# Protected application
server {
    listen 443 ssl;
    listen 80;
    server_name  httpbin.localhost.pomerium.io;
    ssl_certificate /etc/nginx/nginx.pem;
    ssl_certificate_key /etc/nginx/nginx-key.pem;

    location / {
      proxy_pass http://httpbin;
    }

    ### External Authorization

    # Send auth check to /authorize location.
    auth_request /authorize;

    # Set cookies we get back from the auth check
    auth_request_set $saved_set_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $saved_set_cookie;

    # If we get a 401, respond with a named location
    error_page 401 = @error401;
    # On 401, redirect the user to forward auth to start authentication flow
    location @error401 {
        return 302 https://fwdauth.localhost.pomerium.io/?uri=$scheme://$http_host$request_uri;
    }

    # The auth request must be a subpath of the server
    location /authorize {
      proxy_pass http://pomerium/verify?uri=$scheme://$http_host$request_uri;
      proxy_set_header Host fwdauth.localhost.pomerium.io;
      proxy_http_version 1.1;
    }

    ### End External Authorization
}