atst/ssl/ssl.conf
2018-08-06 10:44:00 -04:00

40 lines
1.1 KiB
Plaintext

server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/dev.cac.atat.codes.crt;
ssl_certificate_key /etc/ssl/dev.cac.atat.codes.key;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
ssl_verify_client optional;
ssl_verify_depth 10;
ssl_client_certificate /etc/ssl/ca-chain.pem;
error_log /var/log/nginx/authnid.error.log debug;
add_header Strict-Transport-Security max-age=15768000;
#ssl_stapling on;
#ssl_stapling_verify on;
location / {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///tmp/uwsgi.sock;
uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
}
location /static {
alias /app/static;
}
}