From 55f2a6be4391337cebb61a14950bbeb700bc409c Mon Sep 17 00:00:00 2001
From: Serghei Mihai <smihai@entrouvert.com>
Date: Fri, 22 May 2015 10:51:27 +0200
Subject: [PATCH] debian: webserver config example

---
 debian/docs               |  2 ++
 debian/nginx-example.conf | 35 +++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 debian/docs
 create mode 100644 debian/nginx-example.conf

diff --git a/debian/docs b/debian/docs
new file mode 100644
index 0000000..9a8150c
--- /dev/null
+++ b/debian/docs
@@ -0,0 +1,2 @@
+README
+debian/nginx-example.conf
diff --git a/debian/nginx-example.conf b/debian/nginx-example.conf
new file mode 100644
index 0000000..6270948
--- /dev/null
+++ b/debian/nginx-example.conf
@@ -0,0 +1,35 @@
+server {
+        listen 8443;
+
+        server_name authentic.dev.entrouvert.lan;
+
+        ssl on;
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+        ssl_prefer_server_ciphers on;
+
+        ssl_certificate         /etc/ssl/certs/wildcard.dev.entrouvert.org.pem;
+        ssl_certificate_key     /etc/ssl/private/wildcard.dev.entrouvert.org.key;
+        ssl_verify_client on;
+
+        location / {
+                return 301 https://$host;
+        }
+
+        location ~ ^/accounts/beid/(x509|signin|add|activate/.*) {
+                proxy_pass         http://localhost:8000;
+                proxy_read_timeout 600;
+                proxy_set_header Host              $host;
+                proxy_set_header X-Real-IP         $remote_addr;
+                proxy_set_header X-Forwarded-For   $remote_addr;
+                proxy_set_header X-Forwarded-SSL off;
+                proxy_set_header X-Forwarded-Protocol ssl;
+                proxy_set_header X-Forwarded-Proto http;
+                proxy_set_header Ssl-Client-I-Dn $ssl_client_i_dn;
+                proxy_set_header Ssl-Client-S-Dn $ssl_client_s_dn;
+                proxy_set_header Ssl-Client-Serial $ssl_client_serial;
+                proxy_set_header Ssl-Client-Cert $ssl_client_cert;
+                proxy_set_header Ssl-Client-Verify $ssl_client_verify;
+        }
+
+}