@ -36,15 +36,16 @@ http {
}
stream {
include /etc/nginx/stream_rp.conf;
# Map the SNI from the TLS hello packet to an upstream server.
# This allow to RP request without breaking the TLS encryption
# like a proxy_pass does
map $ssl_preread_server_name $upstream_server {
acme-v02.api.letsencrypt.org acme;
r3.o.lencr.org r3;
default self;
{% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
{{ rp.value.sni_server_name }} {{ rp.key }};
{%- endfor %}
default local;
}
# let's encrypt servers, to generate LE cert from isolated network
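Review bot: Both `default self;` and `default local;` appear inside the `map $ssl_preread_server_name $upstream_server {` block, and since the rendered page has lost the +/- markers it is not certain that `default self;` is the removed line; if both survive on the new side nginx refuses to load the configuration because a map may carry only one default, so the old line should be confirmed gone. The key `{{ rp.value.sni_server_name }}` is inserted into the map unquoted, so a value that starts with `~` is parsed by nginx as a regular expression and a value containing whitespace splits into two tokens; the value should be validated against the host-name character set in the playbook before this template is rendered, since it decides which upstream receives the still-encrypted client connection. The comment above the map is hard to read as written; `# This allows reverse-proxying the request without terminating TLS, unlike proxy_pass` states the intent. The enclosing `stream {` block continues past the end of this hunk.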
@ -54,8 +55,13 @@ stream {
upstream r3 {
server r3.o.lencr.org:443;
}
{% for rp in (ssl_reverse_proxy_upstream | default({}) | dict2items) -%}
upstream {{ rp.key }} {
server {{ rp.value.to }}:{{ rp.value.to_port | default('443') }};
}
{%- endfor %}
# default to this server sites
upstream self {
upstream local {
server 127.0.0.1:8443;
}
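Review bot: The generated `server {{ rp.value.to }}:{{ rp.value.to_port | default('443') }};` line places the `to` value straight into an upstream `server` directive, where a host name is resolved only when the configuration is loaded, so a backend whose address changes keeps receiving nothing until nginx is reloaded, and an IPv6 literal would need to be written in brackets to parse at all; a comment above the loop such as `# 'to' must be an IP address, a bracketed IPv6 literal, or a name resolvable at reload time` would make that contract visible to whoever fills in `ssl_reverse_proxy_upstream`. As in the first hunk, `upstream self {` and `upstream local {` both appear and the page does not show which side each is on; if `upstream self {` is not the removed line the block is left unclosed and the configuration fails to load, so the rename should be confirmed. The enclosing `stream {` block starts before this hunk.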