Create a gist now

Instantly share code, notes, and snippets.

What would you like to do?
nginx configuration for sites with ACME-issued ssl certs
# /etc/nginx/sites-available/01-mojo-acme
upstream mojo-acme {
server 127.0.0.1:8000;
}
# /etc/nginx/common/http-redirects
location /.well-known/ {
proxy_pass http://mojo-acme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location / {
return 301 https://$server_name$request_uri;
}
# mojo-acme.pl
use Mojolicious::Lite;
plugin 'ACME';
app->start;
__END__
start as:
$ perl mojo-acme.pl daemon -l 'http://*:8000'
to generate certificates:
$ perl mojo-acme.pl acme cert generate <domain> <domain> ....
# /etc/nginx/sites-available/myapp
upstream myapp {
server 127.0.0.1:8080;
}
server {
listen 80;
server_name myapp.myhost.com;
include /etc/nginx/common/http-redirects;
}
server {
listen 443 ssl;
server_name myapp.myhost.com;
location / {
proxy_pass http://myapp;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 3600s;
}
include /etc/nginx/common/ssl-settings;
}
# /etc/nginx/common/ssl-settings
ssl_certificate /path/to/cert.crt;
ssl_certificate_key /path/to/cert.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam /path/to/dhparams.pem;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment