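# Plain-HTTP virtual host (port 80).
# Every request under "/" goes to the FastCGI backend with a fixed USER_ROLES
# literal; no client certificate or password is involved on this listener.
server {
    listen 0.0.0.0:80;
    server_name <%=$domain%>;
    gzip on;

    location / {
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param REQUEST_URI $request_uri;
        fastcgi_param PATH_INFO $document_uri;
        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param REMOTE_PORT $remote_port;
        # NOTE(review): $host can be taken from the request's Host header, so the
        # backend should not treat SERVER_NAME as trusted; $server_name is the
        # configured value if the application needs one. Confirm against the app.
        fastcgi_param SERVER_NAME $host;
        fastcgi_param SERVER_PORT '80';
        fastcgi_param SERVER_PROTOCOL 'http';
        # Role is hard-coded for this listener; it never comes from the request.
        fastcgi_param USER_ROLES 'anonymous/void:*';
        fastcgi_pass <%=$socket%>;
    }

    # Static files for the CA challenge. The pattern is anchored at the start of
    # the URI and the dot is escaped, so only paths that begin with
    # /.well-known/someca-challenge/ bypass the backend (the earlier unanchored
    # form matched that text anywhere in the URI, with "." matching any character).
    location ~* ^/\.well-known/someca-challenge/ {
        root /data/challenge;
    }
}

# Renders the user-role mapping from the first of the two listed templates that exists.
# NOTE(review): presumably this defines the <container>_user_role variable used
# below; confirm that a certificate with no explicit entry maps to the least
# privileged role.
<%=inline_epp(file('motion/user_map.epp', 'motion/user_map.template.epp'), {container => $container})%>

# Audit line per request: timestamp, client certificate serial, issuer DN and
# the role the request was mapped to.
# NOTE(review): the container name becomes part of an nginx variable name here;
# nginx variable names accept only letters, digits and underscore, so confirm
# callers never pass anything else.
log_format <%=$container%>-cert '$date_gmt $ssl_client_serial:$ssl_client_i_dn;$<%=$container%>_user_role';

# HTTPS virtual host (port 443) with mandatory client certificates.
server {
    listen 0.0.0.0:443 ssl;
    server_name <%=$domain%>;
    gzip on;

    ssl_certificate <%=$cert_stem%>.crt;
    ssl_certificate_key <%=$cert_stem%>.key;

    # Client certificates must chain to a CA in this bundle; "on" rejects
    # requests without a valid certificate for every location in this server,
    # including the challenge location below.
    ssl_client_certificate /etc/ssl/<%=$container%>-roots.pem;
    ssl_verify_client on;
    ssl_verify_depth 4;

    # NOTE(review): this log holds certificate serials, issuer DNs and roles,
    # and it lives under /tmp with a predictable name. /tmp is normally
    # world-writable, so a local user can pre-create or symlink the path before
    # nginx opens it, and the file may be readable by other accounts. A
    # dedicated log directory with restrictive permissions is safer; the path is
    # left unchanged here because other tooling may read it.
    access_log /tmp/<%=$container%>-certs.log <%=$container%>-cert;

    location / {
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param REQUEST_URI $request_uri;
        fastcgi_param PATH_INFO $document_uri;
        fastcgi_param REMOTE_ADDR $remote_addr;
        fastcgi_param REMOTE_PORT $remote_port;
        # NOTE(review): $host can be taken from the request's Host header; see
        # whether the backend relies on SERVER_NAME before trusting it.
        fastcgi_param SERVER_NAME $host;
        fastcgi_param SERVER_PORT '443';
        fastcgi_param SERVER_PROTOCOL 'https';
        # Role comes from the per-container mapping variable, not from the client.
        fastcgi_param USER_ROLES $<%=$container%>_user_role;
        fastcgi_pass <%=$socket%>;
<% if($protected != 'no') { %>
        # Password prompt on top of the client certificate; emitted unless the
        # template is rendered with protected set to 'no'. It covers this
        # location only, not the challenge location below.
        auth_basic "closed site";
        auth_basic_user_file /etc/nginx/access.txt;
<% } %>
    }

    # Static files for the CA challenge; anchored and escaped as in the port-80
    # server so that only URIs starting with this prefix skip the backend and
    # the auth_basic check above.
    location ~* ^/\.well-known/someca-challenge/ {
        root /data/challenge;
    }
}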