authorhc <hc@email.ch>2024-11-20 12:51:33 +0800
committerhc <hc@email.ch>2024-11-20 12:51:33 +0800
commit853b82126baa1e8e408a10f91053c52626ffad29 (patch)
tree2fc1de9695810681ba654aab3c2a4867aacc1ac7 /config_files/nginx.conf
parentb1f88b682624e85b4b743343dfaaeed113b69413 (diff)
working
Diffstat (limited to 'config_files/nginx.conf')
-rw-r--r--config_files/nginx.conf88
1 files changed, 88 insertions, 0 deletions
diff --git a/config_files/nginx.conf b/config_files/nginx.conf
new file mode 100644
index 0000000..0f292af
--- /dev/null
+++ b/config_files/nginx.conf
@@ -0,0 +1,88 @@
+user nginx;
+worker_processes auto;
+
+error_log /var/log/nginx/error.log notice;
+pid /var/run/nginx.pid;
+
+events {
+ worker_connections 1024;
+}
+
+ssl_engine pkcs11;
+
+http {
+ types_hash_max_size 4096;
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+
+ sendfile on;
+ keepalive_timeout 65;
+
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+ ssl_prefer_server_ciphers off;
+
+ # Server block for non-SSL routes
+ server {
+ listen 80;
+ server_name localhost;
+
+ # Allow specific routes without SSL
+ location = / {
+ proxy_pass http://localhost:5000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+
+ location = /c {
+ proxy_pass http://localhost:5000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+
+ location ~ ^/v/ {
+ proxy_pass http://localhost:5000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ }
+
+ # Redirect all other routes to HTTPS
+ location / {
+ return 301 https://$host$request_uri;
+ }
+ }
+
+ # Server block for SSL routes
+ server {
+ listen 443 ssl;
+ server_name localhost;
+
+# ssl_certificate /etc/nginx/certs/server.crt;
+# ssl_certificate_key /etc/nginx/certs/server.key;
+# ssl_client_certificate /etc/nginx/certs/ca.pem;
+# ssl_verify_client on;
+
+ ssl_certificate /etc/nginx/certs/hsm_server.crt;
+ ssl_certificate_key "engine:pkcs11:pkcs11:serial=DENK0104964;object=serverkey;type=private";
+ ssl_client_certificate /etc/nginx/certs/hsm_chain.crt;
+ ssl_verify_client on;
+ # Add these debugging settings temporarily
+ ssl_protocols TLSv1.2 TLSv1.3;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 10m;
+ ssl_verify_depth 3;
+ ssl_prefer_server_ciphers on;
+
+ # Add error logging for SSL
+ error_log /var/log/nginx/error.log debug;
+
+ location / {
+ proxy_pass http://localhost:5000;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+ }
+}
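Review bot: The upstream on :5000 cannot tell a request that passed `ssl_verify_client on` (line 90, proxied at lines 101-107) from one that came in through the plaintext locations at lines 53-69, because the 443 location forwards nothing about the client certificate and nginx passes client-supplied headers such as X-Forwarded-Proto through to the upstream by default, so a caller on port 80 can present itself as an mTLS-verified request. Forward the verification result explicitly with `proxy_set_header X-Client-Verify $ssl_client_verify;` in the 443 location and override it to an empty value (and pin X-Forwarded-Proto) in every port-80 location so neither can be spoofed. Separately, the `error_log /var/log/nginx/error.log debug;` at line 99, which the comment at line 91 calls temporary, will log every handshake at debug level once this lands; presumably drop it or restore the global `notice` before merging. The 443 block also sets `ssl_prefer_server_ciphers on` while inheriting the http-level cipher list whose companion setting at line 45 is `off`; pick one. The commented-out certificate lines at 82-85 are dead configuration and can go.
```nginx
    location = / {
        proxy_pass http://localhost:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Client-Verify "";
    }
    # … unchanged: /c and ~ ^/v/ locations, each with the same two headers added …
    # … unchanged: 301 redirect, 443 listen/certificate/session settings …
    location / {
        proxy_pass http://localhost:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Client-Verify $ssl_client_verify;
    }
```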