server { server_name {{domain}}; {% if applications | is_feature_enabled('oauth2',application_id) %} {% include 'roles/docker-oauth2-proxy/templates/endpoint.conf.j2'%} {% endif %} {% include 'roles/nginx-modifier-all/templates/global.includes.conf.j2'%} {% if nginx_docker_reverse_proxy_extra_configuration is defined %} {# Additional Domain Specific Configuration #} {{nginx_docker_reverse_proxy_extra_configuration}} {% endif %} {% include 'roles/letsencrypt/templates/ssl_header.j2' %} {% if applications | is_feature_enabled('oauth2', application_id) %} {% set acl = applications[application_id].oauth2_proxy.acl | default({}) %} {% if acl.blacklist is defined %} {# 1. Expose everything by default, then protect blacklisted paths #} {% set oauth2_proxy_enabled = false %} {% set location = "/" %} {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %} {% for loc in acl.blacklist %} {% set oauth2_proxy_enabled = true %} {% set location = loc %} {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %} {% endfor %} {% elif acl.whitelist is defined %} {# 2. Protect everything by default, then expose whitelisted paths #} {% set oauth2_proxy_enabled = true %} {% set location = "/" %} {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %} {% for loc in acl.whitelist %} {% set oauth2_proxy_enabled = false %} {% set location = loc %} {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %} {% endfor %} {% else %} {# 3. OAuth2 enabled but no (or empty) ACL — protect all #} {% set oauth2_proxy_enabled = true %} {% set location = "/" %} {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %} {% endif %} {% else %} {# 4. OAuth2 completely disabled — expose all #} {% set oauth2_proxy_enabled = false %} {% set location = "/" %} {% include 'roles/nginx-docker-reverse-proxy/templates/location/proxy_basic.conf.j2' %} {% endif %} }