# ESP8266 nginx SSL reverse proxy configuration file (tested and working on nginx v1.10.0) # proxy cache location proxy_cache_path /opt/etc/nginx/cache levels=1:2 keys_zone=ESP8266_cache:10m max_size=10g inactive=5m use_temp_path=off; # webserver proxy server { # general server parameters listen 50080; server_name myDomain.net; access_log /opt/var/log/nginx/myDomain.net.access.log; # SSL configuration ssl on; ssl_certificate /usr/builtin/etc/certificate/lets-encrypt/myDomain.net/fullchain.pem; ssl_certificate_key /usr/builtin/etc/certificate/lets-encrypt/myDomain.net/privkey.pem; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; ssl_prefer_server_ciphers on; location / { # proxy caching configuration proxy_cache ESP8266_cache; proxy_cache_revalidate on; proxy_cache_min_uses 1; proxy_cache_use_stale off; proxy_cache_lock on; # proxy_cache_bypass $http_cache_control; # include the sessionId cookie value as part of the cache key - keeps the cache per user # proxy_cache_key $proxy_host$request_uri$cookie_sessionId; # header pass through configuration proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; # ESP8266 custom headers which identify to the device that it's running through an SSL proxy proxy_set_header X-SSL On; proxy_set_header X-SSL-WebserverPort 50080; proxy_set_header X-SSL-WebsocketPort 50081; # extra debug headers add_header X-Proxy-Cache $upstream_cache_status; add_header X-Forwarded-For $proxy_add_x_forwarded_for; # actual proxying configuration proxy_ssl_session_reuse on; # target the IP address of the device with proxy_pass proxy_pass http://192.168.0.20; proxy_read_timeout 90; } } # websocket proxy server { # general server parameters listen 50081; server_name myDomain.net; access_log /opt/var/log/nginx/myDomain.net.wss.access.log; # SSL configuration ssl on; ssl_certificate /usr/builtin/etc/certificate/lets-encrypt/myDomain.net/fullchain.pem; ssl_certificate_key /usr/builtin/etc/certificate/lets-encrypt/myDomain.net/privkey.pem; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4; ssl_prefer_server_ciphers on; location / { # websocket upgrade tunnel configuration proxy_pass http://192.168.0.20:81; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "Upgrade"; proxy_read_timeout 86400; } }