package com.zimbra.cs.util;

import com.zimbra.common.account.Key;
import com.zimbra.common.service.ServiceException;
import com.zimbra.common.util.CliUtil;
import com.zimbra.common.util.Log;
import com.zimbra.common.util.LogFactory;
import com.zimbra.common.util.StringUtil;
import com.zimbra.cs.account.NamedEntry;
import com.zimbra.cs.account.Provisioning;
import com.zimbra.cs.account.Server;
import com.zimbra.cs.account.ldap.LdapProv;
import com.zimbra.cs.account.oauth.OAuthTokenCache;
import com.zimbra.cs.httpclient.URLUtil;
import com.zimbra.cs.index.LuceneViewer;
import com.zimbra.cs.ldap.LdapConstants;
import com.zimbra.cs.mailbox.Metadata;
import com.zimbra.cs.util.IPModeEnablerVar;
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.net.Inet4Address;
import java.net.Inet6Address;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.TreeSet;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.GnuParser;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.apache.commons.cli.ParseException;

/* loaded from: input_file:com/zimbra/cs/util/ProxyConfGen.class */
public class ProxyConfGen {
    private static final int DEFAULT_SERVERS_NAME_HASH_MAX_SIZE = 512;
    private static final int DEFAULT_SERVERS_NAME_HASH_BUCKET_SIZE = 64;
    static List<DomainAttrItem> mDomainReverseProxyAttrs;
    static final String ZIMBRA_UPSTREAM_NAME = "zimbra";
    static final String ZIMBRA_UPSTREAM_WEBCLIENT_NAME = "zimbra_webclient";
    static final String ZIMBRA_SSL_UPSTREAM_NAME = "zimbra_ssl";
    static final String ZIMBRA_SSL_UPSTREAM_WEBCLIENT_NAME = "zimbra_ssl_webclient";
    static final String ZIMBRA_ADMIN_CONSOLE_UPSTREAM_NAME = "zimbra_admin";
    static final String ZIMBRA_ADMIN_CONSOLE_CLIENT_UPSTREAM_NAME = "zimbra_adminclient";
    static final String ZIMBRA_UPSTREAM_EWS_NAME = "zimbra_ews";
    static final String ZIMBRA_SSL_UPSTREAM_EWS_NAME = "zimbra_ews_ssl";
    static final String ZIMBRA_UPSTREAM_LOGIN_NAME = "zimbra_login";
    static final String ZIMBRA_SSL_UPSTREAM_LOGIN_NAME = "zimbra_login_ssl";
    private static Log mLog = LogFactory.getLog(ProxyConfGen.class);
    private static Options mOptions = new Options();
    private static boolean mDryRun = false;
    private static String mWorkingDir = "/opt/zimbra";
    private static String mTemplateDir = mWorkingDir + "/conf/nginx/templates";
    private static String mConfDir = mWorkingDir + "/conf";
    private static String mResolverfile = mConfDir + "/nginx/resolvers.conf";
    private static String mIncDir = "nginx/includes";
    private static String mDomainSSLDir = mConfDir + File.separator + "domaincerts";
    private static String mSSLCrtExt = ".crt";
    private static String mSSLKeyExt = ".key";
    private static String mSSLClientCertCaExt = ".client.ca.crt";
    private static String mDefaultSSLCrt = mConfDir + File.separator + "nginx.crt";
    private static String mDefaultSSLKey = mConfDir + File.separator + "nginx.key";
    private static String mDefaultSSLClientCertCa = mConfDir + File.separator + "nginx.client.ca.crt";
    private static String mDefaultDhParamFile = mConfDir + File.separator + "dhparam.pem";
    private static String mConfIncludesDir = mConfDir + File.separator + mIncDir;
    private static String mConfPrefix = "nginx.conf";
    private static String mTemplatePrefix = mConfPrefix;
    private static String mTemplateSuffix = ".template";
    private static Provisioning mProv = null;
    private static String mHost = null;
    private static Server mServer = null;
    private static boolean mGenConfPerVhn = false;
    private static Map<String, ProxyConfVar> mConfVars = new HashMap();
    private static Map<String, String> mVars = new HashMap();
    private static Map<String, ProxyConfVar> mDomainConfVars = new HashMap();
    private static Pattern cmdPattern = Pattern.compile("(.*)\\!\\{([^\\}]+)\\}(.*)", 32);

    private static void usage(String str) {
        if (str != null) {
            System.out.println(str);
        }
        new HelpFormatter().printHelp("ProxyConfGen [options] ", "where [options] are one of:", mOptions, "ProxyConfGen generates the NGINX Proxy configuration files");
    }

    private static CommandLine parseArgs(String[] strArr) {
        CommandLine commandLine = null;
        try {
            commandLine = new GnuParser().parse(mOptions, strArr, false);
            return commandLine;
        } catch (ParseException e) {
            usage(e.getMessage());
            return commandLine;
        }
    }

    private static List<DomainAttrItem> loadDomainReverseProxyAttrs() throws ServiceException {
        if (!mGenConfPerVhn) {
            return Collections.emptyList();
        }
        if (!(mProv instanceof LdapProv)) {
            throw ServiceException.INVALID_REQUEST("The method can work only when LDAP is available", (Throwable) null);
        }
        HashSet hashSet = new HashSet();
        hashSet.add("zimbraVirtualHostname");
        hashSet.add("zimbraVirtualIPAddress");
        hashSet.add("zimbraSSLCertificate");
        hashSet.add("zimbraSSLPrivateKey");
        hashSet.add("zimbraReverseProxyClientCertMode");
        hashSet.add("zimbraReverseProxyClientCertCA");
        hashSet.add("zimbraWebClientLoginURL");
        hashSet.add("zimbraReverseProxyResponseHeaders");
        final ArrayList arrayList = new ArrayList();
        mProv.getAllDomains(new NamedEntry.Visitor() { // from class: com.zimbra.cs.util.ProxyConfGen.1
            @Override // com.zimbra.cs.account.NamedEntry.Visitor
            public void visit(NamedEntry namedEntry) throws ServiceException {
                String attr = namedEntry.getAttr("zimbraDomainName");
                String[] multiAttr = namedEntry.getMultiAttr("zimbraVirtualHostname");
                String[] multiAttr2 = namedEntry.getMultiAttr("zimbraVirtualIPAddress");
                String attr2 = namedEntry.getAttr("zimbraSSLCertificate");
                String attr3 = namedEntry.getAttr("zimbraSSLPrivateKey");
                String attr4 = namedEntry.getAttr("zimbraReverseProxyClientCertMode");
                String attr5 = namedEntry.getAttr("zimbraReverseProxyClientCertCA");
                String[] multiAttr3 = namedEntry.getMultiAttr("zimbraReverseProxyResponseHeaders");
                if (multiAttr.length != 0) {
                    if (attr2 == null && attr3 == null && attr4 == null && attr5 == null) {
                        return;
                    }
                    boolean z = true;
                    if (multiAttr2.length > 0) {
                        if (multiAttr2.length != multiAttr.length) {
                            arrayList.add(new DomainAttrExceptionItem(new ProxyConfException("The configurations of zimbraVirtualHostname and zimbraVirtualIPAddress are mismatched", null)));
                            return;
                        }
                        z = false;
                    }
                    for (int i = 0; i < multiAttr.length; i++) {
                        String str = z ? null : multiAttr2[i];
                        if (!ProxyConfUtil.isEmptyString(attr5)) {
                            ProxyConfGen.createDomainSSLDirIfNotExists();
                        }
                        arrayList.add(new DomainAttrItem(attr, multiAttr[i], str, attr2, attr3, attr4, attr5, multiAttr3));
                    }
                }
            }
        }, (String[]) hashSet.toArray(new String[hashSet.size()]));
        return arrayList;
    }

    private static String loadAllClientCertCA() {
        HashSet hashSet = new HashSet();
        String attr = ProxyConfVar.serverSource.getAttr("zimbraReverseProxyClientCertCA", "");
        if (!ProxyConfUtil.isEmptyString(attr)) {
            hashSet.add(attr);
        }
        for (DomainAttrItem domainAttrItem : mDomainReverseProxyAttrs) {
            if (!ProxyConfUtil.isEmptyString(domainAttrItem.clientCertCa)) {
                hashSet.add(domainAttrItem.clientCertCa);
            }
        }
        StringBuilder sb = new StringBuilder();
        String property = System.getProperty("line.separator");
        Iterator it = hashSet.iterator();
        while (it.hasNext()) {
            sb.append((String) it.next());
            sb.append(property);
        }
        if (sb.length() > property.length()) {
            sb.setLength(sb.length() - property.length());
        }
        return sb.toString();
    }

    public static void createDomainSSLDirIfNotExists() {
        File file = new File(mDomainSSLDir);
        if (file.exists()) {
            return;
        }
        file.mkdirs();
    }

    public static Key.ServerBy guessServerBy(String str) {
        return Provisioning.isUUID(str) ? Key.ServerBy.id : Key.ServerBy.name;
    }

    public static Server getServer(String str) throws ProxyConfException {
        try {
            Server server = mProv.get(guessServerBy(str), str);
            if (server == null) {
                throw new ProxyConfException("Cannot find server: " + str);
            }
            return server;
        } catch (ServiceException e) {
            throw new ProxyConfException("Error getting server: " + e.getMessage());
        }
    }

    private static String getCoreConf() {
        return mConfPrefix;
    }

    private static String getCoreConfTemplate() {
        return mTemplatePrefix + mTemplateSuffix;
    }

    private static String getConfFileName(String str) {
        return mConfPrefix + "." + str;
    }

    private static String getConfTemplateFileName(String str) {
        return mTemplatePrefix + "." + str + mTemplateSuffix;
    }

    private static String getWebHttpModeConf(String str) {
        return mConfPrefix + ".web.http.mode-" + str;
    }

    private static String getWebHttpModeConfTemplate(String str) {
        return mTemplatePrefix + ".web.http.mode-" + str + mTemplateSuffix;
    }

    private static String getWebHttpSModeConf(String str) {
        return mConfPrefix + ".web.https.mode-" + str;
    }

    public static String getWebHttpSModeConfTemplate(String str) {
        return mTemplatePrefix + ".web.https.mode-" + str + mTemplateSuffix;
    }

    public static String getClientCertCaPathByDomain(String str) {
        return mDomainSSLDir + File.separator + str + mSSLClientCertCaExt;
    }

    public static String getDefaultClientCertCaPath() {
        return mDefaultSSLClientCertCa;
    }

    public static void expandTemplate(File file, File file2) throws ProxyConfException {
        BufferedReader bufferedReader = null;
        BufferedWriter bufferedWriter = null;
        try {
            try {
                String absolutePath = file.getAbsolutePath();
                String absolutePath2 = file2.getAbsolutePath();
                if (mDryRun) {
                    mLog.info("Would expand template:" + absolutePath + " to file:" + absolutePath2);
                    if (0 != 0) {
                        try {
                            bufferedWriter.close();
                        } catch (IOException e) {
                            throw new ProxyConfException("Cannot expand template file: " + e.getMessage());
                        }
                    }
                    if (0 != 0) {
                        bufferedReader.close();
                    }
                    return;
                }
                mLog.info("Expanding template:" + absolutePath + " to file:" + absolutePath2);
                if (!file.exists()) {
                    throw new ProxyConfException("Template file " + absolutePath + " does not exist");
                }
                BufferedReader bufferedReader2 = new BufferedReader(new FileReader(absolutePath));
                BufferedWriter bufferedWriter2 = new BufferedWriter(new FileWriter(absolutePath2));
                bufferedReader2.mark(100);
                String readLine = bufferedReader2.readLine();
                if (readLine.equalsIgnoreCase("!{explode vhn_vip_ssl}")) {
                    expandTemplateExplodeSSLConfigsForAllVhnsAndVIPs(bufferedReader2, bufferedWriter2);
                    if (bufferedWriter2 != null) {
                        try {
                            bufferedWriter2.close();
                        } catch (IOException e2) {
                            throw new ProxyConfException("Cannot expand template file: " + e2.getMessage());
                        }
                    }
                    if (bufferedReader2 != null) {
                        bufferedReader2.close();
                    }
                    return;
                }
                Matcher matcher = cmdPattern.matcher(readLine);
                if (matcher.matches()) {
                    String[] split = matcher.group(2).split("[ \t]+", 2);
                    if (split.length != 2 || split[0].compareTo("explode") != 0) {
                        throw new ProxyConfException("Illegal custom header command: " + matcher.group(2));
                    }
                    if (!mGenConfPerVhn) {
                        if (bufferedWriter2 != null) {
                            try {
                                bufferedWriter2.close();
                            } catch (IOException e3) {
                                throw new ProxyConfException("Cannot expand template file: " + e3.getMessage());
                            }
                        }
                        if (bufferedReader2 != null) {
                            bufferedReader2.close();
                        }
                        return;
                    }
                    if (!split[1].startsWith("domain(") || !split[1].endsWith(")")) {
                        throw new ProxyConfException("Illegal custom header command: " + matcher.group(2));
                    }
                    String substring = split[1].substring("domain(".length(), split[1].length() - 1);
                    expandTemplateByExplodeDomain(bufferedReader2, bufferedWriter2, substring.equals("") ? new String[0] : substring.split(",( |\t)*"));
                } else {
                    bufferedReader2.reset();
                    expandTemplateSimple(bufferedReader2, bufferedWriter2);
                }
                if (bufferedWriter2 != null) {
                    try {
                        bufferedWriter2.close();
                    } catch (IOException e4) {
                        throw new ProxyConfException("Cannot expand template file: " + e4.getMessage());
                    }
                }
                if (bufferedReader2 != null) {
                    bufferedReader2.close();
                }
            } catch (Throwable th) {
                if (0 != 0) {
                    try {
                        bufferedWriter.close();
                    } catch (IOException e5) {
                        throw new ProxyConfException("Cannot expand template file: " + e5.getMessage());
                    }
                }
                if (0 != 0) {
                    bufferedReader.close();
                }
                throw th;
            }
        } catch (IOException e6) {
            throw new ProxyConfException("Cannot expand template file: " + e6.getMessage());
        } catch (SecurityException e7) {
            throw new ProxyConfException("Cannot expand template: " + e7.getMessage());
        }
    }

    @Deprecated
    private static void expandTemplateExplodeSSLConfigsForAllVhnsAndVIPs(BufferedReader bufferedReader, BufferedWriter bufferedWriter) throws IOException, ProxyConfException {
        if (mDomainReverseProxyAttrs.size() > 0) {
            Iterator<DomainAttrItem> it = mDomainReverseProxyAttrs.iterator();
            fillVarsWithDomainAttrs(it.next());
            List<String> expandTemplateAndCache = expandTemplateAndCache(bufferedReader, bufferedWriter);
            bufferedWriter.newLine();
            while (it.hasNext()) {
                fillVarsWithDomainAttrs(it.next());
                expandTempateFromCache(expandTemplateAndCache, bufferedWriter);
                bufferedWriter.newLine();
            }
        }
    }

    private static void expandTemplateByExplodeDomain(BufferedReader bufferedReader, BufferedWriter bufferedWriter, String[] strArr) throws IOException, ProxyConfException {
        List<String> list = null;
        if (mDomainReverseProxyAttrs.size() > 0) {
            Iterator<DomainAttrItem> it = mDomainReverseProxyAttrs.iterator();
            while (list == null && it.hasNext()) {
                DomainAttrItem next = it.next();
                if (next instanceof DomainAttrExceptionItem) {
                    throw ((DomainAttrExceptionItem) next).exception;
                }
                if (isRequiredAttrsValid(next, strArr)) {
                    fillVarsWithDomainAttrs(next);
                    list = expandTemplateAndCache(bufferedReader, bufferedWriter);
                    bufferedWriter.newLine();
                }
            }
            while (it.hasNext()) {
                DomainAttrItem next2 = it.next();
                if (next2 instanceof DomainAttrExceptionItem) {
                    throw ((DomainAttrExceptionItem) next2).exception;
                }
                if (isRequiredAttrsValid(next2, strArr)) {
                    fillVarsWithDomainAttrs(next2);
                    expandTempateFromCache(list, bufferedWriter);
                    bufferedWriter.newLine();
                }
            }
        }
    }

    private static boolean isRequiredAttrsValid(DomainAttrItem domainAttrItem, String[] strArr) {
        for (String str : strArr) {
            if (str.equals("vhn")) {
                if (domainAttrItem.virtualHostname == null || domainAttrItem.virtualHostname.equals("")) {
                    return false;
                }
            } else if (str.equals("sso") && (domainAttrItem.clientCertMode == null || domainAttrItem.clientCertMode.equals("") || domainAttrItem.clientCertMode.equals("off"))) {
                return false;
            }
        }
        return true;
    }

    private static void fillVarsWithDomainAttrs(DomainAttrItem domainAttrItem) throws UnknownHostException, ProxyConfException {
        mVars.put("vhn", domainAttrItem.virtualHostname);
        try {
            InetAddress byName = domainAttrItem.virtualIPAddress == null ? InetAddress.getByName(domainAttrItem.virtualHostname) : InetAddress.getByName(domainAttrItem.virtualIPAddress);
            if (IPModeEnablerVar.getZimbraIPMode() != IPModeEnablerVar.IPMode.BOTH) {
                if (IPModeEnablerVar.getZimbraIPMode() == IPModeEnablerVar.IPMode.IPV4_ONLY && (byName instanceof Inet6Address)) {
                    String str = byName.getHostAddress() + " is an IPv6 address but zimbraIPMode is 'ipv4'";
                    mLog.error(str);
                    throw new ProxyConfException(str);
                }
                if (IPModeEnablerVar.getZimbraIPMode() == IPModeEnablerVar.IPMode.IPV6_ONLY && (byName instanceof Inet4Address)) {
                    String str2 = byName.getHostAddress() + " is an IPv4 address but zimbraIPMode is 'ipv6'";
                    mLog.error(str2);
                    throw new ProxyConfException(str2);
                }
            }
            boolean booleanAttr = ProxyConfVar.serverSource.getBooleanAttr("zimbraReverseProxySNIEnabled", false);
            if (byName instanceof Inet6Address) {
                if (booleanAttr) {
                    mVars.put("vip", "[::]:");
                } else {
                    mVars.put("vip", "[" + byName.getHostAddress() + "]:");
                }
            } else if (booleanAttr) {
                mVars.put("vip", "");
            } else {
                mVars.put("vip", byName.getHostAddress() + ":");
            }
            ArrayList arrayList = new ArrayList();
            for (int i = 0; i < domainAttrItem.rspHeaders.length; i++) {
                arrayList.add(domainAttrItem.rspHeaders[i]);
            }
            mDomainConfVars.put("web.add.headers.vhost", new AddHeadersVar("web.add.headers.vhost", arrayList, "add_header directive for vhost web proxy"));
            mLog.debug("Updating Default Domain Variable Map");
            try {
                updateDefaultDomainVars();
            } catch (ProxyConfException e) {
                handleException(e);
            } catch (ServiceException e2) {
                handleException(e2);
            }
            if (domainAttrItem.sslCertificate != null) {
                mVars.put("ssl.crt", mDomainSSLDir + File.separator + domainAttrItem.domainName + mSSLCrtExt);
            } else {
                mVars.put("ssl.crt", mVars.get("ssl.crt.default"));
            }
            if (domainAttrItem.sslPrivateKey != null) {
                mVars.put("ssl.key", mDomainSSLDir + File.separator + domainAttrItem.domainName + mSSLKeyExt);
            } else {
                mVars.put("ssl.key", mVars.get("ssl.key.default"));
            }
            if (domainAttrItem.clientCertMode != null) {
                mVars.put("ssl.clientcertmode", domainAttrItem.clientCertMode);
                if (domainAttrItem.clientCertMode.equals("on") || domainAttrItem.clientCertMode.equals("optional")) {
                    mVars.put("web.sso.certauth.enabled", "");
                } else {
                    mVars.put("web.sso.certauth.enabled", "#");
                }
            } else {
                mVars.put("ssl.clientcertmode", mVars.get("ssl.clientcertmode.default"));
            }
            if (domainAttrItem.clientCertCa != null) {
                mVars.put("ssl.clientcertca", getClientCertCaPathByDomain(domainAttrItem.domainName));
            } else {
                mVars.put("ssl.clientcertca", mVars.get("ssl.clientcertca.default"));
            }
        } catch (UnknownHostException e3) {
            throw new ProxyConfException("virtual host name \"" + domainAttrItem.virtualHostname + "\" is not resolvable", e3);
        }
    }

    private static List<String> expandTemplateAndCache(BufferedReader bufferedReader, BufferedWriter bufferedWriter) throws IOException {
        ArrayList arrayList = new ArrayList(50);
        while (true) {
            String readLine = bufferedReader.readLine();
            if (readLine == null) {
                return arrayList;
            }
            if (!readLine.startsWith("#")) {
                arrayList.add(readLine);
            }
            bufferedWriter.write(StringUtil.fillTemplate(readLine, mVars));
            bufferedWriter.newLine();
        }
    }

    private static void expandTemplateSimple(BufferedReader bufferedReader, BufferedWriter bufferedWriter) throws IOException {
        while (true) {
            String readLine = bufferedReader.readLine();
            if (readLine == null) {
                return;
            }
            bufferedWriter.write(StringUtil.fillTemplate(readLine, mVars));
            bufferedWriter.newLine();
        }
    }

    private static void expandTempateFromCache(List<String> list, BufferedWriter bufferedWriter) throws IOException {
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            bufferedWriter.write(StringUtil.fillTemplate(it.next(), mVars));
            bufferedWriter.newLine();
        }
    }

    public static void displayDefaultVariables() throws ProxyConfException {
        for (ProxyConfVar proxyConfVar : mConfVars.values()) {
            if (proxyConfVar instanceof TimeInSecVarWrapper) {
                proxyConfVar = ((TimeInSecVarWrapper) proxyConfVar).mVar;
            }
            proxyConfVar.write(System.out);
        }
    }

    public static void displayVariables() throws ProxyConfException {
        Iterator it = new TreeSet(mVars.keySet()).iterator();
        while (it.hasNext()) {
            ProxyConfVar proxyConfVar = mConfVars.get((String) it.next());
            if (proxyConfVar instanceof TimeInSecVarWrapper) {
                proxyConfVar = ((TimeInSecVarWrapper) proxyConfVar).mVar;
            }
            proxyConfVar.write(System.out);
        }
    }

    public static void buildDefaultVars() {
        mConfVars.put("core.workdir", new ProxyConfVar("core.workdir", null, mWorkingDir, ProxyConfValueType.STRING, ProxyConfOverride.NONE, "Working Directory for NGINX worker processes"));
        mConfVars.put("core.includes", new ProxyConfVar("core.includes", null, mConfIncludesDir, ProxyConfValueType.STRING, ProxyConfOverride.NONE, "Include directory (relative to ${core.workdir}/conf)"));
        mConfVars.put("core.cprefix", new ProxyConfVar("core.cprefix", null, mConfPrefix, ProxyConfValueType.STRING, ProxyConfOverride.NONE, "Common config file prefix"));
        mConfVars.put("core.tprefix", new ProxyConfVar("core.tprefix", null, mTemplatePrefix, ProxyConfValueType.STRING, ProxyConfOverride.NONE, "Common template file prefix"));
        mConfVars.put("core.ipv4only.enabled", new IPv4OnlyEnablerVar());
        mConfVars.put("core.ipv6only.enabled", new IPv6OnlyEnablerVar());
        mConfVars.put("core.ipboth.enabled", new IPBothEnablerVar());
        mConfVars.put("ssl.crt.default", new ProxyConfVar("ssl.crt.default", null, mDefaultSSLCrt, ProxyConfValueType.STRING, ProxyConfOverride.NONE, "default nginx certificate file path"));
        mConfVars.put("ssl.key.default", new ProxyConfVar("ssl.key.default", null, mDefaultSSLKey, ProxyConfValueType.STRING, ProxyConfOverride.NONE, "default nginx private key file path"));
        mConfVars.put("ssl.clientcertmode.default", new ProxyConfVar("ssl.clientcertmode.default", "zimbraReverseProxyClientCertMode", "off", ProxyConfValueType.STRING, ProxyConfOverride.SERVER, "enable authentication via X.509 Client Certificate in nginx proxy (https only)"));
        mConfVars.put("ssl.clientcertca.default", new ClientCertAuthDefaultCAVar());
        mConfVars.put("ssl.clientcertdepth.default", new ProxyConfVar("ssl.clientcertdepth.default", "zimbraReverseProxyClientCertDepth", new Integer(10), ProxyConfValueType.INTEGER, ProxyConfOverride.NONE, "indicate how depth the verification will load the ca chain. This is useful when client crt is signed by multiple intermediate ca"));
        mConfVars.put("main.user", new ProxyConfVar("main.user", null, "zimbra", ProxyConfValueType.STRING, ProxyConfOverride.NONE, "The user as which the worker processes will run"));
        mConfVars.put("main.group", new ProxyConfVar("main.group", null, "zimbra", ProxyConfValueType.STRING, ProxyConfOverride.NONE, "The group as which the worker processes will run"));
        mConfVars.put("main.workers", new ProxyConfVar("main.workers", "zimbraReverseProxyWorkerProcesses", new Integer(4), ProxyConfValueType.INTEGER, ProxyConfOverride.SERVER, "Number of worker processes"));
        mConfVars.put("main.pidfile", new ProxyConfVar("main.pidfile", null, mWorkingDir + "/log/nginx.pid", ProxyConfValueType.STRING, ProxyConfOverride.NONE, "PID file path (relative to ${core.workdir})"));
        mConfVars.put("main.logfile", new ProxyConfVar("main.logfile", null, mWorkingDir + "/log/nginx.log", ProxyConfValueType.STRING, ProxyConfOverride.NONE, "Log file path (relative to ${core.workdir})"));
        mConfVars.put("main.loglevel", new ProxyConfVar("main.loglevel", "zimbraReverseProxyLogLevel", "info", ProxyConfValueType.STRING, ProxyConfOverride.SERVER, "Log level - can be debug|info|notice|warn|error|crit"));
        mConfVars.put("main.connections", new ProxyConfVar("main.connections", "zimbraReverseProxyWorkerConnections", new Integer(10240), ProxyConfValueType.INTEGER, ProxyConfOverride.SERVER, "Maximum number of simultaneous connections per worker process"));
        mConfVars.put("main.krb5keytab", new ProxyConfVar("main.krb5keytab", "krb5_keytab", "/opt/zimbra/conf/krb5.keytab", ProxyConfValueType.STRING, ProxyConfOverride.LOCALCONFIG, "Path to kerberos keytab file used for GSSAPI authentication"));
        mConfVars.put("memcache.:servers", new MemcacheServersVar());
        mConfVars.put("memcache.timeout", new ProxyConfVar("memcache.timeout", "zimbraReverseProxyCacheFetchTimeout", new Long(3000L), ProxyConfValueType.TIME, ProxyConfOverride.CONFIG, "Time (ms) given to a cache-fetch operation to complete"));
        mConfVars.put("memcache.reconnect", new ProxyConfVar("memcache.reconnect", "zimbraReverseProxyCacheReconnectInterval", new Long(60000L), ProxyConfValueType.TIME, ProxyConfOverride.CONFIG, "Time (ms) after which NGINX will attempt to re-establish a broken connection to a memcache server"));
        mConfVars.put("memcache.ttl", new ProxyConfVar("memcache.ttl", "zimbraReverseProxyCacheEntryTTL", new Long(3600000L), ProxyConfValueType.TIME, ProxyConfOverride.CONFIG, "Time interval (ms) for which cached entries remain in memcache"));
        mConfVars.put("mail.ctimeout", new ProxyConfVar("mail.ctimeout", "zimbraReverseProxyConnectTimeout", new Long(120000L), ProxyConfValueType.TIME, ProxyConfOverride.SERVER, "Time interval (ms) after which a POP/IMAP proxy connection to a remote host will give up"));
        mConfVars.put("mail.pop3.timeout", new ProxyConfVar("mail.pop3.timeout", "pop3_max_idle_time", 60, ProxyConfValueType.INTEGER, ProxyConfOverride.LOCALCONFIG, "pop3 network timeout before authentication"));
        mConfVars.put("mail.pop3.proxytimeout", new ProxyConfVar("mail.pop3.proxytimeout", "pop3_max_idle_time", 60, ProxyConfValueType.INTEGER, ProxyConfOverride.LOCALCONFIG, "pop3 network timeout after authentication"));
        mConfVars.put("mail.imap.timeout", new ProxyConfVar("mail.imap.timeout", "imap_max_idle_time", 60, ProxyConfValueType.INTEGER, ProxyConfOverride.LOCALCONFIG, "imap network timeout before authentication"));
        mConfVars.put("mail.imap.proxytimeout", new TimeoutVar("mail.imap.proxytimeout", "imap_authenticated_max_idle_time", 1800, ProxyConfOverride.LOCALCONFIG, OAuthTokenCache.OAUTH_TOKEN_EXPIRY, "imap network timeout after authentication"));
        mConfVars.put("mail.passerrors", new ProxyConfVar("mail.passerrors", "zimbraReverseProxyPassErrors", true, ProxyConfValueType.BOOLEAN, ProxyConfOverride.SERVER, "Indicates whether mail proxy will pass any protocol specific errors from the upstream server back to the downstream client"));
        mConfVars.put("mail.auth_http_timeout", new ProxyConfVar("mail.auth_http_timeout", "zimbraReverseProxyRouteLookupTimeout", new Long(15000L), ProxyConfValueType.TIME, ProxyConfOverride.SERVER, "Time interval (ms) given to mail route lookup handler to respond to route lookup request (after this time elapses, Proxy fails over to next handler, or fails the request if there are no more lookup handlers)"));
        mConfVars.put("mail.authwait", new ProxyConfVar("mail.authwait", "zimbraReverseProxyAuthWaitInterval", new Long(10000L), ProxyConfValueType.TIME, ProxyConfOverride.CONFIG, "Time delay (ms) after which an incorrect POP/IMAP login attempt will be rejected"));
        mConfVars.put("mail.pop3capa", new Pop3CapaVar());
        mConfVars.put("mail.imapcapa", new ImapCapaVar());
        mConfVars.put("mail.imapid", new ProxyConfVar("mail.imapid", null, "\"NAME\" \"Zimbra\" \"VERSION\" \"" + BuildInfo.VERSION + "\" \"RELEASE\" \"" + BuildInfo.RELEASE + "\"", ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "NGINX response to IMAP ID command"));
        mConfVars.put("mail.defaultrealm", new ProxyConfVar("mail.defaultrealm", "zimbraReverseProxyDefaultRealm", "", ProxyConfValueType.STRING, ProxyConfOverride.SERVER, "Default SASL realm used in case Kerberos principal does not contain realm information"));
        mConfVars.put("mail.sasl_host_from_ip", new SaslHostFromIPVar());
        mConfVars.put("mail.saslapp", new ProxyConfVar("mail.saslapp", null, "nginx", ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Application name used by NGINX to initialize SASL authentication"));
        mConfVars.put("mail.ipmax", new ProxyConfVar("mail.ipmax", "zimbraReverseProxyIPLoginLimit", new Integer(0), ProxyConfValueType.INTEGER, ProxyConfOverride.CONFIG, "IP Login Limit (Throttle) - 0 means infinity"));
        mConfVars.put("mail.ipttl", new ProxyConfVar("mail.ipttl", "zimbraReverseProxyIPLoginLimitTime", new Long(3600000L), ProxyConfValueType.TIME, ProxyConfOverride.CONFIG, "Time interval (ms) after which IP Login Counter is reset"));
        mConfVars.put("mail.imapmax", new ProxyConfVar("mail.imapmax", "zimbraReverseProxyIPLoginImapLimit", new Integer(0), ProxyConfValueType.INTEGER, ProxyConfOverride.CONFIG, "IMAP Login Limit (Throttle) - 0 means infinity"));
        mConfVars.put("mail.imapttl", new ProxyConfVar("mail.imapttl", "zimbraReverseProxyIPLoginImapLimitTime", new Long(3600000L), ProxyConfValueType.TIME, ProxyConfOverride.CONFIG, "Time interval (ms) after which IMAP Login Counter is reset"));
        mConfVars.put("mail.pop3max", new ProxyConfVar("mail.pop3max", "zimbraReverseProxyIPLoginPop3Limit", new Integer(0), ProxyConfValueType.INTEGER, ProxyConfOverride.CONFIG, "POP3 Login Limit (Throttle) - 0 means infinity"));
        mConfVars.put("mail.pop3ttl", new ProxyConfVar("mail.pop3ttl", "zimbraReverseProxyIPLoginPop3LimitTime", new Long(3600000L), ProxyConfValueType.TIME, ProxyConfOverride.CONFIG, "Time interval (ms) after which POP3 Login Counter is reset"));
        mConfVars.put("mail.iprej", new ProxyConfVar("mail.iprej", "zimbraReverseProxyIpThrottleMsg", "Login rejected from this IP", ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Rejection message for IP throttle"));
        mConfVars.put("mail.usermax", new ProxyConfVar("mail.usermax", "zimbraReverseProxyUserLoginLimit", new Integer(0), ProxyConfValueType.INTEGER, ProxyConfOverride.CONFIG, "User Login Limit (Throttle) - 0 means infinity"));
        mConfVars.put("mail.userttl", new ProxyConfVar("mail.userttl", "zimbraReverseProxyUserLoginLimitTime", new Long(3600000L), ProxyConfValueType.TIME, ProxyConfOverride.CONFIG, "Time interval (ms) after which User Login Counter is reset"));
        mConfVars.put("mail.userrej", new ProxyConfVar("mail.userrej", "zimbraReverseProxyUserThrottleMsg", "Login rejected for this user", ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Rejection message for User throttle"));
        mConfVars.put("mail.upstream.pop3xoip", new ProxyConfVar("mail.upstream.pop3xoip", "zimbraReverseProxySendPop3Xoip", true, ProxyConfValueType.BOOLEAN, ProxyConfOverride.CONFIG, "Whether NGINX issues the POP3 XOIP command to the upstream server prior to logging in (audit purpose)"));
        mConfVars.put("mail.upstream.imapid", new ProxyConfVar("mail.upstream.imapid", "zimbraReverseProxySendImapId", true, ProxyConfValueType.BOOLEAN, ProxyConfOverride.CONFIG, "Whether NGINX issues the IMAP ID command to the upstream server prior to logging in (audit purpose)"));
        mConfVars.put("mail.ssl.protocols", new MailSSLProtocolsVar());
        mConfVars.put("mail.ssl.preferserverciphers", new ProxyConfVar("mail.ssl.preferserverciphers", null, true, ProxyConfValueType.BOOLEAN, ProxyConfOverride.CONFIG, "Requires TLS protocol server ciphers be preferred over the client's ciphers"));
        mConfVars.put("mail.ssl.ciphers", new ProxyConfVar("mail.ssl.ciphers", "zimbraReverseProxySSLCiphers", "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4", ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Permitted ciphers for mail proxy"));
        mConfVars.put("mail.ssl.ecdh.curve", new ProxyConfVar("mail.ssl.ecdh.curve", "zimbraReverseProxySSLECDHCurve", "prime256v1", ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "SSL ECDH cipher curve for mail proxy"));
        mConfVars.put("mail.imap.authplain.enabled", new ProxyConfVar("mail.imap.authplain.enabled", "zimbraReverseProxyImapSaslPlainEnabled", true, ProxyConfValueType.ENABLER, ProxyConfOverride.SERVER, "Whether SASL PLAIN is enabled for IMAP"));
        mConfVars.put("mail.imap.authgssapi.enabled", new ProxyConfVar("mail.imap.authgssapi.enabled", "zimbraReverseProxyImapSaslGssapiEnabled", false, ProxyConfValueType.ENABLER, ProxyConfOverride.SERVER, "Whether SASL GSSAPI is enabled for IMAP"));
        mConfVars.put("mail.pop3.authplain.enabled", new ProxyConfVar("mail.pop3.authplain.enabled", "zimbraReverseProxyPop3SaslPlainEnabled", true, ProxyConfValueType.ENABLER, ProxyConfOverride.SERVER, "Whether SASL PLAIN is enabled for POP3"));
        mConfVars.put("mail.pop3.authgssapi.enabled", new ProxyConfVar("mail.pop3.authgssapi.enabled", "zimbraReverseProxyPop3SaslGssapiEnabled", false, ProxyConfValueType.ENABLER, ProxyConfOverride.SERVER, "Whether SASL GSSAPI is enabled for POP3"));
        mConfVars.put("mail.imap.literalauth", new ProxyConfVar("mail.imap.literalauth", null, true, ProxyConfValueType.BOOLEAN, ProxyConfOverride.CONFIG, "Whether NGINX uses literal strings for user name/password when logging in to upstream IMAP server - if false, NGINX uses quoted strings"));
        mConfVars.put("mail.imap.port", new ProxyConfVar("mail.imap.port", "zimbraImapProxyBindPort", new Integer(143), ProxyConfValueType.INTEGER, ProxyConfOverride.SERVER, "Mail Proxy IMAP Port"));
        mConfVars.put("mail.imap.tls", new ProxyConfVar("mail.imap.tls", "zimbraReverseProxyImapStartTlsMode", "only", ProxyConfValueType.STRING, ProxyConfOverride.SERVER, "TLS support for IMAP - can be on|off|only - on indicates TLS support present, off indicates TLS support absent, only indicates TLS is enforced on unsecure channel"));
        mConfVars.put("mail.imaps.port", new ProxyConfVar("mail.imaps.port", "zimbraImapSSLProxyBindPort", new Integer(993), ProxyConfValueType.INTEGER, ProxyConfOverride.SERVER, "Mail Proxy IMAPS Port"));
        mConfVars.put("mail.pop3.port", new ProxyConfVar("mail.pop3.port", "zimbraPop3ProxyBindPort", new Integer(110), ProxyConfValueType.INTEGER, ProxyConfOverride.SERVER, "Mail Proxy POP3 Port"));
        mConfVars.put("mail.pop3.tls", new ProxyConfVar("mail.pop3.tls", "zimbraReverseProxyPop3StartTlsMode", "only", ProxyConfValueType.STRING, ProxyConfOverride.SERVER, "TLS support for POP3 - can be on|off|only - on indicates TLS support present, off indicates TLS support absent, only indicates TLS is enforced on unsecure channel"));
        mConfVars.put("mail.pop3s.port", new ProxyConfVar("mail.pop3s.port", "zimbraPop3SSLProxyBindPort", new Integer(995), ProxyConfValueType.INTEGER, ProxyConfOverride.SERVER, "Mail Proxy POP3S Port"));
        mConfVars.put("mail.imap.greeting", new ImapGreetingVar());
        mConfVars.put("mail.pop3.greeting", new Pop3GreetingVar());
        mConfVars.put("mail.enabled", new ProxyConfVar("mail.enabled", "zimbraReverseProxyMailEnabled", true, ProxyConfValueType.ENABLER, ProxyConfOverride.SERVER, "Indicates whether Mail Proxy is enabled"));
        mConfVars.put("mail.imap.enabled", new ProxyConfVar("mail.imap.enabled", "zimbraReverseProxyMailImapEnabled", true, ProxyConfValueType.ENABLER, ProxyConfOverride.SERVER, "Indicates whether Imap Mail Proxy is enabled"));
        mConfVars.put("mail.imaps.enabled", new ProxyConfVar("mail.imaps.enabled", "zimbraReverseProxyMailImapsEnabled", true, ProxyConfValueType.ENABLER, ProxyConfOverride.SERVER, "Indicates whether Imaps Mail Proxy is enabled"));
        mConfVars.put("mail.pop3.enabled", new ProxyConfVar("mail.pop3.enabled", "zimbraReverseProxyMailPop3Enabled", true, ProxyConfValueType.ENABLER, ProxyConfOverride.SERVER, "Indicates whether Pop Mail Proxy is enabled"));
        mConfVars.put("mail.pop3s.enabled", new ProxyConfVar("mail.pop3s.enabled", "zimbraReverseProxyMailPop3sEnabled", true, ProxyConfValueType.ENABLER, ProxyConfOverride.SERVER, "Indicates whether Pops Mail Proxy is enabled"));
        mConfVars.put("mail.proxy.ssl", new ProxyConfVar("mail.proxy.ssl", "zimbraReverseProxySSLToUpstreamEnabled", true, ProxyConfValueType.BOOLEAN, ProxyConfOverride.SERVER, "Indicates whether using SSL to connect to upstream mail server"));
        mConfVars.put("mail.whitelistip.:servers", new ReverseProxyIPThrottleWhitelist());
        mConfVars.put("mail.whitelist.ttl", new TimeInSecVarWrapper(new ProxyConfVar("mail.whitelist.ttl", "zimbraReverseProxyIPThrottleWhitelistTime", new Long(300000L), ProxyConfValueType.TIME, ProxyConfOverride.CONFIG, "Time-to-live, in seconds, of the list of servers for which IP throttling is disabled")));
        mConfVars.put("web.logfile", new ProxyConfVar("web.logfile", null, mWorkingDir + "/log/nginx.access.log", ProxyConfValueType.STRING, ProxyConfOverride.NONE, "Access log file path (relative to ${core.workdir})"));
        mConfVars.put("web.mailmode", new ProxyConfVar("web.mailmode", "zimbraReverseProxyMailMode", "both", ProxyConfValueType.STRING, ProxyConfOverride.SERVER, "Reverse Proxy Mail Mode - can be http|https|both|redirect|mixed"));
        mConfVars.put("web.server_name.default", new ProxyConfVar("web.server_name.default", "zimbra_server_hostname", "localhost", ProxyConfValueType.STRING, ProxyConfOverride.LOCALCONFIG, "The server name for default server config"));
        mConfVars.put("web.upstream.name", new ProxyConfVar("web.upstream.name", null, "zimbra", ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Symbolic name for HTTP upstream cluster"));
        mConfVars.put("web.upstream.webclient.name", new ProxyConfVar("web.upstream.webclient.name", null, ZIMBRA_UPSTREAM_WEBCLIENT_NAME, ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Symbolic name for HTTP upstream webclient cluster"));
        mConfVars.put("web.ssl.upstream.name", new ProxyConfVar("web.ssl.upstream.name", null, ZIMBRA_SSL_UPSTREAM_NAME, ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Symbolic name for HTTPS upstream cluster"));
        mConfVars.put("web.ssl.upstream.webclient.name", new ProxyConfVar("web.ssl.upstream.webclient.name", null, ZIMBRA_SSL_UPSTREAM_WEBCLIENT_NAME, ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Symbolic name for HTTPS upstream webclient cluster"));
        mConfVars.put("web.upstream.:servers", new WebUpstreamServersVar());
        mConfVars.put("web.upstream.webclient.:servers", new WebUpstreamClientServersVar());
        mConfVars.put("web.server_names.max_size", new ProxyConfVar("web.server_names.max_size", "proxy_server_names_hash_max_size", 512, ProxyConfValueType.INTEGER, ProxyConfOverride.LOCALCONFIG, "the server names hash max size, needed to be increased if too many virtual host names are added"));
        mConfVars.put("web.server_names.bucket_size", new ProxyConfVar("web.server_names.bucket_size", "proxy_server_names_hash_bucket_size", 64, ProxyConfValueType.INTEGER, ProxyConfOverride.LOCALCONFIG, "the server names hash bucket size, needed to be increased if too many virtual host names are added"));
        mConfVars.put("web.ssl.upstream.:servers", new WebSSLUpstreamServersVar());
        mConfVars.put("web.ssl.upstream.webclient.:servers", new WebSSLUpstreamClientServersVar());
        mConfVars.put("web.uploadmax", new ProxyConfVar("web.uploadmax", "zimbraFileUploadMaxSize", new Long(10485760L), ProxyConfValueType.LONG, ProxyConfOverride.SERVER, "Maximum accepted client request body size (indicated by Content-Length) - if content length exceeds this limit, then request fails with HTTP 413"));
        mConfVars.put("web.:error_pages", new ErrorPagesVar());
        mConfVars.put("web.http.port", new ProxyConfVar("web.http.port", "zimbraMailProxyPort", new Integer(0), ProxyConfValueType.INTEGER, ProxyConfOverride.SERVER, "Web Proxy HTTP Port"));
        mConfVars.put("web.http.maxbody", new ProxyConfVar("web.http.maxbody", "zimbraFileUploadMaxSize", new Long(10485760L), ProxyConfValueType.LONG, ProxyConfOverride.SERVER, "Maximum accepted client request body size (indicated by Content-Length) - if content length exceeds this limit, then request fails with HTTP 413"));
        mConfVars.put("web.https.port", new ProxyConfVar("web.https.port", "zimbraMailSSLProxyPort", new Integer(0), ProxyConfValueType.INTEGER, ProxyConfOverride.SERVER, "Web Proxy HTTPS Port"));
        mConfVars.put("web.https.maxbody", new ProxyConfVar("web.https.maxbody", "zimbraFileUploadMaxSize", new Long(10485760L), ProxyConfValueType.LONG, ProxyConfOverride.SERVER, "Maximum accepted client request body size (indicated by Content-Length) - if content length exceeds this limit, then request fails with HTTP 413"));
        mConfVars.put("web.ssl.protocols", new WebSSLProtocolsVar());
        mConfVars.put("web.ssl.preferserverciphers", new ProxyConfVar("web.ssl.preferserverciphers", null, true, ProxyConfValueType.BOOLEAN, ProxyConfOverride.CONFIG, "Requires TLS protocol server ciphers be preferred over the client's ciphers"));
        mConfVars.put("web.ssl.ciphers", new ProxyConfVar("web.ssl.ciphers", "zimbraReverseProxySSLCiphers", "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4", ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Permitted ciphers for web proxy"));
        mConfVars.put("web.ssl.ecdh.curve", new ProxyConfVar("web.ssl.ecdh.curve", "zimbraReverseProxySSLECDHCurve", "prime256v1", ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "SSL ECDH cipher curve for web proxy"));
        mConfVars.put("web.http.uport", new ProxyConfVar("web.http.uport", "zimbraMailPort", new Integer(80), ProxyConfValueType.INTEGER, ProxyConfOverride.SERVER, "Web upstream server port"));
        mConfVars.put("web.upstream.connect.timeout", new ProxyConfVar("web.upstream.connect.timeout", "zimbraReverseProxyUpstreamConnectTimeout", new Integer(25), ProxyConfValueType.INTEGER, ProxyConfOverride.SERVER, "upstream connect timeout"));
        mConfVars.put("web.upstream.read.timeout", new TimeInSecVarWrapper(new ProxyConfVar("web.upstream.read.timeout", "zimbraReverseProxyUpstreamReadTimeout", new Long(60L), ProxyConfValueType.TIME, ProxyConfOverride.SERVER, "upstream read timeout")));
        mConfVars.put("web.upstream.send.timeout", new TimeInSecVarWrapper(new ProxyConfVar("web.upstream.send.timeout", "zimbraReverseProxyUpstreamSendTimeout", new Long(60L), ProxyConfValueType.TIME, ProxyConfOverride.SERVER, "upstream send timeout")));
        mConfVars.put("web.upstream.polling.timeout", new TimeInSecVarWrapper(new ProxyConfVar("web.upstream.polling.timeout", "zimbraReverseProxyUpstreamPollingTimeout", new Long(3600L), ProxyConfValueType.TIME, ProxyConfOverride.SERVER, "the response timeout for Microsoft Active Sync polling")));
        mConfVars.put("web.enabled", new ProxyConfVar("web.enabled", "zimbraReverseProxyHttpEnabled", false, ProxyConfValueType.ENABLER, ProxyConfOverride.SERVER, "Indicates whether HTTP proxying is enabled"));
        mConfVars.put("web.upstream.exactversioncheck", new ProxyConfVar("web.upstream.exactversioncheck", "zimbraReverseProxyExactServerVersionCheck", "on", ProxyConfValueType.STRING, ProxyConfOverride.SERVER, "Indicates whether nginx will match exact server version against the version received in the client request"));
        mConfVars.put("web.http.enabled", new HttpEnablerVar());
        mConfVars.put("web.https.enabled", new HttpsEnablerVar());
        mConfVars.put("web.upstream.target", new WebProxyUpstreamTargetVar());
        mConfVars.put("web.upstream.webclient.target", new WebProxyUpstreamClientTargetVar());
        mConfVars.put("lookup.available", new ZMLookupAvailableVar());
        mConfVars.put("web.available", new ZMWebAvailableVar());
        mConfVars.put("zmlookup.:handlers", new ZMLookupHandlerVar());
        mConfVars.put("zmlookup.timeout", new ProxyConfVar("zmlookup.timeout", "zimbraReverseProxyRouteLookupTimeout", new Long(15000L), ProxyConfValueType.TIME, ProxyConfOverride.SERVER, "Time interval (ms) given to lookup handler to respond to route lookup request (after this time elapses, Proxy fails over to next handler, or fails the request if there are no more lookup handlers)"));
        mConfVars.put("zmlookup.retryinterval", new ProxyConfVar("zmlookup.retryinterval", "zimbraReverseProxyRouteLookupTimeoutCache", new Long(60000L), ProxyConfValueType.TIME, ProxyConfOverride.SERVER, "Time interval (ms) given to lookup handler to cache a failed response to route a previous lookup request (after this time elapses, Proxy retries this host)"));
        mConfVars.put("zmlookup.dpasswd", new ProxyConfVar("zmlookup.dpasswd", "ldap_nginx_password", "zmnginx", ProxyConfValueType.STRING, ProxyConfOverride.LOCALCONFIG, "Password for master credentials used by NGINX to log in to upstream for GSSAPI authentication"));
        mConfVars.put("zmlookup.caching", new ProxyConfVar("zmlookup.caching", "zimbraReverseProxyZmlookupCachingEnabled", true, ProxyConfValueType.BOOLEAN, ProxyConfOverride.SERVER, "Whether to turn on nginx lookup caching"));
        mConfVars.put("zmprefix.url", new ProxyConfVar("zmprefix.url", "zimbraMailURL", "/", ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "http URL prefix for where the zimbra app resides on upstream server"));
        mConfVars.put("web.sso.certauth.port", new ProxyConfVar("web.sso.certauth.port", "zimbraMailSSLProxyClientCertPort", new Integer(0), ProxyConfValueType.INTEGER, ProxyConfOverride.SERVER, "reverse proxy client cert auth port"));
        mConfVars.put("web.sso.certauth.default.enabled", new ZMSSOCertAuthDefaultEnablerVar());
        mConfVars.put("web.sso.enabled", new ZMSSOEnablerVar());
        mConfVars.put("web.sso.default.enabled", new ZMSSODefaultEnablerVar());
        mConfVars.put("web.admin.default.enabled", new ProxyConfVar("web.admin.default.enabled", "zimbraReverseProxyAdminEnabled", new Boolean(false), ProxyConfValueType.ENABLER, ProxyConfOverride.SERVER, "Inidicate whether admin console proxy is enabled"));
        mConfVars.put("web.admin.port", new ProxyConfVar("web.admin.port", "zimbraAdminProxyPort", new Integer(9071), ProxyConfValueType.INTEGER, ProxyConfOverride.SERVER, "Admin console proxy port"));
        mConfVars.put("web.admin.uport", new ProxyConfVar("web.admin.uport", "zimbraAdminPort", new Integer(7071), ProxyConfValueType.INTEGER, ProxyConfOverride.SERVER, "Admin console upstream port"));
        mConfVars.put("web.admin.upstream.name", new ProxyConfVar("web.admin.upstream.name", null, ZIMBRA_ADMIN_CONSOLE_UPSTREAM_NAME, ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Symbolic name for admin console upstream cluster"));
        mConfVars.put("web.admin.upstream.adminclient.name", new ProxyConfVar("web.admin.upstream.adminclient.name", null, ZIMBRA_ADMIN_CONSOLE_CLIENT_UPSTREAM_NAME, ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Symbolic name for admin client console upstream cluster"));
        mConfVars.put("web.admin.upstream.:servers", new WebAdminUpstreamServersVar());
        mConfVars.put("web.admin.upstream.adminclient.:servers", new WebAdminUpstreamAdminClientServersVar());
        mConfVars.put("web.upstream.noop.timeout", new TimeoutVar("web.upstream.noop.timeout", "zimbra_noop_max_timeout", 1200, ProxyConfOverride.LOCALCONFIG, 20, "the response timeout for NoOpRequest"));
        mConfVars.put("web.upstream.waitset.timeout", new TimeoutVar("web.upstream.waitset.timeout", "zimbra_waitset_max_request_timeout", 1200, ProxyConfOverride.LOCALCONFIG, 20, "the response timeout for WaitSetRequest"));
        mConfVars.put("main.accept_mutex", new ProxyConfVar("main.accept_mutex", "zimbraReverseProxyAcceptMutex", "on", ProxyConfValueType.STRING, ProxyConfOverride.SERVER, "accept_mutex flag for NGINX - can be on|off - on indicates regular distribution, off gets better distribution of client connections between workers"));
        mConfVars.put("web.ews.upstream.disable", new EwsEnablerVar());
        mConfVars.put("web.upstream.ewsserver.:servers", new WebEwsUpstreamServersVar());
        mConfVars.put("web.ssl.upstream.ewsserver.:servers", new WebEwsSSLUpstreamServersVar());
        mConfVars.put("web.ews.upstream.name", new ProxyConfVar("web.ews.upstream.name", null, ZIMBRA_UPSTREAM_EWS_NAME, ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Symbolic name for ews upstream server cluster"));
        mConfVars.put("web.ssl.ews.upstream.name", new ProxyConfVar("web.ssl.ews.upstream.name", null, ZIMBRA_SSL_UPSTREAM_EWS_NAME, ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Symbolic name for https ews upstream server cluster"));
        mConfVars.put("web.login.upstream.disable", new LoginEnablerVar());
        mConfVars.put("web.upstream.loginserver.:servers", new WebLoginUpstreamServersVar());
        mConfVars.put("web.ssl.upstream.loginserver.:servers", new WebLoginSSLUpstreamServersVar());
        mConfVars.put("web.login.upstream.name", new ProxyConfVar("web.login.upstream.name", null, ZIMBRA_UPSTREAM_LOGIN_NAME, ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Symbolic name for upstream login server cluster"));
        mConfVars.put("web.ssl.login.upstream.name", new ProxyConfVar("web.ssl.login.upstream.name", null, ZIMBRA_SSL_UPSTREAM_LOGIN_NAME, ProxyConfValueType.STRING, ProxyConfOverride.CONFIG, "Symbolic name for https upstream login server cluster"));
        mConfVars.put("web.login.upstream.url", new ProxyConfVar("web.login.upstream.url", "zimbraMailURL", "/", ProxyConfValueType.STRING, ProxyConfOverride.SERVER, "Zimbra Login URL"));
        mConfVars.put("web.upstream.login.target", new WebProxyUpstreamLoginTargetVar());
        mConfVars.put("web.upstream.ews.target", new WebProxyUpstreamEwsTargetVar());
        mConfVars.put("ssl.session.timeout", new TimeInSecVarWrapper(new ProxyConfVar("ssl.session.timeout", "zimbraReverseProxySSLSessionTimeout", new Long(600L), ProxyConfValueType.TIME, ProxyConfOverride.SERVER, "SSL session timeout value for the proxy in secs")));
        mConfVars.put("ssl.session.cachesize", new WebSSLSessionCacheSizeVar());
        mConfVars.put("web.xmpp.upstream.proto", new XmppBoshProxyUpstreamProtoVar());
        mConfVars.put("web.xmpp.bosh.upstream.disable", new WebXmppBoshEnablerVar());
        mConfVars.put("web.xmpp.bosh.enabled", new ProxyConfVar("web.xmpp.bosh.enabled", "zimbraReverseProxyXmppBoshEnabled", true, ProxyConfValueType.ENABLER, ProxyConfOverride.SERVER, "Indicates whether XMPP/Bosh Reverse Proxy is enabled"));
        mConfVars.put("web.xmpp.local.bind.url", new ProxyConfVar("web.xmpp.local.bind.url", "zimbraReverseProxyXmppBoshLocalHttpBindURL", "/http-bind", ProxyConfValueType.STRING, ProxyConfOverride.SERVER, "Local HTTP-BIND URL prefix where ZWC sends XMPP over BOSH requests"));
        mConfVars.put("web.xmpp.remote.bind.url", new ProxyConfVar("web.xmpp.remote.bind.url", "zimbraReverseProxyXmppBoshRemoteHttpBindURL", "", ProxyConfValueType.STRING, ProxyConfOverride.SERVER, "Remote HTTP-BIND URL prefix for an external XMPP server where XMPP over BOSH requests need to be proxied"));
        mConfVars.put("web.xmpp.bosh.hostname", new ProxyConfVar("web.xmpp.bosh.hostname", "zimbraReverseProxyXmppBoshHostname", "", ProxyConfValueType.STRING, ProxyConfOverride.SERVER, "Hostname of the external XMPP server where XMPP over BOSH requests need to be proxied"));
        mConfVars.put("web.xmpp.bosh.port", new ProxyConfVar("web.xmpp.bosh.port", "zimbraReverseProxyXmppBoshPort", new Integer(0), ProxyConfValueType.INTEGER, ProxyConfOverride.SERVER, "Port number of the external XMPP server where XMPP over BOSH requests need to be proxied"));
        mConfVars.put("web.xmpp.bosh.timeout", new TimeInSecVarWrapper(new ProxyConfVar("web.xmpp.bosh.timeout", "zimbraReverseProxyXmppBoshTimeout", new Long(60L), ProxyConfValueType.TIME, ProxyConfOverride.SERVER, "the response timeout for an external XMPP/BOSH server")));
        mConfVars.put("web.xmpp.bosh.use_ssl", new ProxyConfVar("web.xmpp.bosh.use_ssl", "zimbraReverseProxyXmppBoshSSL", true, ProxyConfValueType.ENABLER, ProxyConfOverride.SERVER, "Indicates whether XMPP/Bosh uses SSL"));
        ProxyConfVar proxyConfVar = new ProxyConfVar("web.ssl.dhparam.file", null, mDefaultDhParamFile, ProxyConfValueType.STRING, ProxyConfOverride.NONE, "Filename with DH parameters for EDH ciphers to be used by the proxy");
        mConfVars.put("web.ssl.dhparam.enabled", new WebSSLDhparamEnablerVar(proxyConfVar));
        mConfVars.put("web.ssl.dhparam.file", proxyConfVar);
        String[] multiAttr = ProxyConfVar.configSource.getMultiAttr("zimbraReverseProxyResponseHeaders");
        ArrayList arrayList = new ArrayList();
        for (String str : multiAttr) {
            arrayList.add(str);
        }
        mConfVars.put("web.add.headers.default", new AddHeadersVar("web.add.headers.default", arrayList, "add_header directive for default web proxy"));
    }

    public static void updateDefaultVars() throws ServiceException, ProxyConfException {
        for (String str : mConfVars.keySet()) {
            mConfVars.get(str).update();
            mVars.put(str, mConfVars.get(str).confValue());
        }
    }

    public static void updateDefaultDomainVars() throws ServiceException, ProxyConfException {
        for (String str : mDomainConfVars.keySet()) {
            mDomainConfVars.get(str).update();
            mVars.put(str, mDomainConfVars.get(str).confValue());
        }
    }

    public static void overrideDefaultVars(CommandLine commandLine) {
        String[] optionValues = commandLine.getOptionValues('c');
        if (optionValues != null) {
            for (String str : optionValues) {
                mLog.debug("Processing config override " + str);
                int indexOf = str.indexOf(LdapConstants.FILTER_TYPE_EQUAL);
                if (indexOf <= 0) {
                    mLog.info("Ignoring config override " + str + " because it is not of the form name=value");
                } else {
                    String substring = str.substring(0, indexOf);
                    String substring2 = str.substring(indexOf + 1);
                    if (mVars.containsKey(substring)) {
                        mLog.info("Overriding config variable " + substring + " with " + substring2);
                        mVars.put(substring, substring2);
                    } else {
                        mLog.info("Ignoring non-existent config variable " + substring);
                    }
                }
            }
        }
    }

    public static boolean isWorkableConf() {
        boolean z = true;
        boolean booleanValue = ((Boolean) mConfVars.get("web.enabled").rawValue()).booleanValue();
        boolean booleanValue2 = ((Boolean) mConfVars.get("mail.enabled").rawValue()).booleanValue();
        ArrayList arrayList = (ArrayList) mConfVars.get("web.upstream.:servers").rawValue();
        ArrayList arrayList2 = (ArrayList) mConfVars.get("web.upstream.webclient.:servers").rawValue();
        ArrayList arrayList3 = (ArrayList) mConfVars.get("web.ssl.upstream.:servers").rawValue();
        ArrayList arrayList4 = (ArrayList) mConfVars.get("web.ssl.upstream.webclient.:servers").rawValue();
        ArrayList arrayList5 = (ArrayList) mConfVars.get("zmlookup.:handlers").rawValue();
        if (booleanValue && (arrayList.size() == 0 || arrayList2.size() == 0)) {
            mLog.info("Web is enabled but there are no HTTP upstream webclient/mailclient servers");
            z = false;
        }
        if (booleanValue && (arrayList3.size() == 0 || arrayList4.size() == 0)) {
            mLog.info("Web is enabled but there are no HTTPS upstream webclient/mailclient servers");
            z = false;
        }
        if ((booleanValue || booleanValue2) && arrayList5.size() == 0) {
            mLog.info("Proxy is enabled but there are no lookup handlers");
            z = false;
        }
        return z;
    }

    public static int createConf(String[] strArr) throws ServiceException, ProxyConfException {
        File file;
        String absolutePath;
        int i = 0;
        CommandLine parseArgs = parseArgs(strArr);
        if (parseArgs == null) {
            return 1;
        }
        if (parseArgs.hasOption('v')) {
            CliUtil.toolSetup("DEBUG");
        } else {
            CliUtil.toolSetup("INFO");
        }
        mProv = Provisioning.getInstance();
        ProxyConfVar.configSource = mProv.getConfig();
        ProxyConfVar.serverSource = mProv.getLocalServer();
        if (parseArgs.hasOption('h')) {
            usage(null);
            return 0;
        }
        if (parseArgs.hasOption('n')) {
            mDryRun = true;
        }
        if (parseArgs.hasOption('w')) {
            mWorkingDir = parseArgs.getOptionValue('w');
            mConfDir = mWorkingDir + "/conf";
            mTemplateDir = mWorkingDir + "/conf/nginx/templates";
            mConfIncludesDir = mConfDir + "/" + mIncDir;
        }
        if (parseArgs.hasOption('i')) {
            mIncDir = parseArgs.getOptionValue('i');
            mConfIncludesDir = mConfDir + "/" + mIncDir;
        }
        if (parseArgs.hasOption('t')) {
            mTemplateDir = parseArgs.getOptionValue('t');
        }
        mLog.debug("Working Directory: " + mWorkingDir);
        mLog.debug("Template Directory: " + mTemplateDir);
        mLog.debug("Config Includes Directory: " + mConfIncludesDir);
        if (parseArgs.hasOption('p')) {
            mConfPrefix = parseArgs.getOptionValue('p');
            mTemplatePrefix = mConfPrefix;
        }
        if (parseArgs.hasOption('P')) {
            mTemplatePrefix = parseArgs.getOptionValue('P');
        }
        mLog.debug("Config File Prefix: " + mConfPrefix);
        mLog.debug("Template File Prefix: " + mTemplatePrefix);
        mLog.debug("Building Default Variable Map");
        buildDefaultVars();
        if (parseArgs.hasOption('d')) {
            displayDefaultVariables();
            return 0;
        }
        if (parseArgs.hasOption('s')) {
            mHost = parseArgs.getOptionValue('s');
            mLog.info("Loading server object: " + mHost);
            try {
                mServer = getServer(mHost);
                ProxyConfVar.serverSource = mServer;
            } catch (ProxyConfException e) {
                mLog.error("Cannot load server object. Make sure the server specified with -s exists");
                return 1;
            }
        }
        mGenConfPerVhn = ProxyConfVar.serverSource.getBooleanAttr("zimbraReverseProxyGenConfigPerVirtualHostname", false);
        try {
            mLog.debug("Loading Attrs in Domain Level");
            mDomainReverseProxyAttrs = loadDomainReverseProxyAttrs();
            mLog.debug("Updating Default Variable Map");
            updateDefaultVars();
            mLog.debug("Processing Config Overrides");
            overrideDefaultVars(parseArgs);
            writeClientCAtoFile(loadAllClientCertCA());
        } catch (ServiceException e2) {
            handleException(e2);
            i = 1;
        } catch (ProxyConfException e3) {
            handleException(e3);
            i = 1;
        }
        if (i > 0) {
            mLog.info("Proxy configuration files generation is interrupted by errors");
            return i;
        }
        if (parseArgs.hasOption('D')) {
            displayVariables();
            return 0;
        }
        if (parseArgs.getArgs().length > 0) {
            usage(null);
            return 0;
        }
        if (!isWorkableConf()) {
            mLog.warn("Configuration is not valid because no route lookup handlers exist, or because no HTTP/HTTPS upstream servers were found");
            mLog.warn("Please ensure that the output of 'zmprov garpu/garpb' returns at least one entry");
        }
        int i2 = 0;
        try {
            file = new File(mConfDir, "");
            absolutePath = file.getAbsolutePath();
        } catch (ProxyConfException e4) {
            handleException(e4);
            i2 = 1;
        } catch (SecurityException e5) {
            handleException(e5);
            i2 = 1;
        }
        if (!file.canRead()) {
            throw new ProxyConfException("Cannot read configuration directory " + absolutePath);
        }
        if (!file.canWrite()) {
            throw new ProxyConfException("Cannot write to configuration directory " + absolutePath);
        }
        if (!file.exists()) {
            throw new ProxyConfException("Configuration directory " + file.getAbsolutePath() + " does not exist");
        }
        expandTemplate(new File(mTemplateDir, getCoreConfTemplate()), new File(mConfDir, getCoreConf()));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("main")), new File(mConfIncludesDir, getConfFileName("main")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("memcache")), new File(mConfIncludesDir, getConfFileName("memcache")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("zmlookup")), new File(mConfIncludesDir, getConfFileName("zmlookup")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("mail")), new File(mConfIncludesDir, getConfFileName("mail")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("mail.imap")), new File(mConfIncludesDir, getConfFileName("mail.imap")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("mail.imap.default")), new File(mConfIncludesDir, getConfFileName("mail.imap.default")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("mail.imaps")), new File(mConfIncludesDir, getConfFileName("mail.imaps")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("mail.imaps.default")), new File(mConfIncludesDir, getConfFileName("mail.imaps.default")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("mail.pop3")), new File(mConfIncludesDir, getConfFileName("mail.pop3")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("mail.pop3.default")), new File(mConfIncludesDir, getConfFileName("mail.pop3.default")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("mail.pop3s")), new File(mConfIncludesDir, getConfFileName("mail.pop3s")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("mail.pop3s.default")), new File(mConfIncludesDir, getConfFileName("mail.pop3s.default")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("web")), new File(mConfIncludesDir, getConfFileName("web")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("web.http")), new File(mConfIncludesDir, getConfFileName("web.http")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("web.http.default")), new File(mConfIncludesDir, getConfFileName("web.http.default")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("web.https")), new File(mConfIncludesDir, getConfFileName("web.https")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("web.https.default")), new File(mConfIncludesDir, getConfFileName("web.https.default")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("web.sso")), new File(mConfIncludesDir, getConfFileName("web.sso")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("web.sso.default")), new File(mConfIncludesDir, getConfFileName("web.sso.default")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("web.admin")), new File(mConfIncludesDir, getConfFileName("web.admin")));
        expandTemplate(new File(mTemplateDir, getConfTemplateFileName("web.admin.default")), new File(mConfIncludesDir, getConfFileName("web.admin.default")));
        expandTemplate(new File(mTemplateDir, getWebHttpModeConfTemplate(URLUtil.PROTO_HTTP)), new File(mConfIncludesDir, getWebHttpModeConf(URLUtil.PROTO_HTTP)));
        expandTemplate(new File(mTemplateDir, getWebHttpModeConfTemplate(URLUtil.PROTO_HTTPS)), new File(mConfIncludesDir, getWebHttpModeConf(URLUtil.PROTO_HTTPS)));
        expandTemplate(new File(mTemplateDir, getWebHttpModeConfTemplate("both")), new File(mConfIncludesDir, getWebHttpModeConf("both")));
        expandTemplate(new File(mTemplateDir, getWebHttpModeConfTemplate("redirect")), new File(mConfIncludesDir, getWebHttpModeConf("redirect")));
        expandTemplate(new File(mTemplateDir, getWebHttpModeConfTemplate("mixed")), new File(mConfIncludesDir, getWebHttpModeConf("mixed")));
        expandTemplate(new File(mTemplateDir, getWebHttpSModeConfTemplate(URLUtil.PROTO_HTTP)), new File(mConfIncludesDir, getWebHttpSModeConf(URLUtil.PROTO_HTTP)));
        expandTemplate(new File(mTemplateDir, getWebHttpSModeConfTemplate(URLUtil.PROTO_HTTPS)), new File(mConfIncludesDir, getWebHttpSModeConf(URLUtil.PROTO_HTTPS)));
        expandTemplate(new File(mTemplateDir, getWebHttpSModeConfTemplate("both")), new File(mConfIncludesDir, getWebHttpSModeConf("both")));
        expandTemplate(new File(mTemplateDir, getWebHttpSModeConfTemplate("redirect")), new File(mConfIncludesDir, getWebHttpSModeConf("redirect")));
        expandTemplate(new File(mTemplateDir, getWebHttpSModeConfTemplate("mixed")), new File(mConfIncludesDir, getWebHttpSModeConf("mixed")));
        if (!mDryRun) {
            if (i2 == 0) {
                mLog.info("Proxy configuration files are generated successfully");
                appendConfGenResultToConf("__SUCCESS__");
            } else {
                mLog.info("Proxy configuration files generation is interrupted by errors");
            }
        }
        return i2;
    }

    private static void handleException(Exception exc) {
        mLog.error("Error while expanding templates: " + exc.getMessage());
        appendConfGenResultToConf("__CONF_GEN_ERROR__:" + exc.getMessage());
    }

    private static void appendConfGenResultToConf(String str) {
        File file = new File(mConfDir, getCoreConf());
        if (file.exists()) {
            try {
                FileWriter fileWriter = new FileWriter(file, true);
                fileWriter.write("\n#" + str + "\n");
                fileWriter.close();
            } catch (IOException e) {
            }
        }
    }

    private static void writeClientCAtoFile(String str) throws ServiceException {
        ProxyConfVar proxyConfVar;
        if (ProxyConfUtil.isEmptyString(str)) {
            proxyConfVar = new ProxyConfVar("ssl.clientcertca.enabled", null, false, ProxyConfValueType.ENABLER, ProxyConfOverride.CUSTOM, "is there valid client ca cert");
            if (isClientCertVerifyEnabled() || isDomainClientCertVerifyEnabled()) {
                mLog.error("Client certificate verification is enabled but no client cert ca is provided");
                System.exit(1);
            }
        } else {
            proxyConfVar = new ProxyConfVar("ssl.clientcertca.enabled", null, true, ProxyConfValueType.ENABLER, ProxyConfOverride.CUSTOM, "is there valid client ca cert");
            mLog.debug("Write Client CA file");
            ProxyConfUtil.writeContentToFile(str, getDefaultClientCertCaPath());
        }
        mConfVars.put("ssl.clientcertca.enabled", proxyConfVar);
        try {
            mVars.put("ssl.clientcertca.enabled", proxyConfVar.confValue());
        } catch (ProxyConfException e) {
            mLog.error("ProxyConfException during format ssl.clientcertca.enabled", e);
            System.exit(1);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isClientCertVerifyEnabled() {
        String attr = ProxyConfVar.serverSource.getAttr("zimbraReverseProxyClientCertMode", "off");
        return attr.equals("on") || attr.equals("optional");
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isDomainClientCertVerifyEnabled() {
        for (DomainAttrItem domainAttrItem : mDomainReverseProxyAttrs) {
            if (domainAttrItem.clientCertMode != null && (domainAttrItem.clientCertMode.equals("on") || domainAttrItem.clientCertMode.equals("optional"))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] strArr) throws ServiceException, ProxyConfException {
        System.exit(createConf(strArr));
    }

    static {
        mOptions.addOption("h", "help", false, "show this usage text");
        mOptions.addOption("v", "verbose", false, "be verbose");
        mOptions.addOption("w", "workdir", true, "Proxy Working Directory (defaults to /opt/zimbra)");
        mOptions.addOption("t", "templatedir", true, "Proxy Template Directory (defaults to $workdir/conf/nginx/templates)");
        mOptions.addOption("n", "dry-run", false, "Do not write any configuration, just show which files would be written");
        mOptions.addOption(Metadata.FN_DRAFT, "defaults", false, "Print default variable map");
        mOptions.addOption("D", "definitions", false, "Print variable map Definitions after loading LDAP configuration (and processing overrides). -D requires -s upstream server. If \"-s upstream server\" is not specified, it just dumps the default varaible map");
        mOptions.addOption(Metadata.FN_PREFIX, "prefix", true, "Config File prefix (defaults to nginx.conf)");
        mOptions.addOption("P", "template-prefix", true, "Template File prefix (defaults to $prefix)");
        mOptions.addOption(LuceneViewer.CLI.O_INPUT, "include-dir", true, "Directory Path (relative to $workdir/conf), where included configuration files will be written. Defaults to nginx/includes");
        mOptions.addOption("s", "server", true, "If provided, this should be the name of a valid server object. Configuration will be generated based on server attributes. Otherwise, if not provided, Configuration will be generated based on Global configuration values");
        Option option = new Option(Metadata.FN_COLOR, "config", true, "Override a config variable. Argument format must be name=value. For list of names, run with -d or -D");
        option.setArgs(-2);
        mOptions.addOption(option);
    }
}
