /var/www/html.
  # The pattern is unanchored at the end and its "." is unescaped, so any
  # URI beginning with that prefix is rewritten as well.
  rewrite ^/.well-known/openid-configuration /.well-known/openid-configuration/$zone_name break;
  location /.well-known/openid-configuration {
    root /var/www/html;
  }
#<GNUNUX
}