nginx configuration for sites with ACME-issued SSL certificates
# /etc/nginx/sites-available/01-mojo-acme
#
# Upstream for the ACME HTTP-01 challenge responder (mojo-acme.pl).
# nginx only ever reaches it over loopback, so the responder itself
# should also bind 127.0.0.1 rather than every interface when it is
# started (the documented `daemon -l 'http://*:8000'` listens on all).
upstream mojo-acme {
    server 127.0.0.1:8000;
}
# /etc/nginx/common/http-redirects
#
# Shared by every plain-HTTP (port 80) server block: ACME challenge
# traffic is handed to the challenge responder, everything else is
# bounced to HTTPS.

# HTTP-01 challenges arrive on port 80 under /.well-known/acme-challenge/
# (RFC 8555). This prefix forwards the whole /.well-known/ tree, so any
# other well-known resource (security.txt, change-password, ...) ends up
# at the responder instead of the application; narrow the prefix to
# /.well-known/acme-challenge/ if a site serves such resources.
location /.well-known/ {
    proxy_pass         http://mojo-acme;
    proxy_http_version 1.1;

    # client / scheme information forwarded to the responder
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # HTTP upgrade headers (as used for WebSockets), kept identical to
    # the application proxy block so the two includes stay in step
    proxy_set_header Upgrade    $http_upgrade;
    proxy_set_header Connection "upgrade";
}

# Everything else: permanent redirect to the TLS listener. $server_name
# (the configured name of this server block) is used instead of $host on
# purpose, so a client-supplied Host header is never reflected into the
# Location header.
location / {
    return 301 https://$server_name$request_uri;
}
# mojo-acme.pl
#
# Minimal ACME (HTTP-01) challenge responder: a Mojolicious::Lite app
# whose only job is to load the ACME plugin. nginx proxies /.well-known/
# to it on port 8000, and the plugin's `acme` command (see below) drives
# certificate issuance. Mojolicious::Lite already enables strict,
# warnings and utf8, so no separate pragmas are needed.
use Mojolicious::Lite;

# Provides the `acme` command used below (and, presumably, the challenge
# route that nginx forwards to -- confirm against the plugin docs).
app->plugin('ACME');

# Hand over to the command line: `daemon` runs the responder, `acme ...`
# talks to the CA. Prefer -l 'http://127.0.0.1:8000' over 'http://*:8000'
# so the responder is reachable only through nginx on loopback.
app->start;

__END__
Start the challenge responder as (the port must match the upstream in 01-mojo-acme):

$ perl mojo-acme.pl daemon -l 'http://*:8000'
To generate certificates (with the daemon running and reachable on port 80 through nginx):

$ perl mojo-acme.pl acme cert generate <domain> <domain> ...
# /etc/nginx/sites-available/myapp
#
# The application itself, reached in plaintext over loopback; TLS is
# terminated in nginx (see the 443 server block below).
upstream myapp {
    server 127.0.0.1:8080;
}
# Plain HTTP: only ACME challenges are answered here; everything else is
# redirected to HTTPS by the shared include.
server {
    listen      80;
    server_name myapp.myhost.com;

    include /etc/nginx/common/http-redirects;
}
# HTTPS: TLS terminates here and requests are proxied to the app.
server {
    listen      443 ssl;
    server_name myapp.myhost.com;

    # certificate paths, protocols and ciphers live in the shared include
    include /etc/nginx/common/ssl-settings;

    location / {
        proxy_pass         http://myapp;
        proxy_http_version 1.1;

        # X-Forwarded-For is appended to (not replaced), so the app must
        # only trust the last, nginx-added entry; X-Forwarded-Proto tells
        # it the original request was HTTPS although this hop is plain.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # HTTP upgrade passthrough (WebSockets); the long read timeout
        # keeps idle upgraded connections from being closed after the
        # default 60s.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 3600s;
    }
}
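# /etc/nginx/common/ssl-settings
#
# Shared TLS settings, included by every `listen 443 ssl` server block.
# Point the two paths at the files produced by `mojo-acme.pl acme cert
# generate` (the values below are placeholders) and reload nginx after
# each renewal, otherwise the previously loaded certificate stays in use.
ssl_certificate     /path/to/cert.crt;
ssl_certificate_key /path/to/cert.key;

# TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer enabled.
# TLSv1.3 requires nginx 1.13.0+ (older builds reject the parameter at
# `nginx -t`) and an OpenSSL 1.1.1+ library for it to take effect.
ssl_protocols TLSv1.2 TLSv1.3;

# Forward-secret suites only: ECDHE/DHE with AES-GCM first, then the
# remaining AES-256 suites as fallback. This list governs TLS 1.2 only;
# TLS 1.3 suites are fixed by the library and unaffected by ssl_ciphers.
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_prefer_server_ciphers on;

# Parameters for the EDH suites above; generate your own group of at
# least 2048 bits (e.g. `openssl dhparam -out dhparams.pem 2048`).
ssl_dhparam /path/to/dhparams.pem;

# Session resumption cache shared across all worker processes.
ssl_session_cache shared:SSL:10m;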