nginx/default.conf
geo $trustedupstream {
default 0;
${TRUSTEDPROXYIP} 1;
}
server {
listen 80;
server_name ${DOMAIN};
server_tokens off;
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl;
server_name ${DOMAIN};
server_tokens off;
root /app/owasp_sso;
ssl_certificate /etc/letsencrypt/live/${DOMAIN}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/${DOMAIN}/privkey.pem;
include /etc/nginx/crypto/options-ssl-nginx.conf;
ssl_dhparam /etc/nginx/crypto/ssl-dhparams.pem;
ssl_client_certificate /etc/nginx/crypto/ca.pem;
ssl_verify_client optional;
#error_log /var/log/nginx/error.log debug;
location / {
try_files $uri $uri/ /index.html;
}
# Allow cert passthrough FROM a trusted proxy IP (for multiple reverse proxies)
if ($trustedupstream = 1) {
set $ssl_client_escaped_cert $http_x_tls_cert;
set $ssl_client_verify $http_x_tls_verified;
}
location ^~ /api {
# Basic proxy setup
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Client cert passthrough
proxy_set_header X-TLS-CERT $ssl_client_escaped_cert;
proxy_set_header X-TLS-VERIFIED $ssl_client_verify;
proxy_ssl_session_reuse on;
proxy_pass https://backend:3000;
rewrite /api(.*) $1 break;
}
}