cwpenhale/default.conf Secret

## default.conf
server {
    listen 1.2.3.4:443 ssl http2;
    listen [1:2:0:0:0:0:0:4]:443 ssl http2;
    server_name cdn.organization.tld;

    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate /etc/ssl/certs/cdn.organization.tld.fullchain.crt;
    ssl_certificate_key /etc/ssl/private/cdn.organization.tld.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    ssl_dhparam /etc/ssl/private/dh_param.pem;

    # intermediate configuration
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate /etc/ssl/certs/cdn.organization.tld.intermediate.crt;

    #Verify
    ssl_verify_client off;

    # replace with the IP address of your resolver
    resolver 1.1.1.1;

    root /opt/organization.tld/html;

    add_header X-Served-By $hostname;

    proxy_ssl_server_name on;
    proxy_ssl_name cdn.organization.tld;
    proxy_http_version 1.1;
    proxy_set_header Host cdn.organization.tld;

    # basic
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    server_tokens off;
    keepalive_timeout 300s;
    types_hash_max_size 2048;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # gzip
    gzip on;
    gzip_disable "msie6";
    gzip_http_version 1.1;
    gzip_comp_level 6;
    gzip_types application/vnd.apple.mpegurl video/mp2t;

    # Disable cache
    add_header Cache-Control no-cache;

    # CORS setup
    add_header 'Access-Control-Allow-Origin' '*' always;
    add_header 'Access-Control-Expose-Headers' 'Content-Length';

    add_header X-Cache-Status $upstream_cache_status;

    location /edge {
        # proxy
        proxy_redirect off;
        proxy_http_version 1.1;
        proxy_read_timeout 10s;
        proxy_send_timeout 10s;
        proxy_connect_timeout 10s;
        proxy_cache ome_cache_temp;
        proxy_cache_methods GET HEAD;
        proxy_cache_key $scheme$proxy_host$uri$is_args$arg__HLS_msn$arg__HLS_part;
        proxy_cache_valid 200 302 1m;
        proxy_cache_valid 404 3s;
        proxy_pass "http://127.0.0.1:80"; # <-- OME edge container
        proxy_set_header Host cdn.organization.tld;
        types {
            application/vnd.apple.mpegurl m3u8;
            video/mp2t ts;
        }
    }
}
	server {
	listen 1.2.3.4:443 ssl http2;
	listen [1:2:0:0:0:0:0:4]:443 ssl http2;
	server_name cdn.organization.tld;

	# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
	ssl_certificate /etc/ssl/certs/cdn.organization.tld.fullchain.crt;
	ssl_certificate_key /etc/ssl/private/cdn.organization.tld.key;
	ssl_session_timeout 1d;
	ssl_session_cache shared:MozSSL:10m; # about 40000 sessions

	# curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
	ssl_dhparam /etc/ssl/private/dh_param.pem;

	# intermediate configuration
	ssl_protocols TLSv1.2;
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
	ssl_prefer_server_ciphers off;

	# HSTS (ngx_http_headers_module is required) (63072000 seconds)
	add_header Strict-Transport-Security "max-age=63072000" always;

	# OCSP stapling
	ssl_stapling on;
	ssl_stapling_verify on;

	# verify chain of trust of OCSP response using Root CA and Intermediate certs
	ssl_trusted_certificate /etc/ssl/certs/cdn.organization.tld.intermediate.crt;

	#Verify
	ssl_verify_client off;

	# replace with the IP address of your resolver
	resolver 1.1.1.1;

	root /opt/organization.tld/html;

	add_header X-Served-By $hostname;

	proxy_ssl_server_name on;
	proxy_ssl_name cdn.organization.tld;
	proxy_http_version 1.1;
	proxy_set_header Host cdn.organization.tld;

	# basic
	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	server_tokens off;
	keepalive_timeout 300s;
	types_hash_max_size 2048;
	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	# gzip
	gzip on;
	gzip_disable "msie6";
	gzip_http_version 1.1;
	gzip_comp_level 6;
	gzip_types application/vnd.apple.mpegurl video/mp2t;

	# Disable cache
	add_header Cache-Control no-cache;

	# CORS setup
	add_header 'Access-Control-Allow-Origin' '*' always;
	add_header 'Access-Control-Expose-Headers' 'Content-Length';

	add_header X-Cache-Status $upstream_cache_status;

	location /edge {
	# proxy
	proxy_redirect off;
	proxy_http_version 1.1;
	proxy_read_timeout 10s;
	proxy_send_timeout 10s;
	proxy_connect_timeout 10s;
	proxy_cache ome_cache_temp;
	proxy_cache_methods GET HEAD;
	proxy_cache_key $scheme$proxy_host$uri$is_args$arg__HLS_msn$arg__HLS_part;
	proxy_cache_valid 200 302 1m;
	proxy_cache_valid 404 3s;
	proxy_pass "http://127.0.0.1:80"; # <-- OME edge container
	proxy_set_header Host cdn.organization.tld;
	types {
	application/vnd.apple.mpegurl m3u8;
	video/mp2t ts;
	}
	}
	}