njh/house.example.net.conf

## house.example.net.conf
server {
    server_name  house.example.net;
    listen       1.2.3.4:80 default_server;
    listen       [2001:1234:ffff::1]:80 default_server;

    add_header   Cache-Control "public,max-age=31536000";
    return       301  https://$server_name$request_uri;
}

map $ssl_client_s_dn $ssl_username {
    default       0;

    "/CN=nick@example.net/emailAddress=nick@example.net"   nick;
    "/CN=alfie@example.net/emailAddress=debs@example.net"  alfie;
    "/CN=henry@example.net/emailAddress=debs@example.net"  henry;
}

server {
    server_name  house.example.net;
    listen       1.2.3.4:443 ssl default_server;
    listen       [2001:1234:ffff::1]:443 ssl default_server;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_certificate /etc/ssl/certs/house.example.net.crt;
    ssl_certificate_key /etc/ssl/private/house.example.net.key;
    ssl_client_certificate /etc/ssl/certs/StartCom_Certification_Authority.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;

    # See map above
    if ($ssl_username = 0) {
        return 403;
    }

    # add Strict-Transport-Security to prevent man in the middle attacks
    add_header   Strict-Transport-Security "max-age=31536000";

    root /srv/www/house;
    index index.html;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    location /facette {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:12003;
    }

    location /node-red {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass http://localhost:1880;
    }
}
	server {
	server_name house.example.net;
	listen 1.2.3.4:80 default_server;
	listen [2001:1234:ffff::1]:80 default_server;

	add_header Cache-Control "public,max-age=31536000";
	return 301 https://$server_name$request_uri;
	}

	map $ssl_client_s_dn $ssl_username {
	default 0;

	"/CN=nick@example.net/emailAddress=nick@example.net" nick;
	"/CN=alfie@example.net/emailAddress=debs@example.net" alfie;
	"/CN=henry@example.net/emailAddress=debs@example.net" henry;
	}

	server {
	server_name house.example.net;
	listen 1.2.3.4:443 ssl default_server;
	listen [2001:1234:ffff::1]:443 ssl default_server;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	ssl_certificate /etc/ssl/certs/house.example.net.crt;
	ssl_certificate_key /etc/ssl/private/house.example.net.key;
	ssl_client_certificate /etc/ssl/certs/StartCom_Certification_Authority.pem;
	ssl_verify_client on;
	ssl_verify_depth 2;

	# See map above
	if ($ssl_username = 0) {
	return 403;
	}

	# add Strict-Transport-Security to prevent man in the middle attacks
	add_header Strict-Transport-Security "max-age=31536000";

	root /srv/www/house;
	index index.html;

	location / {
	# First attempt to serve request as file, then
	# as directory, then fall back to displaying a 404.
	try_files $uri $uri/ =404;
	}

	location /facette {
	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_pass http://localhost:12003;
	}

	location /node-red {
	proxy_set_header Host $http_host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_set_header X-Forwarded-Proto $scheme;
	proxy_http_version 1.1;
	proxy_set_header Upgrade $http_upgrade;
	proxy_set_header Connection "upgrade";
	proxy_pass http://localhost:1880;
	}
	}