{% if access_list_id > 0 %}
    set $auth_basic "Authorization required";
    {% if access_list.satisfy_any == 1 %}
    # Satisfy Any - any check can succeed - so look for success
    if ( $access_list_{{ access_list_id }} = 1) {
    set $auth_basic off;
    }
    if ( $ssl_client_verify = "SUCCESS" ) {
    set $auth_basic off;
    }
    {% else %}
    # Satisfy All - all checks must succeed (so handle fails)
    if ( $access_list_{{ access_list_id }} = 0) {
        return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
    }
    if ( $ssl_client_verify != "SUCCESS" ) {
        return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
    }
    {% endif %}

    {% if access_list.items.length > 0 %}
    # Basic Auth is enabled
    # Authorization
    auth_basic            $auth_basic;
    auth_basic_user_file  /data/access/{{ access_list_id }};
        {% if access_list.pass_auth == 0 %}
    proxy_set_header Authorization "";
        {% endif %}
    {% else %}
        {% if access_list.satisfy_any == 1 %}
    # Satisfy Any without Basic Auth
    if ( $auth_basic != "off" ) {
        return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
    }
        {% endif %}
    {% endif %}
{% endif %}