@panva

panva/op.conf Secret

Last active January 8, 2019 15:18
server {
    listen 443 ssl;
    server_name op.panva.me;

    ssl_certificate /Users/panva/repo/provider/acme/acme-v02.api.letsencrypt.org/sites/op.panva.me/op.panva.me.crt;
    ssl_certificate_key /Users/panva/repo/provider/acme/acme-v02.api.letsencrypt.org/sites/op.panva.me/op.panva.me.key;

    # to allow no-cert and self-signed
    ssl_verify_client optional_no_ca;
    # without this browser clients were always prompted, even without any installed certs
    ssl_client_certificate /Users/panva/repo/ca/intermediate/certs/ca-chain.cert.pem;
    # not sure why I had this, probably had to do with the way my local CA chain was set up
    ssl_verify_depth 2;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # used for checking self_signed_tls_client_auth client's jwks_uri x5c
        # used for calculating the cert's thumbprint
        proxy_set_header x-ssl-client-cert $ssl_client_cert;
        # used for checking client's tls_client_auth_subject_dn
        proxy_set_header x-ssl-client-s-dn $ssl_client_s_dn;
        # used for checking tls_client_auth
        proxy_set_header x-ssl-client-verify $ssl_client_verify;

        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;
    }
}
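
An added example, not part of the gist or of any project's code: how the application behind `proxy_pass` could consume the three `x-ssl-client-*` headers for the checks the comments name. The function names, the client record shape and the sample certificate bytes are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// nginx's $ssl_client_cert is PEM whose continuation lines start with a tab;
// an HTTP parser may unfold them to spaces. Strip armor and all whitespace.
function derFromHeader(value) {
  if (!value) return null; // empty variable: nginx does not forward the header
  const m = /-----BEGIN CERTIFICATE-----([\s\S]+?)-----END CERTIFICATE-----/.exec(value);
  if (!m) return null;
  const b64 = m[1].replace(/\s+/g, '');
  return /^[A-Za-z0-9+\/]+={0,2}$/.test(b64) ? Buffer.from(b64, 'base64') : null;
}

// SHA-256 over the DER bytes, base64url without padding (the x5t#S256 form).
function thumbprintS256(der) {
  return crypto.createHash('sha256').update(der).digest('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// client is a hypothetical registration record:
// { method, subjectDn, x5c: [base64 DER, ...] }
function authenticate(headers, client) {
  const der = derFromHeader(headers['x-ssl-client-cert']);
  if (!der) return { ok: false, reason: 'no client certificate' };
  if (client.method === 'tls_client_auth') {
    // optional_no_ca accepts unverifiable certs, so the app must check the verdict
    if (headers['x-ssl-client-verify'] !== 'SUCCESS') return { ok: false, reason: 'chain not verified' };
    // subjectDn must be stored in the same string form nginx emits
    if (headers['x-ssl-client-s-dn'] !== client.subjectDn) return { ok: false, reason: 'subject DN mismatch' };
  } else if (client.method === 'self_signed_tls_client_auth') {
    // no chain to trust: the presented cert must equal one registered in x5c
    const known = (client.x5c || []).some((c) => Buffer.from(c, 'base64').equals(der));
    if (!known) return { ok: false, reason: 'certificate not registered' };
  } else {
    return { ok: false, reason: 'unsupported method' };
  }
  return { ok: true, thumbprint: thumbprintS256(der) };
}

// Constructed sample: 90 arbitrary bytes standing in for a DER certificate,
// folded the way nginx emits $ssl_client_cert.
const SAMPLE_DER = Buffer.alloc(90, 0xa5);
const SAMPLE_HEADER = '-----BEGIN CERTIFICATE-----\n\t'
  + SAMPLE_DER.toString('base64').replace(/(.{64})/g, '$1\n\t')
  + '\n\t-----END CERTIFICATE-----';
```

These headers are only meaningful when the application is reachable solely through nginx, as with the `127.0.0.1:3000` upstream above.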