accel-sstp-docker/nginx-stream/stream.conf.template

error_log /dev/stderr;

stream {
    map $ssl_preread_server_name $sni_name {
            ${SNI_NAME} cert-check;
            default https;
        }

    upstream https {
        server ${HTTPS_UPSTREAM}:443;
    }

    upstream cert-check {
        server unix:/tmp/virtual-stream.socket;
    }

    server {
        listen 443;
        listen [::]:443;

        proxy_pass $sni_name;
        ssl_preread on;
        #proxy_protocol on;
    }

    map $ssl_client_verify $name {
        SUCCESS sstp;
        default fallback;
    }

    upstream sstp {
        server ${SSTP_UPSTREAM}:443;
    }

    upstream fallback {
        server unix:/tmp/fallback-stream.socket;
    }

    server {
        listen unix:/tmp/virtual-stream.socket ssl;

        ssl_certificate /etc/nginx/certs/cert.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;

        ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};
        ssl_verify_client optional;

        # Doesn't work without it
        proxy_ssl on;

        proxy_pass $name;
        proxy_protocol on;
    }
}

http {

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    server {
        listen unix:/tmp/fallback-stream.socket ssl proxy_protocol;
        server_name _;

        ssl_certificate /etc/nginx/certs/cert.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;

        ssl_trusted_certificate /etc/nginx/certs/${CA_CERT};

        #access_log  /var/log/nginx/host.access.log  main;
        access_log  /dev/stdout  main;

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }
}