There is no warranty or liability; these are my own setup notes!
Install Ubuntu ${LATEST} LTS, update/upgrade all packages, and don't install the normal NGINX.
Install legacy-nginx following instructions at https://github.com/rem-verse/legacy-nginx .
Create a DS certificate using https://github.com/KaeruTeam/nds-constraint - ensure you concatenate nwc.crt onto your server certificate (the file you give to ssl_certificate), as NGINX, unlike Apache, has no separate chain-file directive. (Also, maybe a Wii certificate using https://github.com/shutterbug2000/wii-ssl-bug - TODO ask Shutter if self-signed is OK.)
Copy the NGINX config below to /usr/local/nginx/conf/nginx.conf:
# The stream {} context used for TLS-version routing comes from this dynamic
# module, so it has to be loaded before that context is parsed.
load_module /usr/local/nginx/modules/ngx_stream_module.so;

events {
    # 768 was copied from another config and has not been tuned.
    # The limit counts every connection a worker holds, upstream sides included.
    # A console that arrives on 443 is relayed by the stream block and then
    # proxied again by an HTTP vhost in this same nginx, so one client uses
    # several slots. Size the value with that in mind.
    worker_connections 768;
}
stream {
    # Nothing is decrypted in this context: ssl_preread only reads the
    # ClientHello, and TLS is terminated by whichever backend is selected.

    # Everything the map below does not name, i.e. TLSv1.1 and newer plus
    # traffic that is not TLS at all. Whether TLS 1.3 works depends on the
    # server listening on 8443; OpenSSL 1.0.2 itself has no TLS 1.3 support
    # (it arrived in OpenSSL 1.1.1). A normal website could live here.
    upstream https_default_backend {
        server 127.0.0.1:8443;
    }

    # Clients whose best offer is SSLv3 (the DS).
    upstream ds_backend {
        server 127.0.0.1:8003;
    }

    # Clients whose best offer is TLSv1 (the Wii).
    upstream wii_backend {
        server 127.0.0.1:8010;
    }

    # $ssl_preread_protocol is the highest version the client advertises.
    # Any host on the internet can advertise SSLv3 or TLSv1, so this is
    # routing, not access control: treat both legacy listeners as exposed.
    map $ssl_preread_protocol $upstream {
        "SSLv3" ds_backend;
        "TLSv1" wii_backend;
        # NB: TLSv1.1 also ends up here - which I hope your website isn't using!
        default https_default_backend;
    }

    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;
        proxy_pass $upstream;
        # Prepends a PROXY protocol header carrying the client IP/port, see
        # https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
        # It is sent to all three upstreams, so each listener has to expect it.
        # NOTE(review): the 8443 listener is not shown in these notes - confirm
        # it is declared with proxy_protocol and bound to loopback only.
        proxy_protocol on;
    }
}
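http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    keepalive_requests 256;
    types_hash_max_size 2048;

    include /usr/local/nginx/conf/mime.types;
    default_type application/octet-stream;

    gzip on;

    # Inherited by every vhost that does not set it. With this on, a client
    # can send names such as X_Forwarded_For. A backend that folds "-" and
    # "_" together (CGI/WSGI-style) may confuse that with the X-Forwarded-For
    # header nginx sets, so backends should not trust the underscore form.
    underscores_in_headers on;

    # TLS defaults for any vhost that does not override them. These used to
    # enable SSLv2/SSLv3/TLSv1 with "ALL:!aNULL:", so a new site dropped into
    # sites-enabled silently inherited broken protocols and weak ciphers.
    # The DS and Wii listeners set their own ssl_protocols and ssl_ciphers,
    # so legacy crypto stays scoped to them. A vhost that really needs an old
    # protocol must opt in inside its own server block.
    # TLSv1.3 only takes effect when nginx is linked against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers "HIGH:!aNULL:!MD5";
    ssl_prefer_server_ciphers on;

    # load configs
    # Only sites-enabled is read: a file kept under sites-available has no
    # effect until it is linked or copied into sites-enabled.
    include /usr/local/nginx/conf.d/*.conf;
    include /usr/local/nginx/sites-enabled/*;
}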
sites-available/dls1.conf
# DS listener. nginx.conf's stream block relays SSLv3 connections here.
server {
    # The PROXY protocol header is believed as-is on this socket. Binding to
    # loopback is what keeps remote peers from supplying a forged one, so do
    # not widen this address.
    listen 127.0.0.1:8003 ssl proxy_protocol;

    # Remember, DS doesn't send SNI - this is more for your own peace of mind/NGINX SSL cert checking.
    server_name dls1.ilostmymind.xyz;

    # Keep server.key readable by the nginx master process only.
    ssl_certificate /usr/local/nginx/ssl/dls1-ds/server.crt;
    ssl_certificate_key /usr/local/nginx/ssl/dls1-ds/server.key;

    # Deliberately weak so the console can connect. SSLv3 is broken, and
    # "ALL" admits every non-anonymous suite the linked OpenSSL offers.
    # Treat this channel as compatibility only and carry nothing over it
    # that needs real confidentiality.
    ssl_protocols SSLv3;
    ssl_ciphers "ALL:!aNULL:";

    underscores_in_headers on;
    keepalive_requests 256;

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_buffering off;
        keepalive_requests 256;
        # Replaces any client-sent X-Forwarded-* value with what the stream
        # proxy reported in the PROXY header.
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_set_header X-Forwarded-Port $proxy_protocol_port;
    }
}
# Wii listener. nginx.conf's stream block relays TLSv1 connections here.
server {
    # Loopback plus proxy_protocol: the PROXY header is trusted on this
    # socket, so it must stay unreachable from outside the host.
    listen 127.0.0.1:8010 ssl proxy_protocol;

    # Remember, DS doesn't send SNI - this is more for your own peace of mind/NGINX SSL cert checking.
    # NOTE(review): comment copied from the DS block - confirm it holds for the Wii.
    server_name dls1.ilostmymind.xyz;

    # Keep server.key readable by the nginx master process only.
    ssl_certificate /usr/local/nginx/ssl/dls1-wii/server.crt;
    ssl_certificate_key /usr/local/nginx/ssl/dls1-wii/server.key;

    # TLSv1 with every non-anonymous suite is legacy compatibility, not
    # protection. Do not reuse this certificate/key pair on a modern vhost.
    ssl_protocols TLSv1;
    ssl_ciphers "ALL:!aNULL:";

    underscores_in_headers on;
    keepalive_requests 256;

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_buffering off;
        keepalive_requests 256;
        # Client address and port as reported by the stream proxy. This
        # overwrites whatever X-Forwarded-* the client sent.
        proxy_set_header X-Forwarded-For $proxy_protocol_addr;
        proxy_set_header X-Forwarded-Port $proxy_protocol_port;
    }
}
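# Plain-HTTP entry point to the same backend the DS/Wii TLS listeners use.
server {
    listen 80;
    listen [::]:80;
    server_name dls1.ilostmymind.xyz dls1.wiimmfi.de;

    location / {
        proxy_buffering off;
        proxy_pass http://127.0.0.1:9000;
        # Clients connect to this listener directly and it is not declared
        # with proxy_protocol, so $proxy_protocol_addr/$proxy_protocol_port
        # are empty here. nginx does not pass a header whose value is empty,
        # so the backend received no client address at all, which left
        # logging and per-IP controls blind on port 80. Use the socket peer.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Port $remote_port;
        keepalive_requests 256;
    }
}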
sites-available/gamestats.conf
# GameStats over plain HTTP. Most paths go to the local service on 9090.
# Four game-specific prefixes are relayed to a third-party host instead.
server {
    listen 80;
    listen [::]:80;
    server_name gamestats.gs.wiimmfi.de gamestats2.gs.wiimmfi.de gamestats.gs.nintendowifi.net gamestats2.gs.nintendowifi.net *.gamestats.gs.wiimmfi.de *.gamestats2.gs.wiimmfi.de *.gamestats.gs.nintendowifi.net *.gamestats2.gs.nintendowifi.net;

    location / {
        proxy_pass http://127.0.0.1:9090;
        proxy_buffering off;
        keepalive_requests 256;
        # Taken from the socket, so a client-supplied X-Forwarded-* is replaced.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Port $remote_port;
    }

    # The four locations below leave this machine. Requests travel as
    # cleartext HTTP to gamestats2.gs.pkmnclassic.net, with Host rewritten
    # and the player's IP and port in X-Forwarded-*. The operator of that
    # host, and anyone on the path to it, can read and alter this traffic.
    # nginx resolves the hostname when the configuration is loaded, so a
    # later DNS change is not picked up until a reload.

    location /syachi2ds/ {
        proxy_pass http://gamestats2.gs.pkmnclassic.net/syachi2ds/;
        proxy_buffering off;
        keepalive_requests 256;
        proxy_set_header Host gamestats2.gs.nintendowifi.net;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Port $remote_port;
    }

    location /pokemondpds/ {
        proxy_pass http://gamestats2.gs.pkmnclassic.net/pokemondpds/;
        proxy_buffering off;
        keepalive_requests 256;
        proxy_set_header Host gamestats2.gs.nintendowifi.net;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Port $remote_port;
    }

    location /pokedungeonds/ {
        proxy_pass http://gamestats2.gs.pkmnclassic.net/pokedungeonds/;
        proxy_buffering off;
        keepalive_requests 256;
        proxy_set_header Host gamestats2.gs.nintendowifi.net;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Port $remote_port;
    }

    location /pokedngnwii/ {
        proxy_pass http://gamestats2.gs.pkmnclassic.net/pokedngnwii/;
        proxy_buffering off;
        keepalive_requests 256;
        proxy_set_header Host gamestats2.gs.nintendowifi.net;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Port $remote_port;
    }
}