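# This configuration file was auto-generated by the Puppet configuration
# management system. Any changes you make to this file will be overwritten
# the next time Puppet runs. Please make configuration changes to this
# service in Puppet.

# Client-certificate-authenticated listener. Requests are proxied to the
# puppet-production upstream with the verification result and the certificate
# DNs passed along as request headers.
#
# NOTE(review): the listen directive below carries no "ssl" parameter, and no
# ssl_certificate / ssl_certificate_key / ssl_client_certificate directives
# appear in this file. Presumably TLS and the trusted client CA are configured
# in an enclosing context -- confirm, because ssl_verify_client only has an
# effect on a TLS-enabled listener.
#
# NOTE(review): the upstream presumably treats X-Client-Verify and
# X-SSL-Subject as the authentication decision. It should therefore accept
# connections only from this proxy -- confirm how the upstream is bound and
# firewalled.
server {
  listen                     <%= scope.lookupvar('nginx::puppetmaster::ssl_port') %>;

  # Reject any request that does not present a valid client certificate.
  ssl_verify_client          on;

  root                       /var/empty;
  access_log                 /var/log/nginx/access-<%= scope.lookupvar('nginx::puppetmaster::ssl_port') %>.log;
  rewrite_log                on;
  large_client_header_buffers 16 4k;

  # Variables
  # $ssl_cipher          cipher used for the established SSL connection
  # $ssl_client_serial   serial number of the client certificate
  # $ssl_client_s_dn     subject DN of the client certificate
  # $ssl_client_i_dn     issuer DN of the client certificate
  # $ssl_client_verify   result of client certificate verification
  #                      (SUCCESS when the certificate was verified)
  # $ssl_protocol        protocol of the established SSL connection

  location / {
    proxy_pass               http://puppet-production;
    proxy_redirect           off;
    proxy_set_header         Host             $host;
    proxy_set_header         X-Real-IP        $remote_addr;
    proxy_set_header         X-Forwarded-For  $proxy_add_x_forwarded_for;

    # Report the verification result nginx actually computed instead of a
    # hard-coded SUCCESS. With ssl_verify_client on, every request that reaches
    # this location has been verified, so the value is still SUCCESS. If TLS
    # were ever not in effect on this listener, the variable would be empty and
    # nginx would omit the header rather than vouch for an unverified client.
    # proxy_set_header also replaces any X-Client-Verify / X-SSL-* header sent
    # by the client itself.
    proxy_set_header         X-Client-Verify  $ssl_client_verify;
    proxy_set_header         X-SSL-Subject    $ssl_client_s_dn;
    proxy_set_header         X-SSL-Issuer     $ssl_client_i_dn;

    proxy_connect_timeout    90;
    proxy_send_timeout       180;
    proxy_read_timeout       180;
    proxy_buffer_size        16k;
    proxy_busy_buffers_size  32k;
    proxy_intercept_errors   on;
    proxy_buffers            128 4k;
  }
}

# Listener without client-certificate verification. Requests go to the same
# upstream, but are always marked as unverified.
server {
  listen                     <%= scope.lookupvar('nginx::puppetmaster::non_ssl_port') %>;
  ssl_verify_client          off;
  root                       /var/empty;
  access_log                 /var/log/nginx/access-<%= scope.lookupvar('nginx::puppetmaster::non_ssl_port') %>.log;
  rewrite_log                on;
  large_client_header_buffers 16 4k;

  location / {
    proxy_pass               http://puppet-production;
    proxy_redirect           off;
    proxy_set_header         Host             $host;
    proxy_set_header         X-Real-IP        $remote_addr;
    proxy_set_header         X-Forwarded-For  $proxy_add_x_forwarded_for;

    # Always FAILURE on this port. The explicit proxy_set_header lines also
    # ensure that client-supplied X-Client-Verify / X-SSL-* headers are never
    # forwarded as-is: the $ssl_client_* variables are empty when no client
    # certificate was presented, and nginx does not pass a header whose value
    # is an empty string.
    proxy_set_header         X-Client-Verify  FAILURE;
    proxy_set_header         X-SSL-Subject    $ssl_client_s_dn;
    proxy_set_header         X-SSL-Issuer     $ssl_client_i_dn;

    proxy_connect_timeout    90;
    proxy_send_timeout       180;
    proxy_read_timeout       180;
    proxy_buffer_size        16k;
    proxy_busy_buffers_size  32k;
    proxy_intercept_errors   on;
    proxy_buffers            128 4k;
  }
}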