Note: This page is quite old and is likely out of date. My opinions may have also changed dramatically since this was written. It is here as a reference until I get around to updating it.

Dynamic Backend w/ Fallback


upstream redis {
  # TODO Properly configure this
  keepalive 1024 single;

  redis2_connect_timeout 100ms;
  redis2_send_timeout 100ms;
  redis2_read_timeout 100ms;
  redis2_pass redis;

server {
  listen 443;

  # Include SSL stuff;

  # Log stuff
  access_log /var/log/nginx/access.log;

  # Local/Internal DNS resolver

  location / {
    # Don't do any magic to static files
    root '/var/www/';
    if (-f $request_filename) {
      # This probably needs some work

    # TODO: Get this from Redis
    set $server '';
    set $port '80';

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme; # Should always be https

    # Intercept all errors, if one matches the error block sent the request to
    # a different backend
    proxy_intercept_errors on;
    error_page 502 = @fallback;

    proxy_pass http://$server:$port;

  location @fallback {
    # Look this up, but pretty sure it means don't allow clients / HTTP
    # requests to access this.


echo -e "AC\n\n \n \n\n*\n\n" | openssl req -new -x509 \
  -newkey rsa:2048 -keyout server.key -nodes -days 365 -out server.crt

And include some DH parameters.

openssl dhparam -rand - 2048 > server_dh.pem

I just dropped server.{key,cert} into /etc/nginx/, and a quick SSL configuration to dump into the nginx configuration.

cat << EOF > /etc/nginx/conf.d/ssl.conf
server {
  listen 443;

  ssl on;

  ssl_certificate     /etc/nginx/server.crt;
  ssl_certificate_key /etc/nginx/server.key;

  ssl_dhparam /etc/nginx/server_dh.pem;

  ssl_session_timeout 5m;
  ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

  ssl_prefer_server_ciphers on;

  add_header Strict-Transport-Security max-age=15768000;

  access_log /var/log/nginx/access.log;


  location / {
    # Don't do any magic to static files
    root '/var/www/default';
    index index.html;