Created
January 31, 2019 12:03
# Derive the Connection header sent upstream from the client's Upgrade header:
# no Upgrade header ('') means an ordinary request, so the upstream connection
# is closed; any other value is passed on as a protocol upgrade (websocket).
map $http_upgrade $connection_upgrade {
    ''      close;
    default upgrade;
}
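# Frontend TLS server: terminates HTTPS and proxies to local backends over plain HTTP.
server {
    # The "ssl" listen parameter replaces the separate "ssl on;" directive,
    # which nginx deprecated in 1.15.0.
    listen 443 ssl;
    server_name xxx;

    ssl_certificate /etc/sslmate/*.xxx.chained.crt;
    ssl_certificate_key /etc/sslmate/*.xxx.key;
    ssl_session_timeout 5m;

    # SSLv3 is removed (POODLE, RFC 7568) and so are TLSv1/TLSv1.1 (RFC 8996).
    # Clients that cannot negotiate TLS 1.2 will no longer connect.
    # Add TLSv1.3 once the installed nginx and OpenSSL builds support it.
    ssl_protocols TLSv1.2;

    # The previous value contained the literal word "or" between two cipher
    # strings (it reads like two documentation alternatives pasted as one).
    # Only the stricter alternative, which also excludes 3DES, is kept.
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

    include proxy_params;

    # Regex locations are tried in the order written, so this one must stay
    # ahead of the content location below.
    # Requirements are never encrypted and go straight to Varnish
    # ("encrypted" here means the response encryption done by the service on
    # port 3002, not TLS).
    location ~ ^/[a-zA-Z0-9]+/requirements/.* {
        proxy_pass http://127.0.0.1:6081;
    }

    # Content requests for html, json and hbs in real content get passed through
    # the encryption server which itself loads from Varnish and then encrypts
    # the response.
    # NOTE(review): the "." before the extension group is unescaped, so it
    # matches any character; the match is also case-sensitive. This regex is
    # the only thing routing content through the encryption server, so confirm
    # that no path which misses it can serve the same content from Varnish.
    location ~ ^/[a-zA-Z0-9]+/.*.(html|json|hbs)$ {
        proxy_pass http://127.0.0.1:3002;
    }

    # All other requests go straight to Varnish. This supports websocket upgrade.
    location / {
        proxy_pass http://127.0.0.1:6081;
        proxy_http_version 1.1;
        # NOTE(review): nginx inherits proxy_set_header from the server level
        # only when a location defines none of its own. If proxy_params sets
        # headers such as Host or X-Forwarded-For (its contents are not shown
        # here), they are not applied in this location; verify what Varnish
        # receives and logs as the client address.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}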