worker_processes  1;

events {
    worker_connections  1024;
}

http {
    server {
        listen 443 ssl;
        server_name     login.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_endpoint http://authelia:8080;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        location / {
            proxy_set_header  Host $http_host;
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  X-Real-IP $remote_addr;
            proxy_set_header  X-Forwarded-Proto $scheme;
            proxy_intercept_errors on;

            proxy_pass        $upstream_endpoint;

            if ($request_method !~ ^(POST)$){
              error_page 401 = /error/401;
              error_page 403 = /error/403;
              error_page 404 = /error/404;
            }
        }
    }

    server {
        listen 443 ssl;
        server_name     home.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_endpoint http://nginx-backend;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        location / {
            proxy_set_header  Host $http_host;
            proxy_pass        $upstream_endpoint;
        }
    }

    server {
        listen 443 ssl; 
        server_name     public.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_verify http://authelia:8080/api/verify;
        set $upstream_endpoint http://nginx-backend;
        set $upstream_headers http://httpbin:8000/headers;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        location /auth_verify {
            internal;
            proxy_set_header            Host $http_host;

            proxy_set_header            X-Original-URI $request_uri;
            proxy_set_header            X-Original-URL $scheme://$http_host$request_uri;
            proxy_set_header            X-Real-IP $remote_addr;
            proxy_set_header            X-Forwarded-Proto $scheme;
            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;

            proxy_pass_request_body     off;
            proxy_set_header            Content-Length "";

            proxy_pass        $upstream_verify;
        }

        location / {
            auth_request /auth_verify;

            auth_request_set $redirect $upstream_http_redirect;
            
            auth_request_set $user $upstream_http_remote_user;
            proxy_set_header X-Forwarded-User $user;
            
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

            proxy_set_header Host $http_host;

            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
            error_page 403 = https://login.example.com:8080/error/403;

            proxy_pass        $upstream_endpoint;
        }

        location /headers {
            auth_request /auth_verify;

            auth_request_set $redirect $upstream_http_redirect;

            auth_request_set $user $upstream_http_remote_user;
            proxy_set_header Custom-Forwarded-User $user;
            
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Custom-Forwarded-Groups $groups;

            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
            error_page 403 = https://login.example.com:8080/error/403;

            proxy_pass        $upstream_headers;
        }
    }

    server {
        listen 443 ssl; 
        server_name     admin.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_verify http://authelia:8080/api/verify;
        set $upstream_endpoint http://nginx-backend;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        location /auth_verify {
            internal;
            proxy_set_header            Host $http_host;

            proxy_set_header            X-Original-URI $request_uri;
            proxy_set_header            X-Original-URL $scheme://$http_host$request_uri;
            proxy_set_header            X-Real-IP $remote_addr;
            proxy_set_header            X-Forwarded-Proto $scheme;
            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;

            proxy_pass_request_body     off;
            proxy_set_header            Content-Length "";

            proxy_pass        $upstream_verify;
        }

        location / {
            auth_request /auth_verify;

            auth_request_set $redirect $upstream_http_redirect;

            auth_request_set $user $upstream_http_remote_user;
            proxy_set_header X-Forwarded-User $user;
            
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

            proxy_set_header Host $http_host;

            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
            error_page 403 = https://login.example.com:8080/error/403;

            proxy_pass        $upstream_endpoint;
        }
    }

    server {
        listen 443 ssl; 
        server_name     dev.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_verify http://authelia:8080/api/verify;
        set $upstream_endpoint http://nginx-backend;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        location /auth_verify {
            internal;
            proxy_set_header            Host $http_host;

            proxy_set_header            X-Original-URI $request_uri;
            proxy_set_header            X-Original-URL $scheme://$http_host$request_uri;
            proxy_set_header            X-Real-IP $remote_addr;
            proxy_set_header            X-Forwarded-Proto $scheme;
            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;

            proxy_pass_request_body     off;
            proxy_set_header            Content-Length "";

            proxy_pass        $upstream_verify;
        }

        location / {
            auth_request /auth_verify;

            auth_request_set $redirect $upstream_http_redirect;

            auth_request_set $user $upstream_http_remote_user;
            proxy_set_header X-Forwarded-User $user;
            
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

            proxy_set_header Host $http_host;

            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
            error_page 403 = https://login.example.com:8080/error/403;

            proxy_pass        $upstream_endpoint;
        }
    }

    server {
        listen 443 ssl; 
        server_name     mx1.mail.example.com mx2.mail.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_verify http://authelia:8080/api/verify;
        set $upstream_endpoint http://nginx-backend;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        location /auth_verify {
            internal;
            proxy_set_header            Host $http_host;

            proxy_set_header            X-Original-URI $request_uri;
            proxy_set_header            X-Original-URL $scheme://$http_host$request_uri;
            proxy_set_header            X-Real-IP $remote_addr;
            proxy_set_header            X-Forwarded-Proto $scheme;
            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;

            proxy_pass_request_body     off;
            proxy_set_header            Content-Length "";

            proxy_pass        $upstream_verify;
        }

        location / {
            auth_request /auth_verify;

            auth_request_set $redirect $upstream_http_redirect;

            auth_request_set $user $upstream_http_remote_user;
            proxy_set_header X-Forwarded-User $user;
            
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

            proxy_set_header Host $http_host;

            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
            error_page 403 = https://login.example.com:8080/error/403;

            proxy_pass        $upstream_endpoint;
        }
    }

    server {
        listen 443 ssl;
        server_name     single_factor.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_verify http://authelia:8080/api/verify;
        set $upstream_endpoint http://nginx-backend;
        set $upstream_headers http://httpbin:8000/headers;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        location /auth_verify {
            internal;
            proxy_set_header            Host $http_host;

            proxy_set_header            X-Original-URI $request_uri;
            proxy_set_header            X-Original-URL $scheme://$http_host$request_uri;
            proxy_set_header            X-Real-IP $remote_addr;
            proxy_set_header            X-Forwarded-Proto $scheme;
            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;

            # This header is required for basic authentication.
            proxy_set_header            Proxy-Authorization $http_authorization;

            proxy_pass_request_body     off;
            proxy_set_header            Content-Length "";

            proxy_pass        $upstream_verify;
        }

        location / {
            auth_request /auth_verify;

            auth_request_set $redirect $upstream_http_redirect;

            auth_request_set $user $upstream_http_remote_user;
            proxy_set_header X-Forwarded-User $user;
            
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;

            proxy_set_header Host $http_host;

            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
            error_page 403 = https://login.example.com:8080/error/403;

            proxy_pass        $upstream_endpoint;
        }

        location /headers {
            auth_request /auth_verify;

            auth_request_set $redirect $upstream_http_redirect;

            auth_request_set $user $upstream_http_remote_user;
            proxy_set_header Custom-Forwarded-User $user;
            
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Custom-Forwarded-Groups $groups;

            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
            error_page 403 = https://login.example.com:8080/error/403;

            proxy_pass        $upstream_headers;
        }
    }

    server {
        listen 443 ssl;
        server_name     authelia.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_endpoint http://authelia:8080;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        location / {
            proxy_set_header  Host $http_host;
            proxy_pass        $upstream_endpoint;
        }
    }
}