server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cert.libraryofcode.org;

    ssl_certificate /etc/nginx/ssl/org.chain.crt;
    ssl_certificate_key /etc/nginx/ssl/org.key.pem;
    ssl_verify_client optional_no_ca;

    location / {
        proxy_pass https://offsite-ejbca.mracs.dev;
        proxy_set_header X-SSL-CERT $ssl_client_cert;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_set_header X-Client-Serial $ssl_client_serial;
    }

    location /test-headers {
        return 200 "X-SSL-CERT: $ssl_client_cert\nX-Client-Verify: $ssl_client_verify\nX-Client-DN: $ssl_client_s_dn\nX-Client-Serial: $ssl_client_serial\n";
        add_header Content-Type text/plain;
    }
}