# nginx-sso - example nginx config
#
# (c) 2015 by Johannes Gilger <heipei@hackvalue.de>
#
# This is an example config for using nginx with the nginx-sso cookie system.
# For simplicity, this config sets up two fictional vhosts that you can use to
# test against both components of the nginx-sso system: ssoauth & ssologin.
# In a real deployment, these vhosts would be separate hosts.

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}


http {
    server {
        listen 443 ssl;
        server_name     auth.test.local localhost;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        error_page 401 = @error401;
        location @error401 {
            return 302 https://auth.test.local:8080/authentication/login?redirect=$scheme://$http_host$request_uri;
        }

        location /authentication/ {
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  Host $http_host;
            proxy_set_header  X-Real-IP $remote_addr;

            proxy_pass        http://auth/authentication/;
        }

        location /authentication/js/ {
            proxy_pass        http://auth/js/;
        }

        location /authentication/img/ {
            proxy_pass        http://auth/img/;
        }

        location /authentication/css/ {
            proxy_pass        http://auth/css/;
        }
    }

    server {
        listen 443 ssl;
        root /usr/share/nginx/html;
 
        server_name     secret1.test.local secret2.test.local secret.test.local localhost;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        error_page 401 = @error401;
        location @error401 {
            return 302 https://auth.test.local:8080/authentication/login?redirect=$scheme://$http_host$request_uri;
        }

        location /authentication/verify {
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  Host $http_host;
            proxy_set_header  X-Real-IP $remote_addr;

            proxy_pass        http://auth/authentication/verify;
        }

        location = /secret.html {
            auth_request /authentication/verify;
            
            auth_request_set $user $upstream_http_x_remote_user;
            proxy_set_header X-Forwarded-User $user;
            auth_request_set $groups $upstream_http_remote_groups;
            proxy_set_header Remote-Groups $groups;
            auth_request_set $expiry $upstream_http_remote_expiry;
            proxy_set_header Remote-Expiry $expiry;
        }
    }
}