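# nginx configuration (Jinja2-templated) for the Nomad JWKS proxy.
# It terminates TLS on nomad_services.jwks_proxy.port and forwards only the
# JWKS document from the local Nomad HTTP API over a verified TLS connection.
worker_processes auto;
error_log {{ nomad_root_dir }}/log/jwks-proxy-error.log notice;
pid /run/nomad/nomad-jwks-proxy.pid;

events {
    worker_connections 1024;
}

http {
    # Keep every scratch directory under the Nomad data directory instead of
    # the distribution defaults, so the proxy can run as the Nomad user.
    proxy_temp_path       {{ nomad_root_dir }}/tmp/proxy_temp;
    client_body_temp_path {{ nomad_root_dir }}/tmp/client_temp;
    fastcgi_temp_path     {{ nomad_root_dir }}/tmp/fastcgi_temp;
    uwsgi_temp_path       {{ nomad_root_dir }}/tmp/uwsgi_temp;
    scgi_temp_path        {{ nomad_root_dir }}/tmp/scgi_temp;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log {{ nomad_root_dir }}/log/jwks-proxy-access.log main;

    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;

    server {
        listen {{ nomad_services.jwks_proxy.port }} ssl;

        # Upstream side (proxy -> Nomad): present the Nomad certificate as a
        # client certificate and verify the Nomad API certificate against the
        # Nomad CA. Because the upstream is addressed as "localhost", the Nomad
        # server certificate must be valid for that name — TODO confirm that
        # the certificates provisioned by this role carry a "localhost" SAN.
        proxy_ssl_certificate         {{ nomad_conf.tls.cert_file }};
        proxy_ssl_certificate_key     {{ nomad_conf.tls.key_file }};
        proxy_ssl_verify              on;
        proxy_ssl_name                localhost;
        proxy_ssl_trusted_certificate {{ nomad_conf.tls.ca_file }};
        # Same protocol floor as the client-facing side below; the nginx
        # default for proxy_ssl_protocols still includes TLSv1 and TLSv1.1.
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Client-facing side (client -> proxy), reusing the Nomad certificate.
        ssl_certificate     {{ nomad_conf.tls.cert_file }};
        ssl_certificate_key {{ nomad_conf.tls.key_file }};
        ssl_protocols TLSv1.2 TLSv1.3;
        # AEAD-only TLSv1.2 suites; TLSv1.3 suites are not selected by
        # ssl_ciphers and use the library defaults.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 1h;
        # Resumption goes through the server-side cache only; tickets would
        # rely on a long-lived ticket key held by every worker.
        ssl_session_tickets off;

        gzip on;
        gzip_types text/plain;
        gzip_vary on;
        # Do not advertise the nginx version in headers and error pages.
        server_tokens off;

        # The JWKS document is read-only: refuse every other method before any
        # request is forwarded to the Nomad API.
        if ($request_method !~ ^(GET|HEAD|OPTIONS)$ ) {
            return 405;
        }

        # Exact match: only "/" is forwarded. With the previous "location /"
        # the matched prefix was substituted by the proxy_pass URI, so a request
        # for "/x" reached the Nomad API as "/.well-known/jwks.jsonx"; now any
        # other path is answered by nginx with 404 and never leaves the proxy.
        location = / {
            proxy_pass https://localhost:{{ nomad_services.http.port }}/.well-known/jwks.json;
            # No proxy_cache_path is declared in this file, so caching is
            # already disabled; kept explicit so key material is never cached.
            proxy_cache off;
        }
    }
}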