hansohn/nginx-https-upstream.conf

## nginx-https-upstream.conf
upstream <site_name>_upstream  {
    # send traffic to upstream proxy or unix socket
    server <ip_address:port_number> fail_timeout=0; # proxy
    #server unix:/tmp/<site>.socket fail_timeout=0; # socket
}

server {
    listen 80;
    server_name <server_names> <ip_address>;

    # 301 http requests to https
    rewrite ^ https://$http_host$request_uri? permanent;
}

server {
    listen 443 ssl;
    server_name <server_names> <ip_address>;

    root </path/to/root/directory>;
    access_log /var/log/nginx/<site_name>_access.log;
    error_log /var/log/nginx/<site_name>_error.log;
    rewrite_log on;

    # ssl
    ssl_certificate /etc/ssl/certs/<site_cert>;
    ssl_certificate_key /etc/ssl/private/<site_key>;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Content-Type-Options nosniff;
    ssl_session_tickets off;

    # allow ff to display fonts from alternate domains
    location ~* \.(eot|ttf|woff)$ {
        add_header Access-Control-Allow-Origin *;
    }

    # static asset pipeline
    location ~ ^/(assets|images|javascripts|stylesheets|system)/  {
        root </path/to/static/assets>;
        expires 3M;
        break;
    }

    # forward to upstream
    location / {
        proxy_pass         http://<site_name>_upstream;
        proxy_redirect     off;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    }
}
	upstream <site_name>_upstream {
	# send traffic to upstream proxy or unix socket
	server <ip_address:port_number> fail_timeout=0; # proxy
	#server unix:/tmp/<site>.socket fail_timeout=0; # socket
	}

	server {
	listen 80;
	server_name <server_names> <ip_address>;

	# 301 http requests to https
	rewrite ^ https://$http_host$request_uri? permanent;
	}

	server {
	listen 443 ssl;
	server_name <server_names> <ip_address>;

	root </path/to/root/directory>;
	access_log /var/log/nginx/<site_name>_access.log;
	error_log /var/log/nginx/<site_name>_error.log;
	rewrite_log on;

	# ssl
	ssl_certificate /etc/ssl/certs/<site_cert>;
	ssl_certificate_key /etc/ssl/private/<site_key>;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_dhparam /etc/ssl/certs/dhparam.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
	add_header X-Content-Type-Options nosniff;
	ssl_session_tickets off;

	# allow ff to display fonts from alternate domains
	location ~* \.(eot\|ttf\|woff)$ {
	add_header Access-Control-Allow-Origin *;
	}

	# static asset pipeline
	location ~ ^/(assets\|images\|javascripts\|stylesheets\|system)/ {
	root </path/to/static/assets>;
	expires 3M;
	break;
	}

	# forward to upstream
	location / {
	proxy_pass http://<site_name>_upstream;
	proxy_redirect off;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
	}