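# Front door for a single :443 listener that splits traffic by SNI:
#   * SNI == ${SNI_NAME} -> "cert-check": nginx terminates TLS on a unix socket and
#     routes by the result of client-certificate (mTLS) verification.
#   * anything else      -> "https": opaque TLS passthrough to ${HTTPS_UPSTREAM}.
# ${...} tokens are substituted at container start (envsubst-style); keep them intact.
# One directive per line: a '#' comment runs to end of line, so directives must
# never share a line with a comment that precedes them.
error_log /dev/stderr;

stream {
    # SNI is sent in the clear and is attacker-controlled; it only selects the
    # upstream and grants nothing by itself.
    map $ssl_preread_server_name $sni_name {
        ${SNI_NAME} cert-check;
        default     https;
    }

    upstream https {
        server ${HTTPS_UPSTREAM}:443;
    }

    upstream cert-check {
        server unix:/tmp/virtual-stream.socket;
    }

    server {
        listen 443;
        listen [::]:443;
        proxy_pass $sni_name;
        ssl_preread on;
        # Left disabled: the passthrough upstream would have to accept a PROXY
        # protocol header for this to be safe to enable.
        #proxy_protocol on;
    }

    # Second hop: route by client-certificate verification result.
    # $ssl_client_verify is "SUCCESS", "FAILED:<reason>" or "NONE"; only SUCCESS
    # reaches the SSTP upstream, everything else lands on the static fallback site.
    map $ssl_client_verify $name {
        SUCCESS sstp;
        default fallback;
    }

    upstream sstp {
        server ${SSTP_UPSTREAM}:443;
    }

    upstream fallback {
        server unix:/tmp/fallback-stream.socket;
    }

    server {
        listen unix:/tmp/virtual-stream.socket ssl;
        ssl_certificate     /etc/nginx/certs/cert.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;
        # Trust anchor for client certificates. Unlike ssl_client_certificate this
        # CA list is NOT advertised in the CertificateRequest; if clients fail to
        # select a certificate, switch to ssl_client_certificate.
        ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
        # "optional": request a cert and verify it when presented. Connections
        # without a valid cert are not rejected here; the map above sends them
        # to the fallback. Never relax this to optional_no_ca.
        # Doesn't work without it: with verification off, $ssl_client_verify is
        # always "NONE" and nothing would ever reach the sstp upstream.
        ssl_verify_client optional;
        # NOTE(review): ssl_verify_depth defaults to 1 — raise it if ${CA_CERT}
        # is a root and client certs chain through an intermediate.
        # Re-encrypt the hop to the SSTP upstream (presumably it expects TLS on :443).
        proxy_ssl on;
        # NOTE(review): proxy_ssl_verify is off by default, so the SSTP upstream's
        # certificate is not checked on this hop; add proxy_ssl_verify on,
        # proxy_ssl_trusted_certificate and proxy_ssl_name if that link crosses
        # an untrusted network.
        proxy_pass $name;
        # Forwards the real client address to the next hop (the fallback server
        # reads it). NOTE(review): the PROXY header is sent to ${SSTP_UPSTREAM}
        # too; that server must accept it.
        proxy_protocol on;
    }
}

http {
    # The fallback server is reached over a unix socket, so $remote_addr is the
    # socket peer rather than the client; $proxy_protocol_addr (from the PROXY
    # header the stream block sends) carries the real client address, which is
    # what an incident responder needs in the access log.
    log_format main '$proxy_protocol_addr $remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    server {
        # Static site shown to clients that reached the SNI name without a valid
        # client certificate.
        listen unix:/tmp/fallback-stream.socket ssl proxy_protocol;
        server_name _;
        ssl_certificate     /etc/nginx/certs/cert.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;
        # Not used by this server (no OCSP stapling, no client verification);
        # harmless but can be dropped.
        ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};

        #access_log /var/log/nginx/host.access.log main;
        access_log /dev/stdout main;

        location / {
            root  /usr/share/nginx/html;
            index index.html index.htm;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }
}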