# (c) cavaliba.com - # nginx.conf

### ########################################################################
### SEE CAVALIBA DOCUMENTATION TO CONFIGURE APPROPRIATE AUTHENTICATION MODE
### default = Local Web Authentication Form
### ########################################################################


upstream cavaliba_app {
    server cavaliba_app:8001;
}

# uncomment to enable OAUTH2 authentication
#upstream cavaliba_oa2p {
#    server cavaliba_oa2p:4180;
#}


## Log format
## ----------
# $http_x_forwarded_for
# $http_referer
# $http_user_agent
log_format cavaliba '$remote_addr - $remote_user [$time_local] "$request" $status $request_time $bytes_sent';


server {

    listen 80;
    server_name  localhost;

    #error_log /var/log/nginx/error.log debug;
    #access_log  /var/log/nginx/access.log  cavaliba;
    access_log /dev/stdout cavaliba;

    server_tokens off;

    # --------------------------------------------------------
    # oauth2_proxy endpoints
    # --------------------------------------------------------
    # uncomment to enable OAUTH2 authentication

#    location /oauth2 {
#        # BEWARE - DO NOT CONFIG internal !!    
#        #internal; 
#        expires epoch;
#        proxy_pass http://cavaliba_oa2p;
#        proxy_set_header Host                    $host;
#        proxy_set_header X-Real-IP               $remote_addr;
#        proxy_set_header X-Scheme                $scheme;
#        proxy_set_header X-Auth-Request-Redirect $request_uri;
#    }

#    # BEWARE, no trailing / !!!
#    location = /oauth2/auth {
#        internal; 
#        proxy_pass http://cavaliba_oa2p;
#        proxy_set_header Host             $host;
#        proxy_set_header X-Real-IP        $remote_addr;
#        proxy_set_header X-Scheme         $scheme;
#        proxy_set_header X-Auth-Request-Redirect $request_uri;
#       # nginx auth_request includes headers but not body
#        proxy_set_header Content-Length   "";
#        proxy_pass_request_body           off;
#    }

#    location = /oauth2/sign_out { 
#        # Sign-out mutates the session, only allow POST requests
#        if ($request_method != POST) {
#            return 405;
#        }
#        proxy_pass http://cavaliba_oa2p;
#        #proxy_pass http://cavaliba_oa2p/;
#        proxy_set_header Host                    $host;
#        proxy_set_header X-Real-IP               $remote_addr;
#        proxy_set_header X-Scheme                $scheme;
#    }

    # -----------------------
    # no auth locations
    # -----------------------

    # use django collectstatic before
    # (if not using docker entry point)

    location /static/ {
        alias /static_collect/;
    }

    location /logo/ {
        alias /logo/;
    }

    # -----------------------
    # cavaliba public
    # -----------------------

    location / {
        proxy_pass http://cavaliba_app;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        real_ip_header X-Real-IP;
        #proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect off;
        proxy_http_version 1.1;
    }

    # -----------------------
    # cavaliba authenticated
    # -----------------------

    location ~* ^\/([a-zA-Z0-9_]+)\/private\/ {

        ## auth mode #1 : default (web form)
        ## ---------------------------------
        
        ## auth mode #2 : HTTP basic
        ## -------------------------
        ## uncomment to enable
        ## don't forget to select approprite auth mode in Cavaliba Configuration
        
        # auth_basic           "Cavaliba Private";
        # auth_basic_user_file /etc/nginx/htpasswd; 

        ## auth_mode #3 : oauth2
        ## ---------------------
        ## uncomment to enable oauth2 authentication (see doc)
        ## don't forget to select appropriate auth mode in Cavalibva configuration

        # auth_request /oauth2/auth;
        # error_page 401 = /oauth2/sign_in;

        # auth_request_set $auth_cookie $upstream_http_set_cookie;
        # add_header Set-Cookie $auth_cookie;
        
        # auth_request_set $user   $upstream_http_x_auth_request_preferred_username;
        # proxy_set_header X-User  $user;

        # auth_request_set $email  $upstream_http_x_auth_request_email;
        # proxy_set_header X-Email $email;

        # auth_request_set $groups  $upstream_http_x_auth_request_groups;
        # proxy_set_header X-Groups $groups;

        # auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
        # if ($auth_cookie ~* "(; .*)") {
        #    set $auth_cookie_name_0 $auth_cookie;
        #    set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
        # }
        # if ($auth_cookie_name_upstream_1) {
        #    add_header Set-Cookie $auth_cookie_name_0;
        #    add_header Set-Cookie $auth_cookie_name_1;
        # }
        
        # OIDC ID Token from oauth2_proxy
        # auth_request_set $token2 $upstream_http_authorization;
        # add_header Authorization $token2;
        # proxy_set_header Authorization $token2;

        # OIDC JWT Access Token
        # auth_request_set $accesstoken $upstream_http_x_auth_request_access_token;
        # proxy_set_header X-Access-Token $accesstoken;


    # proxy pass
    # ----------

        proxy_pass http://cavaliba_app;

        # BEWARE mandatory !!!!
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        real_ip_header X-Real-IP;
        #proxy_set_header X-Real-IP $remote_addr;
        proxy_redirect off;
        proxy_http_version 1.1;
    }

}