worker_processes 1; events { worker_connections 1024; } http { server { listen 443 ssl; server_name login.example.com; resolver 127.0.0.11 ipv6=off; set $upstream_endpoint http://nginx-authelia; ssl on; ssl_certificate /etc/ssl/server.crt; ssl_certificate_key /etc/ssl/server.key; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options "SAMEORIGIN"; location / { proxy_set_header Host $http_host; proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_intercept_errors on; proxy_pass $upstream_endpoint; if ($request_method !~ ^(POST)$){ error_page 401 = /error/401; error_page 403 = /error/403; error_page 404 = /error/404; } } } server { listen 443 ssl; server_name home.example.com; resolver 127.0.0.11 ipv6=off; set $upstream_endpoint http://nginx-backend; ssl on; ssl_certificate /etc/ssl/server.crt; ssl_certificate_key /etc/ssl/server.key; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options "SAMEORIGIN"; location / { proxy_set_header Host $http_host; proxy_pass $upstream_endpoint; } } server { listen 443 ssl; server_name public.example.com; resolver 127.0.0.11 ipv6=off; set $upstream_verify http://nginx-authelia/api/verify; set $upstream_endpoint http://nginx-backend; set $upstream_headers http://httpbin:8000/headers; ssl on; ssl_certificate /etc/ssl/server.crt; ssl_certificate_key /etc/ssl/server.key; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options "SAMEORIGIN"; location /auth_verify { internal; proxy_set_header Host $http_host; proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Content-Length ""; proxy_pass $upstream_verify; } location / { auth_request /auth_verify; auth_request_set $redirect $upstream_http_redirect; auth_request_set $user $upstream_http_remote_user; proxy_set_header X-Forwarded-User $user; auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Remote-Groups $groups; proxy_set_header Host $http_host; error_page 401 =302 https://login.example.com:8080?redirect=$redirect; error_page 403 = https://login.example.com:8080/error/403; proxy_pass $upstream_endpoint; } location /headers { auth_request /auth_verify; auth_request_set $redirect $upstream_http_redirect; auth_request_set $user $upstream_http_remote_user; proxy_set_header Custom-Forwarded-User $user; auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Custom-Forwarded-Groups $groups; error_page 401 =302 https://login.example.com:8080?redirect=$redirect; error_page 403 = https://login.example.com:8080/error/403; proxy_pass $upstream_headers; } } server { listen 443 ssl; server_name admin.example.com; resolver 127.0.0.11 ipv6=off; set $upstream_verify http://nginx-authelia/api/verify; set $upstream_endpoint http://nginx-backend; ssl on; ssl_certificate /etc/ssl/server.crt; ssl_certificate_key /etc/ssl/server.key; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options "SAMEORIGIN"; location /auth_verify { internal; proxy_set_header Host $http_host; proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Content-Length ""; proxy_pass $upstream_verify; } location / { auth_request /auth_verify; auth_request_set $redirect $upstream_http_redirect; auth_request_set $user $upstream_http_remote_user; proxy_set_header X-Forwarded-User $user; auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Remote-Groups $groups; proxy_set_header Host $http_host; error_page 401 =302 https://login.example.com:8080?redirect=$redirect; error_page 403 = https://login.example.com:8080/error/403; proxy_pass $upstream_endpoint; } } server { listen 443 ssl; server_name dev.example.com; resolver 127.0.0.11 ipv6=off; set $upstream_verify http://nginx-authelia/api/verify; set $upstream_endpoint http://nginx-backend; ssl on; ssl_certificate /etc/ssl/server.crt; ssl_certificate_key /etc/ssl/server.key; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options "SAMEORIGIN"; location /auth_verify { internal; proxy_set_header Host $http_host; proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Content-Length ""; proxy_pass $upstream_verify; } location / { auth_request /auth_verify; auth_request_set $redirect $upstream_http_redirect; auth_request_set $user $upstream_http_remote_user; proxy_set_header X-Forwarded-User $user; auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Remote-Groups $groups; proxy_set_header Host $http_host; error_page 401 =302 https://login.example.com:8080?redirect=$redirect; error_page 403 = https://login.example.com:8080/error/403; proxy_pass $upstream_endpoint; } } server { listen 443 ssl; server_name mx1.mail.example.com mx2.mail.example.com; resolver 127.0.0.11 ipv6=off; set $upstream_verify http://nginx-authelia/api/verify; set $upstream_endpoint http://nginx-backend; ssl on; ssl_certificate /etc/ssl/server.crt; ssl_certificate_key /etc/ssl/server.key; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options "SAMEORIGIN"; location /auth_verify { internal; proxy_set_header Host $http_host; proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Content-Length ""; proxy_pass $upstream_verify; } location / { auth_request /auth_verify; auth_request_set $redirect $upstream_http_redirect; auth_request_set $user $upstream_http_remote_user; proxy_set_header X-Forwarded-User $user; auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Remote-Groups $groups; proxy_set_header Host $http_host; error_page 401 =302 https://login.example.com:8080?redirect=$redirect; error_page 403 = https://login.example.com:8080/error/403; proxy_pass $upstream_endpoint; } } server { listen 443 ssl; server_name single_factor.example.com; resolver 127.0.0.11 ipv6=off; set $upstream_verify http://nginx-authelia/api/verify; set $upstream_endpoint http://nginx-backend; set $upstream_headers http://httpbin:8000/headers; ssl on; ssl_certificate /etc/ssl/server.crt; ssl_certificate_key /etc/ssl/server.key; add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; add_header X-Frame-Options "SAMEORIGIN"; location /auth_verify { internal; proxy_set_header Host $http_host; proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Content-Length ""; proxy_set_header Proxy-Authorization $http_authorization; proxy_pass $upstream_verify; } location / { auth_request /auth_verify; auth_request_set $redirect $upstream_http_redirect; auth_request_set $user $upstream_http_remote_user; proxy_set_header X-Forwarded-User $user; auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Remote-Groups $groups; proxy_set_header Host $http_host; error_page 401 =302 https://login.example.com:8080?redirect=$redirect; error_page 403 = https://login.example.com:8080/error/403; proxy_pass $upstream_endpoint; } location /headers { auth_request /auth_verify; auth_request_set $redirect $upstream_http_redirect; auth_request_set $user $upstream_http_remote_user; proxy_set_header Custom-Forwarded-User $user; auth_request_set $groups $upstream_http_remote_groups; proxy_set_header Custom-Forwarded-Groups $groups; error_page 401 =302 https://login.example.com:8080?redirect=$redirect; error_page 403 = https://login.example.com:8080/error/403; proxy_pass $upstream_headers; } } }