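# Policy Enforcement Point (PEP) reverse proxy, rendered from a Jinja2 template.
# Public locations are proxied straight to the backend; protected locations are
# handed to the njs function pep.enforce. The internal locations below are only
# reachable through subrequests or internal redirects.

# Backend application. ip_hash keeps a given client address on the same server.
upstream service {
    ip_hash;
    server {{ docker_pep_upstream_service }};
}

# added to import pep script
js_import pep.js;

# added to bind enforce function
js_set $authorization pep.enforce;

# variables computed by njs and which may possibly be passed among locations
js_var $auth_token;
js_var $account_record;

# Cache zone used by /gcube_user_info.
# NOTE(review): the cache lives directly in /tmp and its key is $auth_token.
# nginx writes the cache key in clear text into each cache file, so bearer
# tokens end up on disk in a shared directory. A dedicated directory readable
# only by the nginx worker user would be safer - confirm with deployment.
proxy_cache_path /tmp levels=1:2 keys_zone=social_cache:10m max_size=10g
                 inactive=60m use_temp_path=off;

server {
    listen *:80;
    server_name {{ docker_service_host }};

    # Upper bound on a subrequest response body that njs can read.
    subrequest_output_buffer_size 200k;
    client_max_body_size {{ docker_pep_max_body_size | default('100M') }};

    # Response security headers. The backend's own value is hidden first so
    # that the value set here is the only one the client sees.
    # NOTE(review): add_header without the "always" parameter is skipped on
    # most error responses, and it is not inherited by a location that sets
    # its own add_header (see /health).
    {% if docker_pep_xss_protection | default(True) %}
    proxy_hide_header X-XSS-Protection;
    add_header X-XSS-Protection "1; mode=block;";
    {% endif %}

    {% if docker_pep_frame_origin | default(False) %}
    proxy_hide_header X-Frame-Options;
    add_header X-Frame-Options "{{ docker_pep_x_frame_options }}";
    {% endif %}

    {% if docker_pep_set_content_security_options | default(False) %}
    proxy_hide_header Content-Security-Policy;
    {% if docker_pep_disable_content_security_options | default(False) %}
    # An empty value emits no header: together with proxy_hide_header above
    # this removes any Content-Security-Policy from the response.
    add_header Content-Security-Policy "";
    {% else %}
    add_header Content-Security-Policy "frame-src{% for s in docker_pep_content_security_src_acl %} {{ s }}{% endfor %}; frame-ancestors{% for l in docker_pep_content_security_ancestor_acl %} {{ l }}{% endfor %};";
    {% endif %}
    {% endif %}

    # Do not advertise the nginx version.
    server_tokens off;

    # Headers sent to every proxied upstream unless a location overrides them.
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    # NOTE(review): $http_host is the raw client-supplied Host header.
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    # Fixed: this header carried $remote_addr (the client address); it is
    # meant to carry the host name the client requested.
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header nginx-request-uri $request_uri;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # NOTE(review): hard-coded although this server listens on plain port 80;
    # presumably TLS is terminated in front of this proxy - confirm.
    proxy_set_header X-Forwarded-Proto https;

    proxy_buffering on;
    proxy_buffer_size 8k;
    proxy_buffers 4 8k;
    proxy_busy_buffers_size 16k;
    proxy_temp_file_write_size 16k;
    proxy_redirect off;
    proxy_connect_timeout 30s;
    proxy_read_timeout 480s;
    proxy_send_timeout 120s;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }

    # Liveness probe: empty 200 response, no upstream involved.
    location /health {
        add_header Content-Length 0;
        add_header Content-Type "text/plain";
        return 200;
    }

    # Locations served WITHOUT any policy check: requests go straight to the
    # backend. Every entry in docker_pep_unauthorized_locations is public, so
    # keep that list as small as possible.
    {% for l in docker_pep_unauthorized_locations %}
    location {{ l }} {
        gunzip on;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
        resolver 146.48.122.10;
        proxy_http_version 1.1;
        proxy_pass http://service$request_uri;
    }
    {% endfor %}

    # Protected locations: the response is produced by the njs handler
    # pep.enforce; nothing here proxies to the backend directly.
    {% for auth_l in docker_pep_authorized_locations %}
    location {{ auth_l }} {
        proxy_read_timeout 300;
        proxy_send_timeout 300;
        js_content pep.enforce;
    }
    {% endfor %}

    # Internal only: looks up the caller's profile with the token held in
    # $auth_token. Responses are cached per token in social_cache.
    # NOTE(review): nginx does not verify upstream TLS certificates unless
    # proxy_ssl_verify is on (with proxy_ssl_trusted_certificate and
    # proxy_ssl_server_name); the token travels on this connection.
    # NOTE(review): no proxy_cache_valid is set, so cache lifetime depends on
    # the upstream's caching headers; an empty $auth_token would make every
    # caller share one cache entry - confirm pep.js never allows that.
    location /gcube_user_info {
        internal;
        gunzip on;
        proxy_method GET;
        proxy_http_version 1.1;
        proxy_set_header gcube-token "$auth_token";
        proxy_pass https://api.d4science.org/rest/2/people/profile;
        proxy_cache social_cache;
        proxy_cache_key $auth_token;
    }

    # Internal only: forwards the original request URI to the backend and
    # attaches the token held in $auth_token.
    location /_backend {
        internal;
        gunzip on;
        proxy_read_timeout 300;
        proxy_send_timeout 300;
        resolver 146.48.122.10;
        proxy_http_version 1.1;
        proxy_set_header gcube-token "$auth_token";
        proxy_pass http://service$request_uri;
    }

    # Internal only: POSTs a JSON record to the accounting service.
    # NOTE(review): same upstream TLS verification caveat as /gcube_user_info.
    location /_accounting {
        internal;
        proxy_method POST;
        proxy_http_version 1.1;
        proxy_set_header gcube-token "$auth_token";
        proxy_set_header Content-Type "application/json";
        proxy_pass https://accounting-service.d4science.org/accounting-service/record;
    }
}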