working

author: hc <hc@email.ch> 2024-11-20 12:51:33 +0800
committer: hc <hc@email.ch> 2024-11-20 12:51:33 +0800
commit: 853b82126baa1e8e408a10f91053c52626ffad29 (patch)
tree: 2fc1de9695810681ba654aab3c2a4867aacc1ac7 /config_files/nginx.conf
parent: b1f88b682624e85b4b743343dfaaeed113b69413 (diff)
1 files changed, 88 insertions, 0 deletions
diff --git a/config_files/nginx.conf b/config_files/nginx.conf
new file mode 100644
index 0000000..0f292af
--- /dev/null
+++ b/config_files/nginx.conf
@@ -0,0 +1,88 @@
+user  nginx;
+worker_processes  auto;
+error_log  /var/log/nginx/error.log notice;
+pid        /var/run/nginx.pid;
+events {
+    worker_connections  1024;
+}
+ssl_engine pkcs11;
+http {
+    types_hash_max_size 4096;
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+    sendfile        on;
+    keepalive_timeout  65;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+    ssl_prefer_server_ciphers off;
+    # Server block for non-SSL routes
+    server {
+        listen 80;
+        server_name localhost;
+        # Allow specific routes without SSL
+        location = / {
+            proxy_pass http://localhost:5000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+        }
+        location = /c {
+            proxy_pass http://localhost:5000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+        }
+        location ~ ^/v/ {
+            proxy_pass http://localhost:5000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+        }
+        # Redirect all other routes to HTTPS
+        location / {
+            return 301 https://$host$request_uri;
+        }
+    }
+    # Server block for SSL routes
+    server {
+        listen 443 ssl;
+        server_name localhost;
+#        ssl_certificate /etc/nginx/certs/server.crt;
+#        ssl_certificate_key /etc/nginx/certs/server.key;
+#        ssl_client_certificate /etc/nginx/certs/ca.pem;
+#        ssl_verify_client on;
+        ssl_certificate /etc/nginx/certs/hsm_server.crt;
+        ssl_certificate_key "engine:pkcs11:pkcs11:serial=DENK0104964;object=serverkey;type=private";
+        ssl_client_certificate /etc/nginx/certs/hsm_chain.crt;
+        ssl_verify_client on;
+        # Add these debugging settings temporarily
+        ssl_protocols TLSv1.2 TLSv1.3;
+        ssl_session_cache shared:SSL:10m;
+        ssl_session_timeout 10m;
+        ssl_verify_depth 3;
+        ssl_prefer_server_ciphers on;
+        # Add error logging for SSL
+        error_log /var/log/nginx/error.log debug;
+        location / {
+            proxy_pass http://localhost:5000;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+        }
+    }
+}
author	hc <hc@email.ch>	2024-11-20 12:51:33 +0800
committer	hc <hc@email.ch>	2024-11-20 12:51:33 +0800
commit	853b82126baa1e8e408a10f91053c52626ffad29 (patch)
tree	2fc1de9695810681ba654aab3c2a4867aacc1ac7 /config_files/nginx.conf
parent	b1f88b682624e85b4b743343dfaaeed113b69413 (diff)

diff --git a/config_files/nginx.conf b/config_files/nginx.conf new file mode 100644 index 0000000..0f292af --- /dev/null +++ b/config_files/nginx.conf
@@ -0,0 +1,88 @@
	1	user nginx;
	2	worker_processes auto;
	3
	4	error_log /var/log/nginx/error.log notice;
	5	pid /var/run/nginx.pid;
	6
	7	events {
	8	worker_connections 1024;
	9	}
	10
	11	ssl_engine pkcs11;
	12
	13	http {
	14	types_hash_max_size 4096;
	15	include /etc/nginx/mime.types;
	16	default_type application/octet-stream;
	17
	18
	19	sendfile on;
	20	keepalive_timeout 65;
	21
	22	ssl_protocols TLSv1.2 TLSv1.3;
	23	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
	24	ssl_prefer_server_ciphers off;
	25
	26	# Server block for non-SSL routes
	27	server {
	28	listen 80;
	29	server_name localhost;
	30
	31	# Allow specific routes without SSL
	32	location = / {
	33	proxy_pass http://localhost:5000;
	34	proxy_set_header Host $host;
	35	proxy_set_header X-Real-IP $remote_addr;
	36	}
	37
	38	location = /c {
	39	proxy_pass http://localhost:5000;
	40	proxy_set_header Host $host;
	41	proxy_set_header X-Real-IP $remote_addr;
	42	}
	43
	44	location ~ ^/v/ {
	45	proxy_pass http://localhost:5000;
	46	proxy_set_header Host $host;
	47	proxy_set_header X-Real-IP $remote_addr;
	48	}
	49
	50	# Redirect all other routes to HTTPS
	51	location / {
	52	return 301 https://$host$request_uri;
	53	}
	54	}
	55
	56	# Server block for SSL routes
	57	server {
	58	listen 443 ssl;
	59	server_name localhost;
	60
	61	# ssl_certificate /etc/nginx/certs/server.crt;
	62	# ssl_certificate_key /etc/nginx/certs/server.key;
	63	# ssl_client_certificate /etc/nginx/certs/ca.pem;
	64	# ssl_verify_client on;
	65
	66	ssl_certificate /etc/nginx/certs/hsm_server.crt;
	67	ssl_certificate_key "engine:pkcs11:pkcs11:serial=DENK0104964;object=serverkey;type=private";
	68	ssl_client_certificate /etc/nginx/certs/hsm_chain.crt;
	69	ssl_verify_client on;
	70	# Add these debugging settings temporarily
	71	ssl_protocols TLSv1.2 TLSv1.3;
	72	ssl_session_cache shared:SSL:10m;
	73	ssl_session_timeout 10m;
	74	ssl_verify_depth 3;
	75	ssl_prefer_server_ciphers on;
	76
	77	# Add error logging for SSL
	78	error_log /var/log/nginx/error.log debug;
	79
	80	location / {
	81	proxy_pass http://localhost:5000;
	82	proxy_set_header Host $host;
	83	proxy_set_header X-Real-IP $remote_addr;
	84	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	85	proxy_set_header X-Forwarded-Proto $scheme;
	86	}
	87	}
	88	}