[infra.git] / modules / gigi / templates / nginx.epp

server {
    listen       0.0.0.0:443 ssl;
    server_name  api.<%=$systemDomain%>;
    server_name  secure.<%=$systemDomain%>;
    ssl_certificate /etc/ssl/private/gigi.crt;
    ssl_certificate_key /etc/ssl/private/gigi.key;

    ssl_client_certificate /etc/ssl/root.crt;
    ssl_verify_client on;
    ssl_verify_depth 4;

    location / {
        proxy_pass  http://<%=$gigi_ip%>;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-Proto https;
        proxy_set_header X-Client-Cert $ssl_client_cert;
    }
}

server {
    listen       0.0.0.0:443 ssl;
    server_name  *.<%=$systemDomain%>;
    server_name  <%=$systemDomain%>;
    ssl_certificate /etc/ssl/private/gigi.crt;
    ssl_certificate_key /etc/ssl/private/gigi.key;

    location / {
        proxy_pass  http://<%=$gigi_ip%>;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-Proto https;
        proxy_set_header X-Client-Cert $ssl_client_cert;
        <% if($protected != 'no') { %>
        auth_basic "closed site";
        auth_basic_user_file /etc/nginx/access.txt;
        <% } %>
    }
    location ~* /.well-known/someca-challenge/* {
        root /data/challenge;
    }
}

server {
    listen       0.0.0.0:80;
    server_name  *.<%=$systemDomain%>;
    server_name  <%=$systemDomain%>;

    location / {
        proxy_pass  http://<%=$gigi_ip%>;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-Proto http;
        proxy_set_header X-Client-Cert "";
        <% if($protected != 'no') { %>
        auth_basic "closed site";
        auth_basic_user_file /etc/nginx/access.txt;
        <% } %>
    }
    location ~* /.well-known/someca-challenge/.* {
        root /data/challenge;
    }
}