# Si la requête vient d'une origine ou d'un referer assurtech.org, facebook.com, api.wave.com ou api.orange.com, on la bypass
map $http_origin $auth_bypass_origin {
    default 0;
    "~*dev\.assurtech\.org" 1;
    "~*assurtech\.org" 1;
    "~*graph\.facebook\.com" 1;
    "~*facebook\.com" 1;
    "~*api\.wave\.com" 1;
    "~*api\.orange\.sn" 1;
}

map $http_referer $auth_bypass_referer {
    default 0;
    "~*dev\.assurtech\.org" 1;
    "~*assurtech\.org" 1;
    "~*graph\.facebook\.com" 1;
    "~*facebook\.com" 1;
    "~*api\.wave\.com" 1;
    "~*api\.orange\.sn" 1;
}

# Si la requête vient de l’IP 145.239.2.117, on ignore le bypass
map $remote_addr $is_special_ip {
    default 0;
    145.239.2.117 1;
}

# Logique combinée
map "$auth_bypass_origin$auth_bypass_referer$is_special_ip" $auth_basic_value {
    default "Restricted";
    "110" off;
    "100" off;
    "010" off;
    "000" "Restricted";
    # si IP spéciale → on ne bypass JAMAIS
    "111" "Restricted";
    "101" "Restricted";
    "011" "Restricted";
    "001" "Restricted";
}