upstream conductor_server {
  ip_hash;
  server conductor-server:8080;
}

map $http_authorization $source_auth {
  default "";
}

js_var $auth_token;
js_var $pep_credentials;

server {  
  listen 80;
  server_name conductor conductor-dev.int.d4science.net;

  location / {
    # This would be the directory where your React app's static files are stored at
    root /usr/share/nginx/html;
    try_files $uri /index.html;
  }

  location /health {
     proxy_set_header Host $host;
     proxy_pass http://conductor_server;
  }

  location /actuator/prometheus {
     proxy_set_header Host $host;
     proxy_pass http://conductor_server;
  }

  location /api/ {
    js_content pep.enforce;
  }

  location @backend {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-NginX-Proxy true;
    proxy_cache_bypass $http_upgrade;
    proxy_redirect off;
    proxy_pass http://conductor_server;
  }

  location /jwt_verify_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Authorization $pep_credentials;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_pass        "https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token/introspect";
    
    proxy_ignore_headers  Cache-Control Expires Set-Cookie;
    gunzip on;
 
    proxy_cache           token_responses; # Enable caching
    proxy_cache_key       $source_auth;    # Cache for each source authentication
    proxy_cache_lock      on;              # Duplicate tokens must wait
    proxy_cache_valid     200 10s;         # How long to use each response
  }
  
  location /jwt_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Authorization $pep_credentials;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_pass        "https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
    gunzip on;
  }
  
  location /permission_request {
    internal;
    proxy_method      POST;
    proxy_http_version 1.1;
    proxy_set_header  Content-Type "application/x-www-form-urlencoded";
    proxy_set_header  Authorization "Bearer $auth_token";
    proxy_pass        "https://accounts.dev.d4science.org/auth/realms/d4science/protocol/openid-connect/token";
    gunzip on;
  }

}