-
-
Save panva/bb153c974cfd65fb0bc9ebb89ca0a3eb to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
server { | |
listen 443 ssl; | |
server_name op.panva.me; | |
ssl_certificate /Users/panva/repo/provider/acme/acme-v02.api.letsencrypt.org/sites/op.panva.me/op.panva.me.crt; | |
ssl_certificate_key /Users/panva/repo/provider/acme/acme-v02.api.letsencrypt.org/sites/op.panva.me/op.panva.me.key; | |
# to allow no-cert and self-signed | |
ssl_verify_client optional_no_ca; | |
# without this browser clients were always prompted, even without any installed certs | |
ssl_client_certificate /Users/panva/repo/ca/intermediate/certs/ca-chain.cert.pem; | |
# not sure why i had this, probably had to do with the way my local CA chain was setup | |
ssl_verify_depth 2; | |
location / { | |
proxy_set_header Host $host; | |
proxy_set_header X-Real-IP $remote_addr; | |
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
proxy_set_header X-Forwarded-Proto $scheme; | |
# used for checking self_signed_tls_client_auth client's jwks_uri x5c | |
# used for calculating the cert's thumbprint | |
proxy_set_header x-ssl-client-cert $ssl_client_cert; | |
# used for checking client's tls_client_auth_subject_dn | |
proxy_set_header x-ssl-client-s-dn $ssl_client_s_dn; | |
# used for checking tls_client_auth | |
proxy_set_header x-ssl-client-verify $ssl_client_verify; | |
proxy_pass http://127.0.0.1:3000; | |
proxy_redirect off; | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment