# If you want to forward http request to https enable the
# following virtual server.
#server {
#        listen  80;
#        server_name     $hostname;
#        return 301 https://$hostname$request_uri;
#}

server {
        listen 443 ssl;
        server_name     $hostname;
        ssl_certificate /etc/ssl/certs/privacyidea-bundle.crt;
        ssl_certificate_key /etc/ssl/private/privacyidea.key;
	ssl_prefer_server_ciphers On; 
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
	ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS;

        access_log      /var/log/privacyidea/access.log;
        error_log       /var/log/privacyidea/error.log info;

        location / {
                uwsgi_pass      unix:/run/uwsgi/app/privacyidea/privacyidea.socket;
                include         uwsgi_params;
                uwsgi_param     UWSGI_SCHEME $scheme;
                uwsgi_param     SERVER_SOFTWARE nginx/$nginx_version;
                uwsgi_param SCRIPT_NAME '';
        }

        # Yubico servers use /wsapi/2.0/verify as the path in the
        # validation URL. Some tools (e.g. Kolab 2fa) let the 
        # user/admin change the api host, but not the rest of
        # the URL. Uncomment the following two lines to reroute 
        # the api URL internally to privacyideas /ttype/yubikey.
        #rewrite ^/wsapi/2.0/verify(.*)  /ttype/yubikey$1 last;

}

