<% if File.exist?(@ssl_cert) && File.exist?(@ssl_key) -%> upstream _btcpayserver { server localhost:<%= @btcpay_port %>; } # If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the # scheme used to connect to this server map $http_x_forwarded_proto $proxy_x_forwarded_proto { default $http_x_forwarded_proto; '' $scheme; } # If we receive X-Forwarded-Port, pass it through; otherwise, pass along the # server port the client connected to map $http_x_forwarded_port $proxy_x_forwarded_port { default $http_x_forwarded_port; '' $server_port; } # If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any # Connection header that may have been passed to this server map $http_upgrade $proxy_connection { default upgrade; '' close; } # Set appropriate X-Forwarded-Ssl header map $scheme $proxy_x_forwarded_ssl { default off; https on; } # HTTP 1.1 support proxy_http_version 1.1; proxy_buffering off; proxy_set_header Host $http_host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $proxy_connection; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto; proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl; proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port; # Mitigate httpoxy attack proxy_set_header Proxy ""; server { client_max_body_size 100M; server_name <%= @server_name %>; listen 443 ssl http2; listen [::]:443 ssl http2; access_log <%= node[:nginx][:log_dir] %>/btcpayserver.access.log json; error_log <%= node[:nginx][:log_dir] %>/btcpayserver.error.log warn; ssl_prefer_server_ciphers on; ssl_session_timeout 5m; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; ssl_certificate <%= @ssl_cert %>; ssl_certificate_key <%= @ssl_key %>; add_header Strict-Transport-Security "max-age=15768000"; location / { proxy_pass http://_btcpayserver; } } <% end -%>