# Reverse proxy to oauth2-proxy
server {
  listen       80;
  server_name  oauth2-proxy.oauth2-proxy.localhost;

  location / {
    proxy_set_header Host       $host;
    proxy_set_header X-Real-IP  $remote_addr;

    proxy_pass http://oauth2-proxy:4180/;
  }
}

# Reverse proxy to httpbin
server {
  listen      80;
  server_name httpbin.oauth2-proxy.localhost;

  auth_request /internal-auth/oauth2/auth;

  # If the auth_request denies the request (401), redirect to the sign_in page
  # and include the final rd URL back to the user's original request.
  error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/sign_in?rd=$scheme://$host$request_uri;

  # Alternatively send the request to `start` to skip the provider button
  # error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/start?rd=$scheme://$host$request_uri;

  location / {
    proxy_pass http://httpbin/;
  }

  # auth_request must be a URI so this allows an internal path to then proxy to
  # the real auth_request path.
  # The trailing /'s are required so that nginx strips the prefix before proxying.
  location /internal-auth/ {
    internal; # Ensure external users can't access this path

    # Make sure the OAuth2 Proxy knows where the original request came from.
    proxy_set_header Host       $host;
    proxy_set_header X-Real-IP  $remote_addr;

    proxy_pass http://oauth2-proxy:4180/;
  }
}

# Statically serve the nginx welcome
server {
  listen       80;
  server_name  oauth2-proxy.localhost;

  location / {
    auth_request /internal-auth/oauth2/auth;

    # If the auth_request denies the request (401), redirect to the sign_in page
    # and include the final rd URL back to the user's original request.
    error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/sign_in?rd=$scheme://$host$request_uri;

    # Alternatively send the request to `start` to skip the provider button
    # error_page 401 = http://oauth2-proxy.oauth2-proxy.localhost/oauth2/start?rd=$scheme://$host$request_uri;


    root   /usr/share/nginx/html;
    index  index.html index.htm;
  }

  # redirect server error pages to the static page /50x.html
  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
    root   /usr/share/nginx/html;
  }

  # auth_request must be a URI so this allows an internal path to then proxy to
  # the real auth_request path.
  # The trailing /'s are required so that nginx strips the prefix before proxying.
  location /internal-auth/ {
    internal; # Ensure external users can't access this path

    # Make sure the OAuth2 Proxy knows where the original request came from.
    proxy_set_header Host       $host;
    proxy_set_header X-Real-IP  $remote_addr;

    proxy_pass http://oauth2-proxy:4180/;
  }
}