server {

  error_log logs/error.log debug;
  access_log logs/access.log storm;

  listen 443 ssl;
  server_name storm.example;

  ssl on;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  ssl_certificate      /certs/cert.pem;
  ssl_certificate_key  /certs/key.pem;
  ssl_client_certificate  /etc/pki/tls/certs/ca-bundle.crt;

  ssl_verify_client optional;
  ssl_verify_depth 100;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 10m;

  location /srm {

    proxy_pass              http://fe:8080;

    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto https;
    proxy_set_header        Host $http_host;

    # Simple tracing via request_id
    proxy_set_header        X-Request-Id $request_id;

    # VOMS headers
    proxy_set_header        x-voms_fqans $voms_fqans;
    proxy_set_header        x-voms_user $voms_user;
    proxy_set_header        x-voms_user_ca $voms_user_ca;
    proxy_set_header        x-voms_vo $voms_vo;
    proxy_set_header        x-voms_not_before $voms_not_before;
    proxy_set_header        x-voms_not_after $voms_not_after;
    proxy_set_header        x-voms_generic_attributes $voms_generic_attributes;
    proxy_set_header        x-voms_serial $voms_serial;
  }
}