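# TLS-terminating reverse proxy: every connection on 443 must present a client
# certificate signed by ca.crt (mutual TLS) before /app/ is forwarded upstream.
user nobody nogroup;
worker_processes auto;

events {
    worker_connections 512;
}

http {
    upstream app {
        server app:4567;
    }

    server {
        # The `ssl` listen parameter replaces the standalone `ssl on;`
        # directive, which was deprecated in nginx 1.15.0 and removed in 1.25.1.
        listen *:443 ssl;
        server_name "";

        # Server identity presented to clients.
        ssl_certificate     /etc/nginx/certs/server.crt;
        ssl_certificate_key /etc/nginx/certs/server.key;

        # CA bundle used to verify client certificates.
        # NOTE(review): ssl_verify_depth is left at its default (1); client
        # certificates issued by an intermediate CA would need it raised.
        ssl_client_certificate /etc/nginx/certs/ca.crt;

        # @todo this could be made 'optional' so that some connections are
        # allowed to reach public endpoints.
        # With 'optional', a request that presents no certificate is accepted
        # and $ssl_client_verify is "NONE"; every protected location would then
        # have to require $ssl_client_verify = "SUCCESS" explicitly, otherwise
        # unauthenticated requests reach the upstream with an empty DN header.
        ssl_verify_client on;

        # NOTE(review): protocol and cipher selection are left at the nginx
        # build defaults; pin ssl_protocols if the deployment has a TLS baseline.

        root /usr/share/nginx/html;

        location /app/ {
            proxy_pass http://app/;

            # Overwrites any client-supplied X-ClientCert-DN with the subject DN
            # of the verified certificate. The upstream should trust this header
            # only if it is reachable solely through this proxy: the hop to
            # app:4567 is plain HTTP, so anything that can connect to the
            # upstream directly can set the header itself.
            # NOTE(review): the DN string format of $ssl_client_s_dn changed in
            # nginx 1.11.6 (RFC 2253 ordering); confirm the application parses
            # the format produced by the deployed version.
            proxy_set_header X-ClientCert-DN $ssl_client_s_dn;
        }
    }
}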