seanhandley/my-nginx-server.conf

## my-nginx-server.conf
server {
  listen                443 ssl http2;
  server_name           awesomehost.ninja;

  ssl_certificate          /path/to/server.crt;
  ssl_certificate_key      /path/to/server/key
  ssl_client_certificate   /path/to/client-ca.crt;
  ssl_verify_client        optional;

  location /secret {
    if ($ssl_client_verify != SUCCESS) { return 403; }
    include /path/to/upstream.conf;
  }

  location / {
    include /path/to/upstream.conf;
  }
}

upstream unicorn {
  server unix:/var/run/unicorn.sock fail_timeout=0;
}

## upstream.conf
proxy_pass              http://unicorn;
proxy_read_timeout      90;
proxy_connect_timeout   90;
proxy_redirect          off;
proxy_set_header        X-Forwarded-Proto https;
proxy_set_header        Host $host;
proxy_set_header        X-Real-IP $remote_addr;
proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
	server {
	listen 443 ssl http2;
	server_name awesomehost.ninja;

	ssl_certificate /path/to/server.crt;
	ssl_certificate_key /path/to/server/key
	ssl_client_certificate /path/to/client-ca.crt;
	ssl_verify_client optional;

	location /secret {
	if ($ssl_client_verify != SUCCESS) { return 403; }
	include /path/to/upstream.conf;
	}

	location / {
	include /path/to/upstream.conf;
	}
	}

	upstream unicorn {
	server unix:/var/run/unicorn.sock fail_timeout=0;
	}
	proxy_pass http://unicorn;
	proxy_read_timeout 90;
	proxy_connect_timeout 90;
	proxy_redirect off;
	proxy_set_header X-Forwarded-Proto https;
	proxy_set_header Host $host;
	proxy_set_header X-Real-IP $remote_addr;
	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;