server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/ssl/dev.cac.atat.codes.crt;
    ssl_certificate_key /etc/ssl/dev.cac.atat.codes.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers on;

    ssl_verify_client optional;
    ssl_verify_depth 10;
    ssl_client_certificate /etc/ssl/ca-chain.pem;
    error_log /var/log/nginx/authnid.error.log debug;

    add_header Strict-Transport-Security max-age=15768000;
    #ssl_stapling on;
    #ssl_stapling_verify on;

    location / {
      try_files $uri @app;
    }

    location @app {
      include uwsgi_params;
      uwsgi_pass unix:///tmp/uwsgi.sock;
      uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
      uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
      uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
    }

    location /static {
      alias /app/static;
    }
}