@binary1230
Created September 10, 2015 19:31
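server {
    # "ssl" on the listen directive enables TLS; the separate "ssl on;"
    # directive is obsolete and has been dropped.
    listen *:443 ssl;
    server_name example.org;

    ssl_certificate     /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 5m;
    # SSLv3, TLSv1 and TLSv1.1 are broken or deprecated and are not offered.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    index index.html index.htm index.php;
    access_log /var/log/nginx/server.access.log;
    error_log  /var/log/nginx/server.error.log;

    # CA that signs the client certificates. "optional" asks for a certificate
    # but does not require one, so browsers without a certificate can still
    # complete the handshake and reach "/".
    ssl_client_certificate /etc/nginx/client-ca.crt;
    ssl_verify_client optional;

    location / {
        root /var/www/;
    }

    location /jsonrpc/ {
        # $ssl_client_verify is NONE when no certificate was sent; only a
        # certificate that chains to client-ca.crt yields SUCCESS.
        if ($ssl_client_verify != "SUCCESS") { return 403; }
        proxy_pass http://localhost:8282/jsonrpc-api/;
        proxy_read_timeout 90;
        proxy_redirect http://localhost/ $scheme://$host:$server_port/;
    }

    location /uber/ {
        # No client-certificate check here: any HTTPS client reaches the backend.
        proxy_pass http://localhost:8282/backend/;
        proxy_read_timeout 90;
        proxy_redirect http://localhost/ $scheme://$host:$server_port/;
    }
}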
@binary1230
Author

goals:

  1. allow normal SSL browsing on port 443 via web browsers
  2. allow client-certificate authentication for the URL /jsonrpc, denying anyone who doesn't have the correct cert
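
A smoke test for the two goals above, added here as an example and not part of the gist: it checks with curl that `/` answers without a client certificate, that `/jsonrpc/` returns 403 without one, and that the 403 guard is passed with one. The base URL, the certificate file paths and the function names are assumptions supplied by whoever runs it.

```shell
#!/bin/sh
# Added example, not part of the gist. The base URL, certificate file paths
# and function names are assumptions supplied by whoever runs the check.

# Print only the HTTP status code for URL ($1); remaining args go to curl.
# curl prints 000 when the TLS handshake or the connection fails.
http_status() {
    url=$1; shift
    curl --silent --output /dev/null --write-out '%{http_code}' \
         --max-time 10 "$@" "$url" || true
}

# Print one result line; set rc=1 when the expectation did not hold.
report() {  # $1 = ok|FAIL, $2 = description, $3 = status code
    echo "$1 $2 -> $3"
    if [ "$1" = FAIL ]; then rc=1; fi
}

# check_client_cert_policy BASE_URL CA_FILE CLIENT_CERT CLIENT_KEY
# Returns 0 when both goals hold, 1 otherwise.
check_client_cert_policy() {
    base=$1; ca=$2; cert=$3; key=$4; rc=0

    # Goal 1: plain HTTPS browsing works without a client certificate.
    code=$(http_status "$base/" --cacert "$ca")
    case $code in
        2??|3??) report ok "/ without client cert" "$code" ;;
        *)       report FAIL "/ without client cert" "$code" ;;
    esac

    # Goal 2: /jsonrpc/ without a certificate is stopped by the 403 guard.
    code=$(http_status "$base/jsonrpc/" --cacert "$ca")
    if [ "$code" = 403 ]; then report ok "/jsonrpc/ without client cert" "$code"
    else report FAIL "/jsonrpc/ without client cert" "$code"; fi

    # Goal 2: with a certificate signed by the client CA the guard lets the
    # request through; whatever the backend answers, it is not the guard's 403.
    code=$(http_status "$base/jsonrpc/" --cacert "$ca" --cert "$cert" --key "$key")
    case $code in
        403|000) report FAIL "/jsonrpc/ with client cert" "$code" ;;
        *)       report ok "/jsonrpc/ with client cert" "$code" ;;
    esac
    return "$rc"
}

# Run only when called with the four arguments.
if [ "$#" -eq 4 ]; then check_client_cert_policy "$@"; fi
```

Run it after every change to the `server` block; a FAIL on the second line means `/jsonrpc/` is reachable without a client certificate.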
