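# Access-log format for this vhost. The final field records the subject DN of
# the client certificate that nginx verified.
# NOTE(review): the user field is taken from the X-Forwarded-User request
# header, which is supplied by the client and not authenticated by nginx; when
# reading these logs treat $ssl_client_s_dn as the authoritative identity.
log_format abusesa '$remote_addr - $http_x_forwarded_user [$time_local] '
                   '"$request" $status $body_bytes_sent '
                   '"$http_referer" "$http_user_agent" "$ssl_client_s_dn"';

server {
    # TLS is enabled with the "ssl" parameter of listen. The standalone
    # "ssl on;" directive is deprecated and rejected by current nginx releases.
    listen 8443 ssl;
    access_log <%= scope.lookupvar('nginx::logdir') %>/abusesa.log abusesa;

    # Mutual TLS: the handshake is only accepted when the client presents a
    # certificate that chains to ca.pem under @puppet_ssldir.
    # NOTE(review): no ssl_crl is configured here, so a revoked certificate
    # issued by that CA is still accepted. ssl_protocols and ssl_ciphers are not
    # set either, so the defaults of the installed nginx apply.
    ssl_verify_client on;
    ssl_certificate <%= @puppet_ssldir %>/certs/<%= @homename %>.pem;
    ssl_certificate_key <%= @puppet_ssldir %>/private_keys/<%= @homename %>.pem;
    ssl_client_certificate <%= @puppet_ssldir %>/certs/ca.pem;

    proxy_buffering off;

    # When allow_dn is unset, no subject check is rendered below and any client
    # holding a certificate signed by the CA above can reach every service.
<% if @allow_dn -%>
    # Only the one configured subject DN may pass; everything else gets 403.
    # The value is interpolated unescaped into a quoted nginx string, so it must
    # not contain a double quote or a dollar sign. Since nginx 1.11.6
    # $ssl_client_s_dn is formatted per RFC 2253 (the older form is available as
    # $ssl_client_s_dn_legacy), so allow_dn has to be written in the format the
    # installed nginx emits.
    if ($ssl_client_s_dn != "<%= @allow_dn %>") {
        return 403;
    }
<% end -%>
<% @services.each do |service|
     # A service is either a bare socket name or a path to a socket.
     # rpartition yields an empty directory part when there is no '/', in
     # which case the socket is looked up in @socketdir.
     dir, _sep, sock = service.rpartition('/')
     dir = @socketdir if dir.empty?
     sockpath = File.join(dir, sock)
     # Dots in the socket name become path separators in the URL prefix.
     location = sock.tr('.', '/')
-%>
    # Requests under this prefix go to the service's UNIX socket; the trailing
    # ":/" makes nginx replace the matched prefix with "/" before proxying.
    # NOTE(review): request headers are forwarded as received, including any
    # client-supplied X-Forwarded-User; confirm the backend does not trust it.
    location /<%= location %>/ {
        proxy_pass http://unix:<%= sockpath %>:/;
    }
<% end -%>

    # Default deny: any path that is not an explicitly configured service.
    location / {
        deny all;
    }
}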