server {
  listen 443      ssl default_server;
  listen [::]:443 ssl default_server;
  http2 on;

  root ${davical_webroot};
  index index.html index.php;

  ssl_certificate      ${davical_https_cert};
  ssl_certificate_key  ${davical_https_key};

  add_header Strict-Transport-Security "max-age=63072000" always;

  auth_gss_keytab ${davical_keytab};
  auth_gss_allow_basic_fallback off;

  client_max_body_size ${webdav_upload_sizelimit};

  location / {
    auth_gss on;
    satisfy any;
    auth_request /authenticate;
$(printf '    deny %s;\n' $kerberized_cidrs)
    allow all;
    try_files \$uri \$uri/ /caldav.php\$uri?\$query_string;
  }

  location /.well-known/ {
    try_files \$uri \$uri/ /caldav.php\$uri?\$query_string;
  }

  location /authenticate {
    if (\$http_user_agent ~ 'Thunderbird') {
      return 200;
    }
    return 403;
  }

  location ~ ^/webdav($|/(?<dav_path>.*)$) {
    auth_gss on;
    auth_gss_allow_basic_fallback on;
    alias ${webdav_dir}/\$remote_user/\$dav_path;
    create_full_put_path on;
    dav_methods PUT DELETE MKCOL COPY MOVE;
    dav_ext_methods PROPFIND OPTIONS;
    autoindex on;
  }

  location ~ ^/caldav\.php/\.well-known/ {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f \$document_root\$fastcgi_script_name) {
      return 404;
    }
    fastcgi_index index.php;
    fastcgi_intercept_errors on;
    include fastcgi_params;
    fastcgi_pass unix:${davical_fpm_socket};
  }

  location ~ [^/]\.php(/|$) {
    auth_gss on;
    satisfy any;
    auth_request /authenticate;
$(printf '    deny %s;\n' $kerberized_cidrs)
    allow all;

    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f \$document_root\$fastcgi_script_name) {
      return 404;
    }
    fastcgi_index index.php;
    fastcgi_intercept_errors on;
    include fastcgi_params;
    fastcgi_pass unix:${davical_fpm_socket};
  }
}