# {{ ansible_managed }}
server {

    listen {{ keystone_web_server_bind_address }}:{{ keystone_nginx_ports[item] }};

    {% if keystone_ssl | bool and keystone_service_adminuri_proto == "https" %}
    ssl                     on;
    ssl_protocols           {{ keystone_ssl_protocol }};
    ssl_certificate         {{ keystone_ssl_cert }};
    ssl_certificate_key     {{ keystone_ssl_key }};
    ssl_trusted_certificate {{ keystone_ssl_ca_cert }};
    ssl_ciphers             {{ keystone_ssl_cipher_suite }};
    ssl_prefer_server_ciphers on;
    ssl_session_cache   shared:SSL:2m;
    ssl_session_timeout 2m;
    {%- endif %}

    {% for line in keystone_nginx_extra_conf %}
    {{ line }}
    {%- endfor %}

    error_log   syslog:server=unix:/dev/log;
    access_log  syslog:server=unix:/dev/log;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "default-src 'self' https: wss:;";
    add_header X-Frame-Options {{ keystone_x_frame_options | default ('DENY') }};

    real_ip_header   X-Forwarded-For;
    {% for ip in keystone_set_real_ip_from %}
    set_real_ip_from {{ ip }};
    {%- endfor %}

    {% if keystone_security_txt_content is defined %}
    location /security.txt {
        alias {{ keystone_security_txt_dir }}/security.txt;
    }

    location /.well-known/security.txt {
        alias {{ keystone_security_txt_dir }}/security.txt;
    }
    {%- endif %}

    location / {
        try_files   $uri @yourapplication;
    }

    location @yourapplication {
        include     /etc/nginx/uwsgi_params;
        uwsgi_pass  127.0.0.1:{{ keystone_uwsgi_ports[item]['socket'] }};
        uwsgi_param SCRIPT_NAME '';
{% for header in keystone_extra_headers %}
        add_header "{{ header['parameter'] }}" "{{ header['value'] }}";
{% endfor %}
    }
}