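# nginx vhost rendered by Puppet (ERB): a client-certificate-authenticated
# HTTPS front end that exports static directories and proxies to unix
# sockets. Everything not explicitly exported below is denied.
#
# NOTE(review): $http_x_forwarded_user is the *client-supplied* request
# header, not a value set by this server. Treat it as untrusted in log
# analysis; the authenticated identity is $ssl_client_s_dn at the end of
# the line.
log_format abusesa '$remote_addr - $http_x_forwarded_user [$time_local] '
                   '"$request" $status $body_bytes_sent '
                   '"$http_referer" "$http_user_agent" "$ssl_client_s_dn"';

server {
    # "ssl on;" is deprecated (dropped in nginx 1.25); the listen parameter
    # is the supported equivalent and still forces TLS on this port.
    listen 8443 ssl;
    access_log <%= scope.lookupvar('nginx::logdir') %>/abusesa.log abusesa;

    # Mutual TLS: every client must present a certificate chaining to the
    # Puppet CA. The optional DN pin below builds on this verified identity.
    ssl_verify_client on;
    ssl_certificate <%= @puppet_ssldir %>/certs/<%= @homename %>.pem;
    ssl_certificate_key <%= @puppet_ssldir %>/private_keys/<%= @homename %>.pem;
    ssl_client_certificate <%= @puppet_ssldir %>/certs/ca.pem;

    ssl_protocols TLSv1.2;
    ssl_ciphers <%= scope.lookupvar('ssl::ciphersuites::mozilla_modern_ciphersuites') %>;
    ssl_prefer_server_ciphers on;

    # add_header is only emitted on 2xx/3xx responses by default, so the
    # 403s produced below carry no HSTS header. Append "always" if the
    # nginx in use is >= 1.7.5 and that matters for this deployment.
    add_header Strict-Transport-Security max-age=15768000;

    proxy_buffering off;

<% if @allow_dn -%>
    # Pin access to a single client-certificate subject. The string form
    # of $ssl_client_s_dn depends on the nginx version (RFC 2253 since
    # 1.11.6, legacy "/C=.../CN=..." before), so @allow_dn has to be written
    # in the running version's format. It is interpolated unescaped into a
    # double-quoted nginx string; a DN containing '"' would break the config.
    if ($ssl_client_s_dn != "<%= @allow_dn %>") {
        return 403;
    }
<% end -%>

<%# Static exports. Each @paths entry is "FILESYSTEM_DIR:URL_PREFIX".
    Entries missing either half are skipped. -%>
<% @paths.each do |path|
     filep, _sep, urlp = path.partition(':')
     # Ruby has no "continue"; the original raised NameError on a malformed
     # entry instead of skipping it.
     next if filep.empty? || urlp.empty?
     # Off-by-slash hardening: with "location /x { alias /d/x; }" a request
     # for "/x../" maps to "/d/x../", i.e. the parent of the alias target.
     # Normalising both sides to a trailing slash keeps prefix and alias
     # aligned. Assumes every export is a directory (autoindex is on), which
     # is what the original template implies - confirm if a single file is
     # ever exported this way.
     urlp_dir  = urlp.end_with?('/') ? urlp : "#{urlp}/"
     filep_dir = filep.end_with?('/') ? filep : "#{filep}/"
-%>
<%   if urlp_dir != urlp -%>
    # Keep the bare-prefix request working: it used to hit the slash-less
    # location and be redirected to the directory form by nginx.
    location = <%= urlp %> {
        return 301 <%= urlp_dir %>;
    }
<%   end -%>
    location <%= urlp_dir %> {
        alias <%= filep_dir %>;
        # Directory listing is intentional; it is gated by ssl_verify_client
        # (and the DN pin when set), so everything under the alias is visible
        # to any authorized client.
        autoindex on;
    }
<% end -%>

<%# Backend services reached over unix sockets. Each @services entry is a
    socket path; a bare name is looked up under @socketdir. Dots in the
    socket file name become path separators in the URL prefix. -%>
<% @services.each do |service|
     dir, _sep, sock = service.rpartition('/')
     dir = @socketdir if dir.empty?
     sockpath = File.join(dir, sock)
     location = sock.gsub('.', '/')
-%>
    location /<%= location %>/ {
        # The trailing "/" in proxy_pass strips the matched prefix before
        # forwarding, so the backend sees paths relative to its own root.
        proxy_pass http://unix:<%= sockpath %>:/;
    }
<% end -%>

    # Default deny: anything not exported above is rejected.
    location / {
        deny all;
    }
}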