nginx.conf

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  revproxy;

        listen 443 ssl;

        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;

        set $access_token "";
        set $csrf_check "ok-tokenauth";
        if ($cookie_access_token) {
                set $access_token "bearer $cookie_access_token";
                # cookie auth requires csrf check
                set $csrf_check "fail";
        }
        if ($http_authorization) {
                # Authorization header is present - prefer that token over cookie token
                set $access_token "$http_authorization";
        }

        proxy_set_header   Authorization "$access_token";
        # proxy_set_header   X-Forwarded-For "$realip";
        # proxy_set_header   X-UserId "$userid";

        #
        # CSRF check
        # This block requires a csrftoken for all POST requests.
        #
        if ($cookie_csrftoken = $http_x_csrf_token) {
          # this will fail further below if cookie_csrftoken is empty
          set $csrf_check "ok-$cookie_csrftoken";
        }
        if ($request_method != "POST") {
          set $csrf_check "ok-$request_method";
        }
        if ($cookie_access_token = "") {
          # do this again here b/c empty cookie_csrftoken == empty http_x_csrf_token - ugh  
          set $csrf_check "ok-tokenauth";
        }

        location / {
                proxy_pass http://dataportal/;
        }

        location /user/ {
                proxy_pass http://fence/;
        }

        location /api/ {
                proxy_pass http://sheepdog/;
        }

        location /index/ {
                proxy_pass http://indexd/;
        }

        location /coremetadata/ {
                proxy_pass http://coremetadata/;
        }

        location /api/v0/submission/getschema {
                proxy_pass http://peregrine/v0/submission/getschema;
        }

        location /api/v0/submission/graphql {
                if ($cookie_csrftoken = "") {
                        add_header Set-Cookie "csrftoken=$request_id$request_length$request_time$time_iso8601;Path=/";
                }
                proxy_next_upstream off;
                # Forward the host and set Subdir header so api
                # knows the original request path for hmac signing
                proxy_set_header   Host $host;
                proxy_set_header   Subdir /api;
                proxy_set_header   Authorization "$access_token";
                proxy_connect_timeout 300;
                proxy_send_timeout 300;
                proxy_read_timeout 300;
                send_timeout 300;
                proxy_pass http://peregrine/v0/submission/graphql;
        }
    }
}