-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathnginx_stream.conf
28 lines (23 loc) · 1.19 KB
/
nginx_stream.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# This is an example of using nginx as a reverse proxy that terminates TLS.
# It listens on port 994, terminates TLS, and forwards the connection to
# Ergo over a unix domain socket (prepending a PROXY v1 header containing
# the original IP).
# NOTE: this must be included in a `stream` block of the nginx configuration,
# not an `http` block. so don't put it in /etc/nginx/sites-enabled, create a new
# /etc/nginx/streams-enabled, put it there, then add the following to
# /etc/nginx/nginx.conf:
#
#stream {
# include /etc/nginx/streams-enabled/*;
#}
server {
# 994 is the "official" port that nobody uses, as per RFC 7194
listen 994 ssl;
listen [::]:994 ssl;
ssl_certificate /etc/letsencrypt/live/testnet.oragono.io/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/testnet.oragono.io/privkey.pem;
ssl_ciphers "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
ssl_protocols TLSv1.3 TLSv1.2;
proxy_pass unix:/tmp/ergo_sock;
proxy_protocol on;
}