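# This configuration file was auto-generated by the Puppet configuration
# management system. Any changes you make to this file will be overwritten
# the next time Puppet runs. Please make configuration changes to this
# service in Puppet.
#
# nginx front end for the Puppet master: terminates TLS, authenticates agents
# by client certificate against the Puppet CA, and forwards the outcome to the
# masters in the "puppet-production" upstream as X-Client-Verify / X-SSL-*
# request headers.

user www-data www-data;
worker_processes <%= worker_processes %>;

error_log /var/log/nginx-puppet.log notice;
pid /var/run/nginx-puppet.pid;

events {
  worker_connections <%= worker_connections %>;
}

http {
  # include /etc/mime.types;
  default_type application/octet-stream;

  # no sendfile on OSX; uncomment this if you are on Linux or BSD
  sendfile on;
  tcp_nopush on;

  # Look at TLB size in /proc/cpuinfo (Linux) for the 4k pagesize
  large_client_header_buffers 16 4k;
  proxy_buffers 128 4k;

  # If you adjust this setting to something higher you should also update
  # proxy_read_timeout in the server blocks below, otherwise nginx will
  # re-request a manifest compile.
  keepalive_timeout 65;
  tcp_nodelay on;

  # TLS is enabled at http level, so BOTH server blocks below are TLS
  # listeners; they differ only in whether a client certificate is required.
  ssl on;
  ssl_certificate /Library/Puppet/Generated/Server/SSL/host_cert.pem;
  ssl_certificate_key /Library/Puppet/Generated/Server/SSL/host_key.pem;
  # Puppet CA used to validate agent client certificates (ssl_verify_client).
  ssl_client_certificate /Library/Puppet/Generated/Server/SSL/ca/ca_crt.pem;

  # The previous cipher string "SSLv2:-LOW:-EXPORT:RC4+RSA" selected SSLv2-era
  # suites and RC4, both of which are broken, and no protocol floor was set.
  # Restrict to TLS 1.2 with strong suites and let the server choose.
  # NOTE(review): ssl_protocols TLSv1.2 needs nginx >= 1.1.13 / OpenSSL 1.0.1;
  # if agents on very old Ruby/OpenSSL must still connect, TLSv1 may have to
  # be re-added here temporarily.
  ssl_protocols TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:8m;
  ssl_session_timeout 5m;

  # Puppet masters behind this proxy. They are spoken to over plain HTTP and
  # trust the X-Client-Verify / X-SSL-* headers injected below, so they MUST
  # only be reachable from this proxy (firewall / loopback); any other client
  # able to reach them directly could forge "X-Client-Verify: SUCCESS".
  upstream puppet-production {
<% puppetmaster_servers.each do |upstream| -%>
    server <%= upstream %>;
<% end -%>
  }

  # Listener for agents that hold a certificate signed by the Puppet CA.
  # With ssl_verify_client on, the TLS handshake fails unless the client
  # presents a certificate chaining to ca_crt.pem, so every request that
  # reaches "location /" has already been authenticated.
  server {
    listen <%= ssl_port %>;
    ssl_verify_client on;
    root /var/empty;
    access_log /var/log/nginx/access-<%= ssl_port %>.log;
    # rewrite_log is an on/off flag (output goes to error_log), not a file
    # path; the former "rewrite_log /var/log/nginx/rewrite-<port>.log" is
    # rejected by nginx. There are no rewrite rules here, so it is omitted.

    # TLS variables available in this context:
    #   $ssl_cipher          cipher negotiated for the established connection
    #   $ssl_client_serial   serial number of the client certificate
    #   $ssl_client_s_dn     subject DN of the client certificate
    #   $ssl_client_i_dn     issuer DN of the client certificate
    #   $ssl_protocol        protocol of the established connection

    location / {
      proxy_pass http://puppet-production;
      proxy_redirect off;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      # proxy_set_header replaces any value the client sent, so an agent
      # cannot smuggle its own X-Client-Verify / X-SSL-* headers upstream.
      proxy_set_header X-Client-Verify SUCCESS;
      proxy_set_header X-SSL-Subject $ssl_client_s_dn;
      proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
      # Keep in step with keepalive_timeout above.
      proxy_read_timeout 65;
    }
  }

  # Listener for agents WITHOUT a usable certificate (e.g. initial CSR
  # submission). The name "non_ssl_port" is historical: because "ssl on" is
  # set at http level this port is still TLS, it simply does not request a
  # client certificate. X-Client-Verify is fixed to FAILURE so the master
  # should treat every request on this port as unauthenticated; with
  # ssl_verify_client off, $ssl_client_s_dn / $ssl_client_i_dn will normally
  # be empty.
  server {
    listen <%= non_ssl_port %>;
    ssl_verify_client off;
    root /var/empty;
    access_log /var/log/nginx/access-<%= non_ssl_port %>.log;
    # rewrite_log omitted for the same reason as in the authenticated server.

    location / {
      proxy_pass http://puppet-production;
      proxy_redirect off;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      # Always overwritten, so a client cannot claim SUCCESS on this port.
      proxy_set_header X-Client-Verify FAILURE;
      proxy_set_header X-SSL-Subject $ssl_client_s_dn;
      proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
      # Keep in step with keepalive_timeout above.
      proxy_read_timeout 65;
    }
  }
}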