map $ssl_client_s_dn $ssl_client_s_dn_cn {
	default "no_client_cert";
	~(^|,)CN=(?<CN>[^,]+) $CN;
}

server {
    listen 443 ssl;
    server_name localhost;
    root /dev/null;
    
    # TODO: once the JACE sends an official Kyrio cert, this can be set to 
    # 'on' so the trust-chain is verified against the CA certs in ssl.crt.
    # Also may require tuning of ssl_verify_depth directive.

    # In its current state EPRI will validate that the client cert's CN
    # is correct, but in theory someone could spoof it with a self-signed
    # certificate containing the "correct" CN.

    # Also note that webui admin routes will likely be hit without a client
    # cert, so you will probably want to either:
    # a) have a seperate server/vhost for VEN traffic vs. admin traffic
    # b) leave ssl_verify_client at optional or optional_no_ca, and match
    #    on $ssl_client_verify in a location block.

    ssl_verify_client optional_no_ca;

    # Don't advertise
    server_tokens off;

    # Don't merge slashes
    merge_slashes off;

    location / {
        proxy_set_header  X-Real-IP        $remote_addr;
        proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_set_header  Host             $http_host;
        proxy_set_header  X-Forwarded-Proto $scheme;
        proxy_set_header  X-Forwarded-Ssl on;
        proxy_set_header  X-Forwarded-Port $server_port;
        proxy_set_header  X-Forwarded-Host $host;

        # these next two headers are consumed by EPRI to validate client cert
        # CN vs. EPRI VEN Common Name.
        proxy_set_header  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn; 
        proxy_set_header  HTTPS true;
        
        proxy_redirect    off;
        proxy_pass http://vtn-rails:8080;
    }

    ssl_certificate /etc/ssl/ssl.crt;
    ssl_certificate_key /etc/ssl/ssl.key;
}