Pierre,

Since I normally cannot help on Mojolicious stuff, I'm pleased I can help 
on this.

Here's our actual Nginx config for a production server that we run. I have 
changed the domain names over to protect the innocent, me!

It provides an https connection to a Hypnotoad backend. Users connect from 
either an Apple or Google phone on port 3000 over an https connection. 
Nginx makes the connection to Hypnotoad over http on port 3001 on the same 
server.

The rest of the stuff is changes to the security configuration to remove 
less secure encryption, which may or may not interest you. It is left in 
for completeness. 

We run 16 workers under Hypnotoad and so far performance is OK. However we 
are still ramping users up.

server {
        listen 3000;
        server_name XXX.YYYY.com;

        ssl on;
        ssl_certificate /etc/ssl/certs/SSL.crt;
        ssl_certificate_key /etc/ssl/private/server.key;

        ssl_session_timeout 5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/private/dhparams.pem;

        location / {
                proxy_set_header        Host $host;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Forwarded-Proto $scheme;

                # Fix the "It appears that your reverse proxy set up is broken" error.
                proxy_pass          http://127.0.0.1:3001;
                proxy_read_timeout  90;

                proxy_redirect      http://127.0.0.1:3001 https://XXX.YYYY.com;
        }
}

Hope this is of use,

Rob
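
An added example, not part of Rob's message or the production config: a small Python audit that reads the ssl_protocols and ssl_ciphers directives from an nginx config like the one above and lists the legacy protocol versions and cipher-list entries a reviewer would look at when tightening it. The sample text is a constructed, shortened copy of the posted directives; the function names and finding labels are hypothetical.

```python
import re

# Constructed sample: a shortened copy of the directives in the post above.
SAMPLE = """
server {
    listen 3000;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # as posted
    ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA:AES128-GCM-SHA256:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!RC4:!MD5'
;
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: RFC 8996

def directive(conf, name):
    """Return the argument string of the first `name ...;` directive, or None."""
    conf = re.sub(r"#[^\n]*", "", conf)             # drop comments
    m = re.search(r"\b%s\s+([^;]+);" % re.escape(name), conf)
    return m.group(1).strip().strip("'\"") if m else None

def classify_cipher(token):
    """Label one ssl_ciphers token by the weakness it admits, or None."""
    if token.startswith(("!", "-")):
        return None                                  # exclusion, not an offer
    if "+" in token or "-" not in token:
        return "alias"                               # broad selector: AES, kEDH+AESGCM
    if "DES-CBC3" in token or "3DES" in token:
        return "3des"
    if not token.startswith(("ECDHE-", "DHE-", "EDH-")):
        return "no-forward-secrecy"                  # heuristic: no kx prefix = RSA key transport
    if "GCM" not in token and "CHACHA20" not in token:
        return "cbc-mode"
    return None

def audit(conf):
    """Collect deprecated protocols and flagged cipher tokens from a config."""
    protos = (directive(conf, "ssl_protocols") or "").split()
    ciphers = (directive(conf, "ssl_ciphers") or "").split(":")
    findings = {"protocols": sorted(p for p in protos if p in DEPRECATED_PROTOCOLS)}
    for tok in filter(None, ciphers):
        label = classify_cipher(tok)
        if label:
            findings.setdefault(label, []).append(tok)
    return findings

if __name__ == "__main__":
    for kind, items in audit(SAMPLE).items():
        print(f"{kind}: {', '.join(items)}")
```

Alias entries such as AES and CAMELLIA expand to many suites, so a static check like this cannot enumerate them; `openssl ciphers -v '<string>'` shows what the installed OpenSSL actually selects for a given string.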

