default-ssl

upstream tomcats {
  server dspace:8009;
  keepalive 10;
}

server {
  listen 80;
  listen [::]:80;
  server_name clarin-dev.eurac.edu;

  location /repository/oai {

    client_body_buffer_size 32K;

    client_max_body_size 4G;

    sendfile on;
    send_timeout 300s;

    ajp_keep_conn on;
    ajp_pass tomcats;

  }

  location / {
    return 301 https://$server_name$request_uri;
  }
}

server {
  listen 443;
  server_name clarin-dev.eurac.edu localhost;

  root  /opt/nginx/html;
  index index.html index.htm;

  ssl on;
  ssl_certificate /etc/ssl/clarin/clarin-dev_eurac_edu.crt;
  ssl_certificate_key /etc/ssl/clarin/clarin-dev.key;

  ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers RC4:HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers on;
  keepalive_timeout    70;
  ssl_session_cache    shared:SSL:10m;
  ssl_session_timeout  10m;

  add_header 'Access-Control-Allow-Origin' "*";
  add_header 'Access-Control-Allow-Credentials' 'true';

  # redirect different legacy forms to repository/xmlui
  # changed 'redirect' to 'permanent'
  rewrite ^/xmlui(.*)$ /repository/xmlui$1 permanent;
  rewrite ^/repository.?$ /repository/xmlui/ permanent;
  rewrite ^/solr(.*)$ /repository/solr$1 permanent;
  rewrite ^/handle/(.*)$ /repository/xmlui/handle/$1 permanent;

  set $oai_index /repository/oai/request?verb=Identify;
  rewrite ^/oai$ $oai_index permanent;
  location /oai {
    return 301 https://$http_host/repository$request_uri;
  }
  rewrite ^/repository/oai/?$ $oai_index permanent;

  # kept 'redirect' to be sure that this keeps working
  if ($http_accept ~ "(.*xml.cmdi.*)"){
    rewrite ^/(.*)/xmlui/handle/(.*)$ https://$http_host/repository/oai/cite?metadataPrefix=cmdi&handle=$2? redirect;
  }

  if ($query_string ~* "format=cmdi"){
    rewrite ^/(.*)/xmlui/handle/(.*)$ https://$http_host/repository/oai/cite?metadataPrefix=cmdi&handle=$2? redirect;
  }

  if ($query_string ~* "format=cite_(cmdi|bibtex|html)"){
    rewrite ^/(.*)/xmlui/handle/(.*)$ https://$http_host/repository/oai/cite?metadataPrefix=%1&handle=$2? redirect;
  }

  # location = / {
  #   return 301 /repository;
  # }

  location / {
    index index.html index.htm;

    if ($HTTP_X_SCHEME = "http") {
        rewrite ^ https://$http_host$request_uri permanent;
    }
  }

  location /php/aa-statistics.php {
    shib_request /shibauthorizer;
    shib_request_use_headers on;
    fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    fastcgi_param  SCRIPT_FILENAME /opt/nginx/html$fastcgi_script_name;
    fastcgi_param  PATH_INFO $fastcgi_script_name;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include fastcgi_params;
  }

  location /repository {

    client_body_buffer_size 32K;

    client_max_body_size 4G;

    sendfile on;
    send_timeout 300s;

    ajp_keep_conn on;
    ajp_pass tomcats;

    location /repository/solr {
      satisfy any;

      auth_basic           "Restricted App";
      auth_basic_user_file /etc/apache2/passwd/passwords;

      allow 127.0.0.1;
      deny all;

      ajp_keep_conn on;
      ajp_pass tomcats;
    }

    location /repository/JSON/solr/ {
      rewrite /repository/JSON/solr/(.*) /repository/solr/search/select/?q=*:*&rows=0&facet=on&wt=json&indent=true&facet.field=$1 break;

      proxy_pass http://localhost:8080;
    }

  }

  # define aai location
  location /aai {
    alias /opt/repository/sources/lindat-aai-discovery; }

  # add path your repository path that will be protected by shibboleth
  location /repository/xmlui/shibboleth-login {
    include repository_auth;
    ajp_keep_conn on;
    ajp_pass tomcats;
  }

  location /xmlui/shibboleth-login            {
    include repository_auth;
    ajp_keep_conn on;
    ajp_pass tomcats;
  }

  # remove the robots and favicon from the logs
  location ~ /robots.txt$  { access_log off; }
  location ~ ^/favicon.ico$ { access_log off; log_not_found off; }

  # this prevents hidden files (beginning with a period) from being served
  location ~ /\.           { access_log off; log_not_found off; deny all; }

  # FastCGI authorizer for Auth Request module
  location = /shibauthorizer {
    internal;
    include fastcgi_params;
    fastcgi_pass unix:/opt/shibboleth-sp-fastcgi/shibauthorizer.sock;
  }

  # FastCGI responder
  location /Shibboleth.sso {
    include fastcgi_params;
    fastcgi_pass unix:/opt/shibboleth-sp-fastcgi/shibresponder.sock;
  }

  # Resources for the Shibboleth error pages
  location /shibboleth-sp {
    alias /opt/shibboleth-sp-fastcgi/share/shibboleth/;
  }

  location /secure {
    # include shib_clear_headers;
    # Add your attributes here. They get introduced as headers
    # by the FastCGI authorizer so we must prevent spoofing.
    # more_clear_input_headers 'displayName' 'mail' 'persistent-id';
    shib_request /shibauthorizer;
    shib_request_use_headers on;
    gzip off;
    include shib_fastcgi_params;
    fastcgi_pass unix:/tmp/fcgiwrap.socket;
    fastcgi_param SCRIPT_FILENAME /opt/nginx/html$fastcgi_script_name;
  }

  include /opt/nginx/conf/proxies-enabled/*;
}