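#====================================================================
# Nginx configuration for LemonLDAP::NG sample applications
#====================================================================
#
# Both virtual hosts use the same pattern: each request to "/" first
# triggers an auth_request subrequest to /auth, which runs the
# Lemonldap::NG handler through the nginx perl directive. A 403 from
# that subrequest is routed to @maybe302, which redirects to the portal
# when $portalURL is non-empty and otherwise returns the 403.
# __VHOSTLISTEN__, __DNSDOMAIN__ and __TESTDIR__ are placeholders
# (presumably substituted at install time).

# Sample reverse-proxy virtualhost
server {
  listen __VHOSTLISTEN__;
  server_name test1.__DNSDOMAIN__;

  location / {
    # Trigger Lemonldap::NG access control
    auth_request /auth;

    # Since auth_request only understands 200 or 403 but not 302,
    # redirect user to portal is done through 403
    error_page 403 @maybe302;

    # Hide cookie and send data about user to apps
    # NOTE(review): only the Cookie header is rewritten here. Confirm how
    # the handler delivers the exported headers in this mode and that a
    # client-supplied header with an exported name (e.g. "Auth-User")
    # cannot reach the backend unchanged.
    set $lm_headers "";
    proxy_set_header "Cookie" $lm_headers;

    # Alternatively, you can set headers carrying user data
    # one by one, by setting Nginx vars lm_* corresponding
    # to exported headers as defined in Lemonldap::NG manager
    # (in lower case, e.g. "Auth-User" => $lm_auth_user),
    # plus var $lm_cookie to remove from request header
    # Lemonldap::NG cookie but no other cookie
    # (an explicit proxy_set_header replaces whatever value the client
    # sent for that header name)
    #set $lm_cookie "";
    #set $lm_auth_user "";
    #proxy_set_header "Cookie" $lm_cookie;
    #proxy_set_header "Auth-User" $lm_auth_user;

    # Transfer request to backend
    # NOTE(review): the backend trusts identity data carried in request
    # headers and is reached over plain http://, so it should accept
    # connections from this proxy only.
    proxy_pass http://target.__DNSDOMAIN__/;
  }

  # Redirect user to Lemonldap::NG portal if $portalURL is set
  set $portalURL "";
  location @maybe302 {
    if ($portalURL) {
      rewrite .* $portalURL redirect;
    }
    return 403;
  }

  # Subrequest to run Lemonldap::NG access control
  location = /auth {
    # Serve this location to nginx subrequests only (the auth_request
    # above); direct client requests to /auth get 404 and never reach
    # the handler.
    internal;
    perl Lemonldap::NG::Handler::run;
  }
}

# Sample FastCGI application
server {
  listen __VHOSTLISTEN__;
  server_name test2.__DNSDOMAIN__;

  location / {
    # Trigger Lemonldap::NG access control
    auth_request /auth;

    # Since auth_request only understands 200 or 403 but not 302,
    # redirect user to portal is done through 403
    error_page 403 @maybe302;

    # Hide cookie and send data about user to apps
    # You have to set headers carrying user,
    # by setting Nginx vars lm_* corresponding
    # to exported headers as defined in Lemonldap::NG manager
    # (in lower case, e.g. "Auth-User" => $lm_auth_user),
    # plus var $lm_cookie to remove from request header
    # Lemonldap::NG cookie but no other cookie
    # Setting HTTP_AUTH_USER explicitly also means the application sees
    # this value rather than an "Auth-User" header sent by the client;
    # declare one fastcgi_param per exported header for the same reason.
    set $lm_cookie "";
    set $lm_auth_user "";
    fastcgi_param HTTP_COOKIE $lm_cookie;
    fastcgi_param HTTP_AUTH_USER $lm_auth_user;

    # Transfer request to backend - assume fcgiwrap is installed
    # NOTE(review): whatever try_files resolves under root is handed to
    # fcgiwrap, so __TESTDIR__ should hold only the scripts meant to be
    # run. The socket path must match the local fcgiwrap setup.
    root __TESTDIR__;
    try_files $uri $uri/index.pl;
    include fastcgi_params;
    fastcgi_pass unix:/var/run/fcgiwrap.socket;
  }

  # Redirect user to Lemonldap::NG portal if $portalURL is set
  set $portalURL "";
  location @maybe302 {
    if ($portalURL) {
      rewrite .* $portalURL redirect;
    }
    return 403;
  }

  # Subrequest to run Lemonldap::NG access control
  location = /auth {
    # Serve this location to nginx subrequests only (the auth_request
    # above); direct client requests to /auth get 404 and never reach
    # the handler.
    internal;
    perl Lemonldap::NG::Handler::run;
  }
}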