upstream _conductor-server {
  ip_hash;
  server conductor-server:8080;
}

upstream _conductor-ui {
  ip_hash;
  server conductor-ui:5000;
}

map $http_authorization $source_auth {
  default "";
}

js_var $auth_token;
js_var $pep_credentials;

server {

  listen *:80;
  listen [::]:80;
  server_name {{ conductor_server_name }};

{% if conductor_server_name != conductor_ui_server_name %}
  # When there is the possibility to separate vhosts for ui and apis as in local-site deployment forward also / to swagger docs
  location / {
    proxy_pass http://_conductor-server;
  }
{% endif %}

  location /api/ {
    js_content pep.enforce;
  }

  location @backend {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Original-URI $request_uri;
    proxy_pass http://_conductor-server;
  }

  location /jwt_verify_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Authorization $pep_credentials;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_pass        "{{ iam_host }}/auth/realms/d4science/protocol/openid-connect/token/introspect";
  
    proxy_cache           token_responses; # Enable caching
    proxy_cache_key       $source_auth;    # Cache for each source authentication
    proxy_cache_lock      on;              # Duplicate tokens must wait
    proxy_cache_valid     200 10s;         # How long to use each response
    proxy_ignore_headers  Cache-Control Expires Set-Cookie;
  }
  
  location /jwt_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Authorization $pep_credentials;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_pass        "{{ iam_host }}/auth/realms/d4science/protocol/openid-connect/token";
  }
  
  location /permission_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_set_header  Authorization "Bearer $auth_token";
    proxy_pass        "{{ iam_host }}/auth/realms/d4science/protocol/openid-connect/token";
  }

}

server {

  listen *:80 default_server;
  listen [::]:80 default_server;
  server_name {{ conductor_ui_server_name }};

  location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://_conductor-ui;
  }

}