# Message sequence chart (mscgen) of a two-stage login flow placed in front of
# a protected location by nginx.
# Only the success path is drawn: no wrong-password, wrong-code, lockout or
# rate-limit branches appear in this chart.
msc {
  hscale = 1, width = "700";

  # Entities: the browser, the nginx front end, and three locations behind it:
  # /check (authorisation decision), /auth (login handler), / (protected content).
  c [ label="client" ],
  n [ label="nginx" ],
  k [ label="/check" ],
  a [ label="/auth" ],
  d [ label="/" ];

  # Phase 1: no valid cookie. /check answers 403 and nginx maps that through
  # error_page to /auth. Despite the divider wording, the client receives
  # 200 OK with the stage-1 page rather than a 3xx redirect.
  --- [ label="unknown user, redirect to login page" ];
  c -> n [ label="GET / HTTP/1.1" ];
  n -> k [ label="GET / HTTP/1.1" ];
  n <- k [ label="403 Forbidden" ];
  n -> n [ label="error_page /auth" ];
  n -> a [ label="GET /auth" ];
  n <- a [ label="200 OK (pages/stage1)"];
  c <- n [ label="200 OK (pages/stage1)"];

  # Phase 2: first factor. The credentials travel in the POST body and are
  # relayed unchanged to /auth.
  # NOTE(review): the chart does not show transport security; presumably the
  # client-to-nginx hop is TLS, confirm.
  # NOTE(review): the stage-1 response carries no visible state (cookie or
  # token) recording that the password step succeeded.
  --- [ label="send auth data, stage 1 (user+pass)" ];
  c -> n [ label="POST /auth (user+pass)" ];
  n -> a [ label="POST /auth (user+pass)" ];
  n <- a [ label="200 OK (pages/stage2)" ];
  c <- n [ label="200 OK (pages/stage2)" ];

  # Phase 3: second factor. The client sends the user name again together with
  # the code.
  # NOTE(review): confirm /auth accepts a code only for a user whose password
  # step just succeeded (server-side or signed, short-lived state). If stage 2
  # is evaluated on its own, the password factor adds nothing.
  # NOTE(review): the cookie label shows only the user name inside the signed
  # value, with no expiry, issue time or session id. Confirm the real cookie
  # carries an expiry that /check enforces, since a signed value without one
  # stays valid until the key changes. Cookie attributes (Secure, HttpOnly,
  # SameSite) are not shown either.
  --- [ label="send auth data, stage 2 (user+code)" ];
  c -> n [ label="POST /auth (user+code)" ];
  n -> a [ label="POST /auth (user+code)" ];
  n <- a [ label="302 / +Set-Cookie: hmac(base64({user=$user}))" ];
  c <- n [ label="302 / +Set-Cookie: hmac(base64({user=$user}))" ];

  # Phase 4: cookie present. nginx consults /check before every proxied
  # request and forwards to / only after /check answers 200.
  # The cookie itself is not drawn on these arrows; presumably it accompanies
  # the GET and is what /check validates.
  --- [ label="authorized user" ];
  c -> n [ label="GET / HTTP/1.1" ];
  n -> k [ label="GET / HTTP/1.1" ];
  n <- k [ label="200 OK" ];
  n -> d [ label="GET / HTTP/1.1" ];
  n <- d [ label="200 OK" ];
  c <- n [ label="200 OK" ];
}