upstream pwapub {
    server pwa-pub1:8080;
#    server pwa-pub2:8080;
#    server pwa-pub3:8080;
}

server {
    listen       80;

    location / {
	return 301 https://$host/;
    }
    location /pub/ {
        proxy_pass http://pwapub/;
    }
}

server {
    listen       443 ssl;

    ssl     on;
    ssl_certificate /etc/nginx/certs/cert.pem;
    ssl_certificate_key /etc/nginx/certs/key.pem;

    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto  https;

    location / {
        proxy_pass http://pwa-admin1:80/;
    }
    location /pub/ {
        proxy_pass http://pwa-pub1:8080/;
    }
    location /auth/ {
	proxy_pass http://sca-auth:80/;
    }
    location /shared/ {
	alias /shared/;
    }

    location /auth/config.js {
	alias /shared/auth.ui.js;
    }
    location /config.js {
	alias /shared/pwa.ui.js;
    }

    location /api/auth/ {
	proxy_pass http://sca-auth:8080/;
    }
    location /api/pwa/ {
	proxy_pass http://pwa-admin1:8080/;
    }
}

server {
    listen 9443 ssl;

    ssl     on;
    ssl_certificate /etc/nginx/certs/cert.pem;
    ssl_certificate_key /etc/nginx/certs/key.pem;

    # Turn off ssl cert validation 
    ssl_verify_client off;
    # If desired, you can enable cert validation, in which case you must provide trusted.pem
    #ssl_client_certificate /etc/nginx/certs/trusted.pem;
    #ssl_verify_client on;
    #ssl_verify_depth 5;

    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto  https;
    proxy_set_header DN $ssl_client_s_dn;

    location / {
        proxy_pass http://sca-auth:8080/;
    }
}