59 lines
1.2 KiB
Text
59 lines
1.2 KiB
Text
server {
|
|
listen 80;
|
|
listen [::]:80;
|
|
|
|
server_name {{ item.domain }};
|
|
|
|
return 301 https://$host$request_uri;
|
|
}
|
|
|
|
server {
|
|
listen 443 ssl;
|
|
listen [::]:443 ssl;
|
|
|
|
server_name {{ item.domain }};
|
|
|
|
ssl_certificate {{ item.cert }};
|
|
ssl_certificate_key {{ item.key }};
|
|
|
|
include {{ item.ssl_conf }};
|
|
|
|
ssl_verify_client optional;
|
|
ssl_client_certificate {{ item.clnt_ca }};
|
|
|
|
proxy_cache_bypass $http_upgrade;
|
|
proxy_http_version 1.1;
|
|
proxy_redirect off;
|
|
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header HOST $host;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header X-Forwarded-For $remote_addr;
|
|
proxy_set_header X-Forwarded-Host $host;
|
|
proxy_set_header X-Forwarded-Port $server_port;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
|
|
location / {
|
|
recursive_error_pages on;
|
|
|
|
error_page 418 = @no_crt;
|
|
error_page 419 = @with_crt;
|
|
|
|
if ($ssl_client_verify != SUCCESS) {
|
|
return 418;
|
|
}
|
|
|
|
if ($ssl_client_verify = SUCCESS) {
|
|
return 419;
|
|
}
|
|
}
|
|
|
|
location @no_crt {
|
|
proxy_pass https://{{ item.no_crt }};
|
|
}
|
|
|
|
location @with_crt {
|
|
proxy_pass https://{{ item.with_crt }};
|
|
}
|
|
}
|