## map directive must be in http context
# Uncomment this if you use Auth SSL:
#map $ssl_client_s_dn  $ssl_client_s_dn_cn {
#  default           "";
#  ~/CN=(?<CN>[^/]+) $CN;
#}

# FastCGI/uWSGI backend definition
upstream llng_portal_upstream {
    server unix:__FASTCGISOCKDIR__/llng-fastcgi.sock;
    #server 127.0.0.1:5000;
}

server {
  listen __PORT__;
  listen [::]:__PORT__;
  server_name auth.__DNSDOMAIN__;
  root __PORTALSITEDIR__;
  # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
  #access_log /var/log/nginx/portal.log lm_app;

  # Uncomment this if you are running behind a reverse proxy and want
  # LemonLDAP::NG to see the real IP address of the end user
  # Adjust the settings to match the IP address of your reverse proxy
  # and the header containing the original IP address
  # As an alternative, you can use the PROXY protocol
  #
  #set_real_ip_from  127.0.0.1;
  #real_ip_header    X-Forwarded-For;

  if ($uri !~ ^/((static|javascript|favicon).*|.*\.psgi)) {
    rewrite ^/(.*)$ /index.psgi/$1 break;
  }

  location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
    # Note that Content-Security-Policy header is generated by portal itself

    # FastCGI configuration
    include /etc/nginx/fastcgi_params;
    fastcgi_pass llng_portal_upstream;
    fastcgi_param LLTYPE psgi;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
    fastcgi_param PATH_INFO  $fastcgi_path_info;
    # Uncomment this if you use Auth SSL:
    #fastcgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;

    # Or with uWSGI
    #include /etc/nginx/uwsgi_params;
    #uwsgi_pass llng_portal_upstream;
    #uwsgi_param LLTYPE psgi;
    #uwsgi_param SCRIPT_FILENAME $document_root$sc;
    #uwsgi_param SCRIPT_NAME $sc;
    # Uncomment this if you use Auth SSL:
    #uwsgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;

    # REST/SOAP functions for sessions management (disabled by default)
    location ~ ^/index.psgi/adminSessions {
      fastcgi_pass llng_portal_upstream;
      #uwsgi_pass llng_portal_upstream;
      deny all;
    }

    # REST/SOAP functions for proxy auth and password reset (disabled by default)
    location ~ ^/index.psgi/proxy {
      fastcgi_pass llng_portal_upstream;
      #uwsgi_pass llng_portal_upstream;
      deny all;
    }

    # REST/SOAP functions for sessions access (disabled by default)
    location ~ ^/index.psgi/sessions {
      fastcgi_pass llng_portal_upstream;
      #uwsgi_pass llng_portal_upstream;
      deny all;
    }

    # REST/SOAP functions for configuration access (disabled by default)
    location ~ ^/index.psgi/config {
      fastcgi_pass llng_portal_upstream;
      #uwsgi_pass llng_portal_upstream;
      deny all;
    }

    # REST/SOAP functions for notification insertion (disabled by default)
    location ~ ^/index.psgi/notification {
      fastcgi_pass llng_portal_upstream;
      #uwsgi_pass llng_portal_upstream;
      deny all;
    }

  }

  index index.psgi;
  location / {
    try_files $uri $uri/ =404;
  }

  location /static/ {
    alias __PORTALSTATICDIR__;
  }

  # DEBIAN
  # If install was made with USEDEBIANLIBS (official releases), uncomment this
  #location /javascript/ {
  #  alias /usr/share/javascript/;
  #}
}