wryfi · February 3, 2016 20:03
diff --git a/gistfile1.txt b/gistfile1.txt
 #
 # this file is managed by salt - manual changes will be overwritten
 #
 upstream elasticsearch {
  server 127.0.0.1:9200;
  keepalive 64;
 }

 # 8433 is wide open for logstash
 server {
    listen 8443 ssl default_server;

    ssl_certificate /etc/nginx/ssl/soma-wildcard.crt;
    ssl_certificate_key /etc/nginx/ssl/soma-wildcard.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://elasticsearch;
        proxy_http_version 1.1;
        proxy_set_header Connection "Keep-Alive";
        proxy_set_header Proxy-Connection "Keep-Alive";
        auth_basic "elasticsearch";
        auth_basic_user_file /etc/nginx/htpasswd-es-logstash;
    }
 }

 # everyone else will connect on 443 with limited access
 server {
    listen 443 ssl default_server;

    ssl_certificate /etc/nginx/ssl/soma-wildcard.crt;
    ssl_certificate_key /etc/nginx/ssl/soma-wildcard.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://elasticsearch;
        proxy_http_version 1.1;
        proxy_set_header Connection "Keep-Alive";
        proxy_set_header Proxy-Connection "Keep-Alive";
        limit_except GET {
            deny all;
        }
    }

    location ~* ^(.*/_search|.*/_analyze) {
        auth_basic "elasticsearch";
        auth_basic_user_file /etc/nginx/htpasswd-es-plos;
        proxy_pass http://elasticsearch;
        proxy_http_version 1.1;
        proxy_set_header Connection "Keep-Alive";
        proxy_set_header Proxy-Connection "Keep-Alive";
    }
 }
	#
	# this file is managed by salt - manual changes will be overwritten
	#
	upstream elasticsearch {
	server 127.0.0.1:9200;
	keepalive 64;
	}

	# 8433 is wide open for logstash
	server {
	listen 8443 ssl default_server;

	ssl_certificate /etc/nginx/ssl/soma-wildcard.crt;
	ssl_certificate_key /etc/nginx/ssl/soma-wildcard.key;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;

	# modern configuration. tweak to your needs.
	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	ssl_prefer_server_ciphers on;

	location / {
	proxy_pass http://elasticsearch;
	proxy_http_version 1.1;
	proxy_set_header Connection "Keep-Alive";
	proxy_set_header Proxy-Connection "Keep-Alive";
	auth_basic "elasticsearch";
	auth_basic_user_file /etc/nginx/htpasswd-es-logstash;
	}
	}

	# everyone else will connect on 443 with limited access
	server {
	listen 443 ssl default_server;

	ssl_certificate /etc/nginx/ssl/soma-wildcard.crt;
	ssl_certificate_key /etc/nginx/ssl/soma-wildcard.key;
	ssl_session_timeout 1d;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;

	# modern configuration. tweak to your needs.
	ssl_protocols TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
	ssl_prefer_server_ciphers on;

	location / {
	proxy_pass http://elasticsearch;
	proxy_http_version 1.1;
	proxy_set_header Connection "Keep-Alive";
	proxy_set_header Proxy-Connection "Keep-Alive";
	limit_except GET {
	deny all;
	}
	}

	location ~* ^(./_search\|./_analyze) {
	auth_basic "elasticsearch";
	auth_basic_user_file /etc/nginx/htpasswd-es-plos;
	proxy_pass http://elasticsearch;
	proxy_http_version 1.1;
	proxy_set_header Connection "Keep-Alive";
	proxy_set_header Proxy-Connection "Keep-Alive";
	}
	}