nginx_conf.in

worker_processes {{ param_nginx_frontend['nb_workers'] }};

pid {{ param_nginx_frontend['path_pid'] }};
error_log {{ param_nginx_frontend['path_error_log'] }};

daemon off;

events {
  worker_connections 1024;
  accept_mutex off;
}

http {
     default_type application/octet-stream;
     access_log {{ param_nginx_frontend['path_access_log'] }} combined;
     client_max_body_size 10M;
     map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
     }

     server {
        listen [{{ param_nginx_frontend['global-ip'] }}]:{{ param_nginx_frontend['global-port'] }} ssl;
        server_name _;
        ssl_certificate     {{ param_nginx_frontend['ssl-certificate'] }};
        ssl_certificate_key {{ param_nginx_frontend['ssl-key'] }};
        ssl_protocols       SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        keepalive_timeout 90s;
        client_body_temp_path {{ param_tempdir['client_body_temp_path'] }};
        proxy_temp_path {{ param_tempdir['proxy_temp_path'] }};
        fastcgi_temp_path {{ param_tempdir['fastcgi_temp_path'] }};
        uwsgi_temp_path {{ param_tempdir['uwsgi_temp_path'] }};
        scgi_temp_path {{ param_tempdir['scgi_temp_path'] }};

        location / {
            # When no .htpasswd exist, redirect the user to account creation page
            if ( !-f {{ param_nginx_frontend['etc_dir'] }}/.htpasswd ) {
                # redirect URL is different wether nginx is accessed directly or behind apache.
                # nginx does not support nested if or multiple conditions, so we use this well known hack.
                set $test no_htpasswd;
            }
            if ( $host = [{{ param_nginx_frontend['global-ip'] }}] ) {
                set $test "${test}_backend_access";
            }
            if ( $test = no_htpasswd) {
                return 301 $scheme://$host/setAccount ;
            }
            if ( $test = no_htpasswd_backend_access) {
                return 301 /setAccount ;
            }
            auth_basic "Restricted";
            auth_basic_user_file {{ param_nginx_frontend['etc_dir'] }}/.htpasswd;
            proxy_redirect off;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host  $http_host;
            proxy_set_header   X-Accel-Mapping   /private/;

            proxy_pass http://unix:{{ socket }};
        }
        location ~ ^(/login|/doLogin|/static|/setAccount|/configAccount|/slapgridResult|/isSRReady) {
            proxy_redirect off;
            proxy_set_header   X-Forwarded-Proto $scheme;
            proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header   X-Forwarded-Host  $http_host;
            proxy_set_header   X-Accel-Mapping   /private/;

            proxy_pass http://unix:{{ socket }};
        }
        location /shellinabox {
            proxy_pass http://unix:{{ shellinabox_socket }}:/;
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
            auth_basic "Restricted";
            auth_basic_user_file {{ param_nginx_frontend['etc_dir'] }}/.htpasswd;
            proxy_redirect off;
            proxy_buffering off;
            proxy_set_header        X-Real-IP         $remote_addr;
            proxy_set_header        X-Forwarded-Proto $scheme;
            proxy_set_header        X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Host  $http_host;
      }
    }
}