nginx configuration for sites with ACME-issued ssl certs

## 01-mojo-acme
# /etc/nginx/sites-available/01-mojo-acme

upstream mojo-acme {
  server 127.0.0.1:8000;
}

## http-redirects
# /etc/nginx/common/http-redirects

location /.well-known/ {
  proxy_pass http://mojo-acme;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection "upgrade";
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
}

location / {
  return 301 https://$server_name$request_uri;
}

## mojo-acme.pl
# mojo-acme.pl

use Mojolicious::Lite;

plugin 'ACME';

app->start;

__END__

start as:
$ perl mojo-acme.pl daemon -l 'http://*:8000'

to generate certificates:
$ perl mojo-acme.pl acme cert generate <domain> <domain> ....

## myapp
# /etc/nginx/sites-available/myapp

upstream myapp {
  server 127.0.0.1:8080;
}
server {
  listen 80;
  server_name myapp.myhost.com;
  include /etc/nginx/common/http-redirects;
}
server {
  listen 443 ssl;
  server_name myapp.myhost.com;
  location / {
    proxy_pass http://myapp;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 3600s;
  }
  include /etc/nginx/common/ssl-settings;
}

## ssl-settings
# /etc/nginx/common/ssl-settings

ssl_certificate     /path/to/cert.crt;
ssl_certificate_key /path/to/cert.key;
ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers         'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
ssl_dhparam         /path/to/dhparams.pem;
ssl_session_cache   shared:SSL:10m;
ssl_prefer_server_ciphers on;
	# /etc/nginx/sites-available/01-mojo-acme

	upstream mojo-acme {
	server 127.0.0.1:8000;
	}
	# /etc/nginx/common/http-redirects

	location /.well-known/ {
	proxy_pass http://mojo-acme;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_set_header Host $host;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	}

	location / {
	return 301 https://$server_name$request_uri;
	}
	# mojo-acme.pl

	use Mojolicious::Lite;

	plugin 'ACME';

	app->start;

	__END__

	start as:
	$ perl mojo-acme.pl daemon -l 'http://*:8000'

	to generate certificates:
	$ perl mojo-acme.pl acme cert generate <domain> <domain> ....
	# /etc/nginx/sites-available/myapp

	upstream myapp {
	server 127.0.0.1:8080;
	}
	server {
	listen 80;
	server_name myapp.myhost.com;
	include /etc/nginx/common/http-redirects;
	}
	server {
	listen 443 ssl;
	server_name myapp.myhost.com;
	location / {
	proxy_pass http://myapp;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_set_header Host $host;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_read_timeout 3600s;
	}
	include /etc/nginx/common/ssl-settings;
	}
	# /etc/nginx/common/ssl-settings

	ssl_certificate /path/to/cert.crt;
	ssl_certificate_key /path/to/cert.key;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
	ssl_dhparam /path/to/dhparams.pem;
	ssl_session_cache shared:SSL:10m;
	ssl_prefer_server_ciphers on;