map $ssl_client_s_dn $ssl_client_s_dn_cn {
	default "no_client_cert";
	~(^|,)CN=(?<CN>[^,]+) $CN;
}

server {
    listen 443 ssl default_server;
    server_name _;
    root /dev/null;
    
    # next 3 lines force clients to provide a client cert, and ensure that the
    # cert is trusted by the chain in clientssl.crt.
    ssl_verify_client on;
    ssl_client_certificate /etc/ssl/clientssl.crt;
    ssl_verify_depth 2;

    # Don't advertise
    server_tokens off;

    # Don't merge slashes
    merge_slashes off;

    location / {
        proxy_set_header  X-Real-IP        $remote_addr;
        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header  Host             $http_host;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_set_header  X-Forwarded-Ssl on;
        proxy_set_header  X-Forwarded-Port $server_port;
        proxy_set_header  X-Forwarded-Host $host;

        # these next two headers are consumed by Nantum VTN to validate client cert
        # CN vs. VEN Common Name, and client cert fingerprint vs. VenID.
        proxy_set_header  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
        proxy_set_header  SSL_CLIENT_CERTIFICATE $ssl_client_escaped_cert;

        proxy_redirect    off;
        proxy_pass http://nantum-vtn-nodejs:8080;
    }

    ssl_certificate /etc/ssl/ssl.crt;
    ssl_certificate_key /etc/ssl/ssl.key;
}