njh · January 21, 2016 13:09 · Jan 21, 2016
diff --git a/house.example.net.conf b/house.example.net.conf
@@ -0,0 +1,67 @@
+server {
+    server_name  house.example.net;
+    listen       1.2.3.4:80 default_server;
+    listen       [2001:1234:ffff::1]:80 default_server;
+
+    add_header   Cache-Control "public,max-age=31536000";
+    return       301  https://$server_name$request_uri;
+}
+
+map $ssl_client_s_dn $ssl_username {
+    default       0;
+
+    "/[email protected]/[email protected]"   nick;
+    "/[email protected]/[email protected]"  alfie;
+    "/[email protected]/[email protected]"  henry;
+}
+
+server {
+    server_name  house.example.net;
+    listen       1.2.3.4:443 ssl default_server;
+    listen       [2001:1234:ffff::1]:443 ssl default_server;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_certificate /etc/ssl/certs/house.example.net.crt;
+    ssl_certificate_key /etc/ssl/private/house.example.net.key;
+    ssl_client_certificate /etc/ssl/certs/StartCom_Certification_Authority.pem;
+    ssl_verify_client on;
+    ssl_verify_depth 2;
+
+    # See map above
+    if ($ssl_username = 0) {
+        return 403;
+    }
+
+    # add Strict-Transport-Security to prevent man in the middle attacks
+    add_header   Strict-Transport-Security "max-age=31536000"; 
+
+    root /srv/www/house;
+    index index.html;
+
+    location / {
+        # First attempt to serve request as file, then
+        # as directory, then fall back to displaying a 404.
+        try_files $uri $uri/ =404;
+    }
+
+    location /facette {
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_pass http://localhost:12003;
+    }
+
+    location /node-red {
+        proxy_set_header Host $http_host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_pass http://localhost:1880;
+    }
+}
+