geo $rfc6890 {
    # Private / special-purpose IPv4 source ranges (RFC 1918 private space,
    # RFC 6598 shared address space, loopback). Value 1 marks a match.
    # geo evaluates $remote_addr unless told otherwise, i.e. the direct peer.
    default        0;
    10.0.0.0/8     1;
    100.64.0.0/10  1;
    127.0.0.0/8    1;
    172.16.0.0/12  1;
    192.168.0.0/16 1;
}
geo $allowed_ips {
    # Explicit per-address allow-list; 1 = allowed, everything else 0.
    # NOTE(review): 1.1.1.1/32 looks like a placeholder entry — confirm the
    # intended addresses before deploying.
    default    0;
    1.1.1.1/32 1;
}
server {
    # Plain-HTTP vhost: serves no content, only redirects every request to
    # the TLS vhost for the same domain.
    listen *:80;
    server_tokens off;
    server_name ${DOMAIN};

    location / {
        return 301 https://${DOMAIN}:443$request_uri;
    }
}
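server {
    # TLS vhost for ${DOMAIN}. Access requires a client certificate signed by
    # ca.crt, except for requests arriving from the $rfc6890 ranges or the
    # $allowed_ips allow-list.
    listen *:443 ssl http2;
    server_name ${DOMAIN};
    server_tokens off;

    ssl_certificate /etc/${APPLICATION}/ssl/${DOMAIN}.crt;
    ssl_certificate_key /etc/${APPLICATION}/ssl/${DOMAIN}.key;

    # Client-certificate (mTLS) gate. Verification is "optional" at the TLS
    # layer so the handshake completes for everyone; the access decision is
    # made below from $ssl_client_verify plus the two geo lists.
    ssl_client_certificate /etc/${APPLICATION}/ssl/ca.crt;
    ssl_verify_client optional;
    ssl_verify_depth 2;

    # Initialise $fail explicitly so the comparison further down never reads
    # an uninitialized variable (nginx logs a warning for that); the result
    # is unchanged because an unset variable never equals 1 either.
    set $fail 0;
    if ($ssl_client_verify != SUCCESS) {
        set $fail 1;
    }
    # The geo lists override a missing/invalid client certificate. geo
    # matches on $remote_addr, so if a proxy or load balancer sits in front
    # of this server all clients would appear to come from its address —
    # TODO confirm the topology; if so, configure geo's "proxy" directive
    # or the realip module so the real client address is evaluated.
    if ($rfc6890)     { set $fail 0; }
    if ($allowed_ips) { set $fail 0; }
    if ($fail = 1)    { return 403; }

    # ${APPLICATION} needs backwards compatible ciphers to retain compatibility with Java IDEs
    # With OpenSSL this list governs TLS 1.2 only; TLS 1.3 suites are not
    # selected via ssl_ciphers. The non-ECDHE entries at the tail provide no
    # forward secrecy and exist solely for that compatibility requirement.
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4';
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_session_timeout 5m;

    # The second, hard-coded ssl_certificate/ssl_certificate_key pair under
    # /etc/gitlab/ssl that used to follow here was dropped: the templated
    # /etc/${APPLICATION}/ssl pair above already supplies the server
    # certificate, and a hard-coded path silently diverges from
    # ${APPLICATION} when the template is used for anything else.
}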