---
apiVersion: v1
kind: ConfigMap
metadata:
  name: atst-nginx
  namespace: atat
data:
  nginx-config: |-
    server {
        server_name aws.atat.code.mil;
        # access_log /var/log/nginx/access.log json;
        listen 8442;
        listen [::]:8442 ipv6only=on;
        # if ($http_x_forwarded_proto != 'https') {
        #     return 301 https://$host$request_uri;
        # }
        location /login-redirect {
            return 301 https://auth-aws.atat.code.mil$request_uri;
        }
        location /login-dev {
            try_files $uri @appbasicauth;
        }
        location / {
            try_files $uri @app;
        }
        location @app {
            include uwsgi_params;
            uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
            uwsgi_param HTTP_X_REQUEST_ID $request_id;
        }
        location @appbasicauth {
            include uwsgi_params;
            uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
            auth_basic "Developer Access";
            auth_basic_user_file /etc/nginx/.htpasswd;
            uwsgi_param HTTP_X_REQUEST_ID $request_id;
        }
    }
    server {
        # access_log /var/log/nginx/access.log json;
        server_name auth-aws.atat.code.mil;
        listen 8443;
        listen [::]:8443 ipv6only=on;
        # SSL server certificate and private key
        # ssl_certificate /etc/ssl/private/auth.atat.crt;
        # ssl_certificate_key /etc/ssl/private/auth.atat.key;
        # Set SSL protocols, ciphers, and related options
        # ssl_protocols TLSv1.3 TLSv1.2;
        # ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        # ssl_prefer_server_ciphers on;
        # ssl_ecdh_curve secp384r1;
        # ssl_dhparam /etc/ssl/dhparam.pem;
        # SSL session options
        # ssl_session_timeout 4h;
        # ssl_session_cache shared:SSL:10m;   # 1mb = ~4000 sessions
        # ssl_session_tickets off;
        # OCSP Stapling
        # ssl_stapling on;
        # ssl_stapling_verify on;
        # resolver 8.8.8.8 8.8.4.4;
        # Request and validate client certificate
        # ssl_verify_client on;
        # ssl_verify_depth 10;
        # ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
        # Guard against HTTPS -> HTTP downgrade
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
        location / {
            return 301 https://aws.atat.code.mil$request_uri;
        }
        location /login-redirect {
            try_files $uri @app;
        }
        location @app {
            include uwsgi_params;
            uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
            # uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
            # uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
            # uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
            # uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
            # uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
            # uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
            uwsgi_param HTTP_X_REQUEST_ID $request_id;
        }
    }