denji/chefsvr-nginx-ssl.conf

## chefsvr-nginx-ssl.conf
###Nginx config to make Chef servers WebGUI (localhost:4040) and
###REST API (localhost:4000) both available over SSL in the same vhost.
#If your SSL certificate requires a CA Cert bundle, then you may also need to install/symlink a copy of the
#bundle pem in folder /etc/ssl/certs/ and run "c_rehash /etc/ssl/certs/" on the machines that
#need to access these SSL endpoints.
# This is typically needed for RapidSSL/Geotrust issued SSL certificates, YMMV.

#I have these upstreams in the main nginc.conf:
#rest api
upstream chef_webui {
	server 127.0.0.1:4040;
}

#local chef server
upstream chef_api_local {
	server 127.0.0.1:4000;
}
#And the ssl vhost config uses these upstreams.

server {
	listen   443 default_server ssl;
	ssl_certificate /etc/myssl/mydomain_com_ee.crt;
	ssl_certificate_key /etc/myssl/mydomain.com.key;
	#ssl_client_certificate /etc/myssl/RapidSSL_CA_bundle.pem; Optionally include CA Cert bundle.

	keepalive_timeout 60;
	root /usr/share/nginx/www;
	index index.php index.html index.htm;

	# Make site accessible from http://localhost/
	server_name mychefsvr.domain.com;
	access_log /var/log/nginx/chef-access.log;
    error_log /var/log/nginx/chef-error.log;

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto https;

	location / {
	#API
	if ( $http_x_ops_timestamp != "" ){
		proxy_pass http://chef_api_local;
		break;
       	  }
	#GUI
	proxy_pass http://chef_webui;
	}
	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	location ~ /\.ht {
		deny all;
	}
}
	###Nginx config to make Chef servers WebGUI (localhost:4040) and
	###REST API (localhost:4000) both available over SSL in the same vhost.
	#If your SSL certificate requires a CA Cert bundle, then you may also need to install/symlink a copy of the
	#bundle pem in folder /etc/ssl/certs/ and run "c_rehash /etc/ssl/certs/" on the machines that
	#need to access these SSL endpoints.
	# This is typically needed for RapidSSL/Geotrust issued SSL certificates, YMMV.

	#I have these upstreams in the main nginc.conf:
	#rest api
	upstream chef_webui {
	server 127.0.0.1:4040;
	}

	#local chef server
	upstream chef_api_local {
	server 127.0.0.1:4000;
	}
	#And the ssl vhost config uses these upstreams.

	server {
	listen 443 default_server ssl;
	ssl_certificate /etc/myssl/mydomain_com_ee.crt;
	ssl_certificate_key /etc/myssl/mydomain.com.key;
	#ssl_client_certificate /etc/myssl/RapidSSL_CA_bundle.pem; Optionally include CA Cert bundle.

	keepalive_timeout 60;
	root /usr/share/nginx/www;
	index index.php index.html index.htm;

	# Make site accessible from http://localhost/
	server_name mychefsvr.domain.com;
	access_log /var/log/nginx/chef-access.log;
	error_log /var/log/nginx/chef-error.log;

	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto https;

	location / {
	#API
	if ( $http_x_ops_timestamp != "" ){
	proxy_pass http://chef_api_local;
	break;
	}
	#GUI
	proxy_pass http://chef_webui;
	}
	# deny access to .htaccess files, if Apache's document root
	# concurs with nginx's one
	#
	location ~ /\.ht {
	deny all;
	}
	}