nginx.conf

user nginx;
worker_processes auto;
pcre_jit on;
error_log /var/log/nginx/error.log warn;
include /etc/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    server_tokens off;
    client_max_body_size 100m;
    keepalive_timeout 65;
    sendfile on;
    tcp_nodelay on;
    gzip_vary on;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
            '$status $body_bytes_sent "$http_referer" '
            '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    #HTTPS Proxy
    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

	#catch-all server name, handle all requests
        server_name _;

        ssl_certificate /cert/fullchain.pem;
        ssl_certificate_key /cert/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
        ssl_dhparam /cert/dhparam.pem;

	# client certificate ca, the client certificate will be validated against this Certificate Authority
	ssl_client_certificate /ca-cert/nginx_ssl_client_certificate.pem;

        # make verification optional, so we can display a 403 message to those
        # who fail authentication
        ssl_verify_client optional;

        ssl_verify_depth 2;

	# Backend (a.k.a Controller)
    	location /backend/ {
    	    proxy_set_header x-ssl_client_s_dn $ssl_client_s_dn;
            proxy_pass http://backend:80/;
        }

	# Adaguc dataset viewer
	location /adaguc-viewer/ {
	    proxy_pass http://adaguc-viewer:80/adaguc-viewer/;
	}

    # c3s-magic-wps
	location /wps/ {
	    proxy_pass http://wps:5000/;
	}

	# Frontend
        location / {
            proxy_pass http://frontend:80/;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_redirect http://$host https://$host;
        }

        # ESGF Search
        location /esgfsearch/ {
            proxy_pass http://esgfsearch:80/;
            proxy_intercept_errors on;
            error_page 301 302 307 = @handle_redirect;
        }

        # OAuth callback to Backend (a.k.a Controller)
        location /oauth {
            proxy_set_header x-ssl_client_s_dn $ssl_client_s_dn;
            proxy_pass http://backend:80/oauth;
        }


        location /data {
          root /publicdata;
          rewrite ^/data(.*) /$1 break;
          autoindex on;
          add_header 'Access-Control-Allow-Origin' '*';
        }

    }


    # HTTP Catch all + Certbot challenge response
    server {
        listen 0.0.0.0:80 default_server;
        listen [::]:80 default_server;

	#catch-all server name, handle all requests
        server_name _;

        location /.well-known {
            alias /acme/.well-known;
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }

}