nginx

####
lua_package_path '/opt/portier/nginx/?.lua;/usr/share/lua/5.1/?.lua;;';
init_by_lua_file /opt/portier/nginx/i.lua;

limit_req_zone $binary_remote_addr zone=portier_nginx_login:10m rate=5r/m;

proxy_cache_path /var/cache/nginx keys_zone=broker:64k;
####

server {
	listen 80 default_server;
	listen [::]:80 default_server;

	server_name _;

	access_log off;

	####
	limit_req_status 429;

	location /.portier/login {
		limit_req zone=portier_nginx_login burst=5 nodelay;

		limit_except HEAD GET {
			deny all;
		}

		access_by_lua_file /opt/portier/nginx/l.lua;

		alias /opt/portier/nginx/webroot;
		index index.html;
	}

	location = /.portier/verify {
		limit_except POST {
			deny all;
		}

		access_by_lua_file /opt/portier/nginx/v.lua;
	}

	location = /.portier/logout {
		limit_except HEAD GET {
			deny all;
		}

		add_header Set-Cookie "portier_nginx_email=; Path=/; HttpOnly; Expires=Mon, 11 Jan 2010 00:00:00 GMT";

		return 302 $scheme://$http_host;
	}

	location ~ ^/.portier/proxy/(?<proxy_scheme>[^/]+)/(?<proxy_host>[^/]+)(?<proxy_url>.*)$ {
		internal;

		resolver 1.1.1.1 1.0.0.1;

		proxy_http_version 1.1;
		proxy_pass_request_headers off;
		proxy_pass_request_body off;

		proxy_set_header Accept "application/json";

		# we set a variable as apparently otherwise the DNS lookup is on each request
		set $proxy_backend "$proxy_scheme://$proxy_host$proxy_url$is_args$args";
		proxy_pass $proxy_backend;

		proxy_ssl_verify on;
		proxy_ssl_verify_depth 10;
		proxy_ssl_server_name on;
		proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

		proxy_cache_lock on;
		proxy_cache_use_stale error timeout updating;
		proxy_cache broker;
	}
	####

	location / {
		set $portier_nginx_email "";
		access_by_lua_file /opt/portier/nginx/a.lua;

		#include fastcgi_params;
		#fastcgi_param REMOTE_USER $portier_nginx_email;
		#fastcgi_pass unix:/var/run/fcgi.sock;

		proxy_set_header X-Portier-Nginx-Email $portier_nginx_email;
		proxy_pass http://127.0.0.1:8000;
	}
}