# NGINX must not serve hidden files: any URI containing "/." (dotfiles and
# dot-directories such as .git or .env) is rejected here.
# NOTE(review): the pattern is unanchored, so it also matches "/.well-known/";
# confirm nothing behind this proxy depends on that path.
# NOTE(review): regex locations are tried in file order and a "^~" prefix
# location can pre-empt them; confirm no earlier location shadows this one.
location ~ /\. {
	# NOTE(review): "return" is a rewrite-phase directive and runs before the
	# access phase where "deny" is evaluated, so clients always receive the
	# 421 below; "deny all" only takes effect if the return is removed.
	deny all;
	# 421: Misdirected Request
	return 421; 
}

# Server header must be blank
# NOTE(review): in stock nginx, add_header with an empty value emits no header
# and does not replace or remove the built-in "Server" response header, so this
# line is unlikely to achieve the stated intent. Check the deployed proxy's
# response headers to verify. "server_tokens off;" hides the version string;
# removing the header entirely needs a module such as headers-more
# ("more_clear_headers Server;") - confirm which modules this build includes.
# NOTE(review): add_header is inherited from this level only by blocks that
# declare no add_header of their own.
add_header Server '';


# Deny certain User-Agents
# $invalid_user_agent is not set in this file; see the user-agent map under
# ${NGX_CONF_DIR}/maps (the original note calls it "valid_user_agent" -
# confirm the name there matches the variable tested below).
# NOTE(review): User-Agent is client-supplied, so this filters unwanted or
# unsophisticated clients; it is not an access control.
if ($invalid_user_agent = 1) {
	# 412 Precondition Failed
    return 412;
}

# The list below defines the valid referrers that can access the proxy.

## MUST CHANGE ##
# saproxy.cisco.com, saproxy125.cisco.com to be replaced with reverse proxy hosts
# ids.autobot.cvp to be replaced with internal IdS host

# This list should contain all reverse proxy hosts (primary and secondary clusters) along with the IdS hosts.
# If the proxy is intended to be accessed from CORS domains, those must also be appended to the list as valid referers.

# NOTE: Internal IdS hosts need to be added here to test the IdS Admin test SSO flow

# Referer allow-list. $invalid_referer stays empty when the request matches
# one of the entries below and is set to "1" otherwise:
#   none         - the request carries no Referer header
#   blocked      - a Referer is present but does not start with http:// or
#                  https:// (e.g. stripped by a proxy or firewall)
#   server_names - the Referer host is one of this server's names
#   ~(...)       - regex built from ${NGX_VALID_REFERRERS} at template time
# NOTE(review): Referer is client-supplied and "none" admits requests that omit
# it, so this limits cross-site use of the proxy but is not authentication.
# NOTE(review): nginx matches the regex against the text after the scheme and
# the pattern here is unanchored. The substituted value is not visible in this
# file; confirm each host in it is anchored and has its dots escaped
# (constructed sample: ^proxy\.example\.com/ ), otherwise look-alike host names
# can satisfy the check.
valid_referers none blocked server_names 
	~(${NGX_VALID_REFERRERS});

if ($invalid_referer) {
	# 417: Expectation Failed. Per the HTTP spec this status means the server
	# cannot meet the requirements of the Expect request-header field; this
	# config returns it for a Referer that is not on the allow-list above.
    return 417;
}
