worker_processes  1;

events {
    worker_connections  1024;
}

http {
    server {
        listen 443 ssl;
        server_name     login.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_endpoint http://authelia:8080;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        location / {
            proxy_set_header  Host $http_host;
            proxy_set_header  X-Original-URI $request_uri;
            proxy_set_header  X-Real-IP $remote_addr;
            proxy_set_header  X-Forwarded-Proto $scheme;
            proxy_intercept_errors on;

            proxy_pass        $upstream_endpoint;

            if ($request_method !~ ^(POST)$){
              error_page 401 = /error/401;
              error_page 403 = /error/403;
              error_page 404 = /error/404;
            }
        }
    }

    server {
        listen 443 ssl;
        server_name     home.example.com;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_endpoint http://nginx-backend;

        root /usr/share/nginx/html/home;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";
    }

    server {
        listen 443 ssl; 
        server_name     admin.example.com;

        root /usr/share/nginx/html/admin;

        resolver 127.0.0.11 ipv6=off;
        set $upstream_verify http://authelia:8080/api/verify;

        ssl on;
        ssl_certificate     /etc/ssl/server.crt;
        ssl_certificate_key /etc/ssl/server.key;

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN";

        location /auth_verify {
            internal;
            proxy_set_header            Host $http_host;

            proxy_set_header            X-Original-URI $request_uri;
            proxy_set_header            X-Original-URL $scheme://$http_host$request_uri;
            proxy_set_header            X-Real-IP $remote_addr;
            proxy_set_header            X-Forwarded-Proto $scheme;

            proxy_pass_request_body     off;
            proxy_set_header            Content-Length "";

            proxy_pass        $upstream_verify;
        }

        location / {
            auth_request /auth_verify;

            auth_request_set $redirect $upstream_http_redirect;
            auth_request_set $user $upstream_http_remote_user;
            auth_request_set $groups $upstream_http_remote_groups;

            error_page 401 =302 https://login.example.com:8080?rd=$redirect;
            error_page 403 = https://login.example.com:8080/error/403;
        }
    }
}