+server {
+ listen 0.0.0.0:80;
+ server_name <%=$domain%>;
+ gzip on;
+
+ location / {
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param CONTENT_LENGTH $content_length;
+ fastcgi_param REQUEST_URI $request_uri;
+ fastcgi_param PATH_INFO $document_uri;
+ fastcgi_param REMOTE_ADDR $remote_addr;
+ fastcgi_param REMOTE_PORT $remote_port;
+ fastcgi_param SERVER_NAME $host;
+ fastcgi_param SERVER_PORT '80';
+ fastcgi_param SERVER_PROTOCOL 'http';
+ fastcgi_param USER_ROLES 'anonymous/void:*';
+ fastcgi_pass <%=$socket%>;
+ }
+ location ~* /.well-known/someca-challenge/.* {
+ root /data/challenge;
+ }
+}
+<%=inline_epp(file('motion/user_map.epp', 'motion/user_map.template.epp'), {container => $container})%>
+log_format <%=$container%>-cert '$date_gmt $ssl_client_serial:$ssl_client_i_dn;$<%=$container%>_user_role';
+server {
+ listen 0.0.0.0:443 ssl;
+ server_name <%=$domain%>;
+ gzip on;
+ ssl_certificate <%=$cert_stem%>.crt;
+ ssl_certificate_key <%=$cert_stem%>.key;
+
+ ssl_client_certificate /etc/ssl/<%=$container%>-roots.pem;
+ ssl_verify_client on;
+ ssl_verify_depth 4;
+ access_log /tmp/<%=$container%>-certs.log <%=$container%>-cert;
+
+ location / {
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param CONTENT_LENGTH $content_length;
+ fastcgi_param REQUEST_URI $request_uri;
+ fastcgi_param PATH_INFO $document_uri;
+ fastcgi_param REMOTE_ADDR $remote_addr;
+ fastcgi_param REMOTE_PORT $remote_port;
+ fastcgi_param SERVER_NAME $host;
+ fastcgi_param SERVER_PORT '443';
+ fastcgi_param SERVER_PROTOCOL 'https';
+ fastcgi_param USER_ROLES $<%=$container%>_user_role;
+ fastcgi_pass <%=$socket%>;
+
+ <% if($protected != 'no') { %>
+ auth_basic "closed site";
+ auth_basic_user_file /etc/nginx/access.txt;
+ <% } %>
+ }
+ location ~* /.well-known/someca-challenge/.* {
+ root /data/challenge;
+ }
+}