server {
  listen 443      ssl default_server;
  listen [::]:443 ssl default_server;
  http2 on;

  root ${ttrss_repo_dir};
  index index.php index.html;

  ssl_certificate      ${ttrss_https_cert};
  ssl_certificate_key  ${ttrss_https_key};

  add_header Strict-Transport-Security "max-age=63072000" always;

  auth_gss_keytab ${ttrss_keytab};
  auth_gss_allow_basic_fallback off;

  location ~ ^/index\.php$ {
    auth_gss on;
    satisfy any;
$(printf '    deny %s;\n' $kerberized_cidrs)
    allow all;

    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f \$document_root\$fastcgi_script_name) {
      return 404;
    }
    fastcgi_index index.php;
    fastcgi_intercept_errors on;
    include fastcgi_params;
    fastcgi_pass unix:${ttrss_fpm_socket};
  }

  location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    if (!-f \$document_root\$fastcgi_script_name) {
      return 404;
    }
    fastcgi_index index.php;
    fastcgi_intercept_errors on;
    include fastcgi_params;
    fastcgi_pass unix:${ttrss_fpm_socket};
  }
}