include ${NGX_CONF_DIR}/common-includes/server_filters;
include ${NGX_CONF_DIR}/components/${NGX_COMP_DIR_NAME}/ssl_config;
include ${NGX_CONF_DIR}/components/${NGX_COMP_DIR_NAME}/config_override;
include ${NGX_CONF_DIR}/components/${NGX_COMP_DIR_NAME}/proxy_headers;

# allowed methods
# Allow-list of HTTP methods: GET, DELETE, OPTIONS, POST and PUT. The match is
# case-sensitive and anchored at both ends, so every other method (HEAD,
# PATCH, TRACE, ...) is answered with 405.
# NOTE(review): this `if` sits outside every location in this file, so it is
# presumably evaluated at the level of the including server block - confirm.
if ($request_method !~ ^(GET|DELETE|OPTIONS|POST|PUT)$) {
	# Method not supported
	return 405;
}

# Default location: any URI that none of the regex locations in this file
# match is rejected, so only the explicitly listed IdS endpoints are proxied.
location / {
	# `return` is a rewrite-phase directive and runs before the access phase
	# in which `deny` is evaluated, so clients receive the 421 below rather
	# than a 403. `deny all` only takes effect if the `return` is removed.
	deny all;
	# 421 Misdirected Request
	return 421;
}

# Allow access to only the IdS status, relay, SAML login and OAuth authorize
# endpoints. The pattern is anchored at both ends and permits at most one
# trailing slash, so sub-paths of these endpoints do not match here.
location ~ ^/ids/(v1/status|relay|saml/login|v1/oauth/authorize)(/)?$ {

	# Forward upstream using the scheme of the incoming request.
	# $backend is not set in this file.
	proxy_pass $scheme://$backend;

	# Never store these responses in the proxy cache and never answer from it.
	proxy_no_cache 1;
	proxy_cache_bypass 1;
}

# IdS saml response endpoint with custom client body buffers
# Unlike the other patterns in this file, the optional `/metaAlias/sp.*?`
# group is followed directly by `$`, so it accepts any suffix after
# `/metaAlias/sp`; everything under that prefix is proxied.
location ~ ^/ids/saml/response(/)?(/metaAlias/sp.*?)?$ {

	# For POST requests only, strip X-Frame-Options from the response
	# (more_clear_headers comes from the headers-more module). Without that
	# header the response may be rendered inside a frame.
	# NOTE(review): presumably required so the post-login page can load in an
	# embedding frame - confirm. Nothing in this file replaces the header; if
	# framing should be limited to known origins, a Content-Security-Policy
	# frame-ancestors policy would have to be supplied elsewhere.
	if ($request_method = POST) {
        more_clear_headers 'X-Frame-Options';
    }
	# In-memory buffer for the request body; larger bodies spill to a
	# temporary file.
	client_body_buffer_size 32k;
	# Forward upstream using the scheme of the incoming request.
	# $backend is not set in this file.
	proxy_pass $scheme://$backend;

	# Never store these responses in the proxy cache and never answer from it.
	proxy_no_cache 1;
	proxy_cache_bypass 1;
}



# IdS public token key endpoint, restricted to local callers.
# The pattern is anchored at both ends and permits at most one trailing slash.
location ~ ^/ids/v1/keys/token/public(/)?$ {

        # Allow access to this endpoint from localhost only
        # Usually called from lua scripts
        # NOTE(review): $is_accessed_locally is not set in this file. The test
        # rejects only the exact string "false", so any other value (including
        # an empty one) is let through. Confirm the variable is always exactly
        # "true" or "false", or consider rejecting everything that is not
        # "true" so the check fails closed.
        if ($is_accessed_locally = "false") { return 403; }

        # Forward upstream using the scheme of the incoming request.
        # $backend is not set in this file.
        proxy_pass $scheme://$backend;

        # Never store these responses in the proxy cache and never answer
        # from it.
        proxy_no_cache 1;
        proxy_cache_bypass 1;
}