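# TLS front end for step.sandbox.yandex-team.ru, proxying to a local backend on 127.0.0.1:9989.
# Everything under /dostup/ is additionally gated on a client certificate from the
# internal CA with a fixed subject; all other paths are proxied without client auth.
server {
        # spdy was removed in nginx 1.9.5 and replaced by http2; this requires nginx >= 1.9.5.
        # `ssl` on the listen directive is what enables TLS, so the legacy `ssl on;`
        # directive (deprecated since 1.15.0, removed in 1.25.1) is no longer needed.
        listen          *:443 ssl http2;
        listen          [::]:443 ssl http2;
        server_name     step.sandbox.yandex-team.ru;
        access_log      /var/log/nginx/step_access.log stat;
        error_log       /var/log/nginx/step_error.log error;

        # TLS 1.0/1.1 are deprecated (RFC 8996) and were only needed for very old clients.
        # Add TLSv1.3 here once nginx >= 1.13.0 built against OpenSSL >= 1.1.1 is deployed.
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;
        # ECDHE (forward secrecy) first; kRSA kept only as a fallback for clients without ECDHE.
        # 3DES (DES-CBC3-SHA) removed: 64-bit block cipher, vulnerable to SWEET32.
        ssl_ciphers kEECDH+AESGCM+AES128:kEECDH+AES128:kRSA+AESGCM+AES128:kRSA+AES128:!RC4:!aNULL:!eNULL:!MD5:!EXPORT:!LOW:!SEED:!CAMELLIA:!IDEA:!PSK:!SRP:!SSLv2;
        # Certificate and key live in the same PEM file, so that file contains the private key:
        # it must be readable only by root/the nginx master (verify mode 0600 on deploy).
        ssl_certificate     /etc/certs/step.sandbox.yandex-team.ru.pem;
        ssl_certificate_key /etc/certs/step.sandbox.yandex-team.ru.pem;

        # Client certs are requested but not required (`optional`): $ssl_client_verify is
        # SUCCESS only for certs chaining (depth <= 3) to a CA in allCAs.pem. Because that
        # bundle presumably holds more than one CA, the /dostup/ location below also pins
        # the issuer DN rather than trusting any verified cert.
        ssl_client_certificate /etc/ssl/certs/allCAs.pem;
        ssl_verify_client optional;
        ssl_verify_depth 3;

        ssl_session_cache   shared:SSL:128m;
        ssl_session_timeout 12h;

        # This vhost is TLS-only, so tell browsers to never downgrade to plain HTTP.
        # NOTE(review): only correct if no plain-HTTP listener serves this hostname — confirm.
        add_header Strict-Transport-Security "max-age=31536000";

        # X-Forwarded-For is set to $remote_addr (not $proxy_add_x_forwarded_for) on purpose:
        # a client-supplied X-Forwarded-For header is discarded, so the backend cannot be
        # fed a spoofed source address.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Scheme $scheme;

        # nginx status page, reachable only from the local host.
        location = /nginx_status {
            stub_status     on;
            access_log      off;
            allow           127.0.0.1;
            deny            all;
        }

        # Mutually-authenticated endpoint: requires a verified client cert issued by the
        # internal CA to the idm.yandex-team.ru subject. `if` + `return` inside a location
        # is one of the safe uses of `if`.
        # NOTE: the regex is case-sensitive, so e.g. /Dostup/... falls through to `location /`
        # and reaches the backend unauthenticated; whether that matters depends on how the
        # backend routes paths — confirm, and use `~*` if it is case-insensitive.
        location ~ ^/dostup/(.*)$ {
            if ($ssl_client_verify != SUCCESS) {
                return 403;
            }
            # The DN strings below are in the legacy "/C=..." format. Since nginx 1.11.6
            # $ssl_client_i_dn / $ssl_client_s_dn return RFC 2253 format ("CN=...,DC=..."),
            # and the old format moved to $ssl_client_i_dn_legacy / $ssl_client_s_dn_legacy.
            # On such versions these comparisons fail closed (every request gets 403), so
            # switch to the *_legacy variables or rewrite the strings when upgrading.
            if ($ssl_client_i_dn != "/DC=ru/DC=yandex/DC=ld/CN=YandexInternalCA") {
                return 403;
            }
            if ($ssl_client_s_dn != "/C=RU/ST=Moscow/L=Moscow/O=Yandex LLC/OU=ITO/CN=idm.yandex-team.ru/emailAddress=pki@yandex-team.ru") {
                return 403;
            }
            proxy_pass http://127.0.0.1:9989;
        }

        # Everything else is proxied to the same backend without client-cert checks.
        location / {
            proxy_pass http://127.0.0.1:9989;
        }
}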
